Tunnel Manager has failed to establish an L2L SA

Tuomas
Level 1

Hi,

We have two remote sites which are connected with Cisco ASA appliances to our data center, and the other remote site's ASA has some very strange log entries.

The strange thing is that the site-to-site VPN connection works anyway, and the other ASA appliances have no similar log entries.

Here is some of the configuration (I tried to shorten it) from the ASA that has these strange log entries:

ASA Version 8.4(3)
!
hostname xxxxxxxx
domain-name xxxxxx
enable password xxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address xxxxxxxxxxxxxx 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxxxxxxxxxx 255.255.255.192
!
boot system disk0:/asa843-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00

snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set pfs
crypto map outside_map0 2 set peer xxxxxxxxxxxxxxx
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

ntp server xxxxxxxxxxxxx source outside prefer
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy_xxxxxxxxxxxxx internal
group-policy GroupPolicy_xxxxxxxxxxxxx attributes
 vpn-tunnel-protocol ikev1
username admin password xxxxxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxxxxxx type ipsec-l2l
tunnel-group xxxxxxxxxx ipsec-attributes
 ikev1 pre-shared-key xxxxxxxxxxxxx
!

: end
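Because the peer address and tunnel-group name in the config above are masked, the usual first check for this log message (that every crypto map entry's peer has a matching ipsec-l2l tunnel-group with a pre-shared key, a defined transform-set, and IKEv1 enabled on the map's interface) has to be done by eye. As an added example, not from this thread or from Cisco, here is a small Python checker that reads a saved ASA running-config and reports those mismatches; the sample config is constructed from the post with an RFC 5737 documentation address in place of the masked values.

```python
import re
# Constructed sample modelled on the post's config; masked values replaced with an RFC 5737 address.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer 203.0.113.10
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map0 interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key ***
"""
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (set peer|set ikev1 transform-set)(?: (\S+))?$")

def check_l2l_config(text):
    """Return one 'Map Tag=..., Map Sequence Number=...: problem' string per defect found."""
    tsets, ikev1_ifaces, l2l_groups, psk_groups, maps, map_iface, tg = set(), set(), set(), set(), {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):
            tg = None  # a non-indented line ends any tunnel-group sub-mode
        if m := re.match(r"crypto ipsec ikev1 transform-set (\S+)", line):
            tsets.add(m[1])
        elif m := re.match(r"crypto ikev1 enable (\S+)", line):
            ikev1_ifaces.add(m[1])
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            map_iface[m[1]] = m[2]
        elif m := MAP_RE.match(line):
            maps.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]  # per (tag, seq) settings
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_groups.add(m[1])
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            tg = m[1]
        elif tg and re.match(r" ikev1 pre-shared-key \S+", line):
            psk_groups.add(tg)
    findings = []
    for (tag, seq), e in sorted(maps.items()):
        where = f"Map Tag={tag}, Map Sequence Number={seq}"  # same fields the ASA log message names
        peer, ts = e.get("set peer"), e.get("set ikev1 transform-set")
        if not peer:
            findings.append(f"{where}: no peer set")
        elif peer not in l2l_groups:
            findings.append(f"{where}: no tunnel-group {peer} of type ipsec-l2l")
        elif peer not in psk_groups:
            findings.append(f"{where}: tunnel-group {peer} has no ikev1 pre-shared-key")
        if ts not in tsets:
            findings.append(f"{where}: ikev1 transform-set {ts} missing or undefined")
        if map_iface.get(tag) not in ikev1_ifaces:
            findings.append(f"{where}: crypto ikev1 not enabled on map interface {map_iface.get(tag)}")
    return findings
```

Run it against the output of `show running-config` saved to a file; an empty list means the static pieces line up and the remaining suspects are the peer side or the ACL/transform negotiation, which only the level-5 logs will show.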

2 Replies

Joe Doran
Level 1

Turn your logging level up to 5. There is no remote IP address specified in the log entries above, so you don't know exactly the endpoint IP related to these syslog entries. Once you learn the far end IP you can be more focused in your troubleshooting and remediation efforts.

Hi Joe, and thanks for the quick reply,

Here is a screenshot with logging level 5.

I have wiped out our data center ASA's public IP from the log entries that show the tunnel being set up successfully. But the unsuccessful tunnel setup entries have no additional information.
