10-18-2013 07:31 AM - edited 03-07-2019 04:06 PM
Phase 1 is not coming up.
We have a Cisco ASA 5520 and the peer end is a WatchGuard device.
I have verified the Phase 1 parameters; they are the same at both ends and the peer IP is configured correctly.
But sh crypto isakmp sa detail | in <peer-ip> doesn't show anything.
Pinging the peer IP gets a response.
Don't know how to troubleshoot this further. I have around 20 tunnels configured at my end and every L2L tunnel is working fine. This is in production and I cannot use debug commands on my firewall.
Kindly help me, experts, on how to troubleshoot this; your inputs are very much valuable here.
Thank you
10-18-2013 08:11 AM
Can you run debugs on the Watchguard? Without a debug from one end or the other, it will be hard to tell what's wrong.
10-18-2013 08:39 AM
WatchGuard is a remote peer device and I have no control over that device, so I couldn't perform it.
10-18-2013 10:10 AM
Hi,
Perform a capture on the ASA and analyse it with Wireshark on a machine.
Also post the tunnel config as well as the NAT config and sh route output.
Regards
Alain
Don't forget to rate helpful posts.
10-18-2013 10:41 AM
How do I perform the capture of L2L VPNs in Cisco ASA? Can you please advise; it will be helpful to me.
Thanks,
10-18-2013 12:32 PM
Hi,
You must see if the ISAKMP Phase 1 has got some problems, so you can do a capture on the interface where the crypto map is enabled with an ACL permitting UDP port 500 (ISAKMP) and copy /pcap capture: tftp://x.x.x.x where x.x.x.x is a machine with Wireshark installed and a TFTP server.
Regards
Alain
Don't forget to rate helpful posts.
10-18-2013 02:09 PM
There are about 50 L2L tunnels up and running on the same device. If I have to capture, how could I differentiate? OK, I may search it out with the peer IP. I think that's too messy.
How can I prove that the Phase 1 ISAKMP SAs are sent to the peer IP without capturing and debugging? Can I see anything live happening with a command or in GUI mode? If I prove that, then I could say the peer is not responding or something is happening at their end.
I have tried sh crypto isakmp sa
cleared the Phase 1 and Phase 2 for the tunnel
by clear crypto ipsec sa peer <>
clear crypto isakmp sa
With the above commands I don't see any output.
Kindly help me. Your inputs are much valuable to me.
Thanks
10-18-2013 02:20 PM
Have you done a traceroute to the remote network to see what hops it takes? Is it missing the crypto ACL on the ASA?
If the ASA is even attempting phase 1, you'll see something when you do the sh crypto command. If you initiate traffic to the remote side, then run the sh command immediately, you should see mm_wait or something like that. If there is no attempt, the crypto ACL might be incorrect or not applied.
You can watch the logs through ASDM and search for traffic on that particular peer address.
10-19-2013 05:24 PM
I have performed the traceroute and it's reaching the destination within 10 hops.
Packet-tracer shows it is passing the NAT 0 and crypto ACL; at VPN it drops.
when I perform sh crypto isakmp sa detail | in
Kindly provide me the inputs, as I have to see whether the Phase 1 parameters are actually sent to the peer IP.
10-20-2013 04:06 PM
I meant a traceroute from your private network to the remote side to see if it passed the firewall without hitting the encryption.
Can you ask someone at the other side if they can check for the Phase 1 info, whoever the person is that manages the other firewall?
Also, did you check the ASDM logs and filter for just that peer?
10-21-2013 06:04 AM
Exchanged the Phase 1 and 2 policies, crypto ACL, pre-shared key and everything matches and looks good.
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
I have tried to capture packets to the peer IP; below is the output. I have tried to capture the same with an ACL for another peer IP tunnel and I could see some traffic.
From ASDM I don't know how to check this; can you help me if you can.
capture sn88 access-list sn8 interface ouTSIDE
access-list sn8 line 1 extended permit tcp host 174.46.X.X any (hitcnt=0) 0x295dbc33
MGRDFW1# sh capture sn88
0 packet captured
0 packet shown
MGRDFW1# sh crypto isakmp sa | beg 174.46.X.X
MGRDFW1#
MGRDFW1#
Packet-tracer on the firewall: traceroute is moving out of the firewall encryption and going to the internet. NAT 0 is happening too.
Don't know how I could troubleshoot this further.
Thank you, experts. Waiting for your valuable inputs.
10-21-2013 08:40 AM
Packet-tracer on the firewall: traceroute is moving out of the firewall encryption and going to the internet. NAT 0 is happening too.
Is this traceroute from a private host to a private host on the other side of the tunnel?
On ASDM, go to Monitoring-Logging-Real Time Log Viewer and enter the remote peer in the filter and then do your testing.
10-21-2013 07:15 AM
Have you created a VPN filter for the debug log on the ASA? It must report something when trying to establish the tunnel.
Can you ping the peer, and vice versa?
Jon
Sent from Cisco Technical Support iPhone App
12-03-2013 07:21 PM
Hello all, thank you for all the helpful inputs.
This has got solved, as I have added a new crypto map entry rather than the existing crypto map on the firewall.
I have used crypto map-outside rather than crypto map 11. Once I changed the crypto map, the tunnel is up and I see the traffic flowing through it.
Once again, thank you.
Thanks.
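Pulling together Alain's capture advice above and the root cause the original poster reported (the entry sat in a crypto map that was not the one bound to the outside interface), the following ASA CLI sequence is an added example and not from anyone in this thread. The ACL and capture names, PEER-IP, ASA-OUTSIDE-IP and TFTP-SERVER-IP are placeholders; map-outside is the map name the poster mentioned.

```cisco
! Step 1: confirm which crypto map is actually bound to the outside interface.
! An entry added under a different map name is never consulted, so the ASA
! never even initiates IKE for that peer and "sh crypto isakmp sa" stays empty.
show running-config crypto map | include interface
! Step 2: list the entries of the bound map and check the peer's entry is there.
show running-config crypto map | include map-outside
! Step 3: capture IKE on the outside interface in BOTH directions.
! IKE is UDP 500 (and UDP 4500 when NAT-T is in play), not TCP; a capture ACL
! written for tcp will always report 0 packets.
access-list CAP-IKE extended permit udp host PEER-IP host ASA-OUTSIDE-IP eq 500
access-list CAP-IKE extended permit udp host ASA-OUTSIDE-IP host PEER-IP eq 500
access-list CAP-IKE extended permit udp host PEER-IP host ASA-OUTSIDE-IP eq 4500
access-list CAP-IKE extended permit udp host ASA-OUTSIDE-IP host PEER-IP eq 4500
capture cap-ike access-list CAP-IKE interface outside
! Step 4: send interesting traffic (ping a remote protected host from a local
! protected host), then read the capture.
!   0 packets          -> ASA is not initiating: crypto map binding / crypto ACL
!   outbound only      -> peer (or something in between) is not answering
!   both directions    -> Phase 1 is being exchanged; compare the proposals
show capture cap-ike
! Step 5: export the capture for Wireshark, then clean up.
copy /pcap capture:cap-ike tftp://TFTP-SERVER-IP/cap-ike.pcap
no capture cap-ike
clear configure access-list CAP-IKE
```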