03-20-2018 09:34 AM - edited 02-21-2020 07:32 AM
I'm currently trying to configure VPN on my ASA 5515, but the command "crypto map" is not available on the CLI.
The ios version is 8.6(1)2.
Here is an export of all the enabled features:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual
IPS Module                        : Disabled       perpetual
As you can see, the required "VPN-3DES-AES" is enabled. Still, I'm not able to use the "crypto map" command. Only the "ca" and "key" options are available.
I've got a Security Plus license on the ASA.
Any idea of what I am missing there?
Thanks for your help
03-21-2018 09:30 AM
Did you check if you are running a no payload encryption image?
03-22-2018 01:53 AM - edited 03-22-2018 06:06 AM
You might have nailed it, Bogdan. The OS we are running is asa861-2-smp-k8.bin, but I can't figure out if it supports VPN or not.
03-22-2018 06:58 AM
Based on the image name it is not npe.
You could also try to upgrade the ASA to a newer version.
03-22-2018 07:13 AM
All ASAs support site-site VPN.
Are you in single or multiple context mode? "show mode"
Does your user have level 15 privilege? "show curpriv"
03-22-2018 07:20 AM
Hello Marvin,
Here is the result of your commands :
ciscoasa/mycontext(config)# show mode
Security context mode: multiple
ciscoasa/mycontext(config)# show cur
ciscoasa/mycontext(config)# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
03-22-2018 07:30 AM
So it shows you have sufficient privilege but you are in multiple context mode.
When you have a multiple context ASA (and version 8.6) VPN is not supported at all.
Site-site VPN support with multiple context was added in release 9.0(1) and remote access SSL VPN in ASA 9.5(2).
03-22-2018 07:55 AM
Thanks a lot Marvin, I missed that part.
I'm gonna find a way to merge my contexts into one so I can use site-to-site VPN.
03-22-2018 08:48 AM
You're welcome.
You should really upgrade to a more current release for features, security and code stability.
The recommended version for an ASA 5515-X is currently one of the recent interim builds of 9.4(4), 9.6(4) or 9.8(2).
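The checks this thread walks through (image type, privilege level, context mode, release) collected into one script, as an added example that is not code from any poster or from Cisco. The sample output is constructed from the values quoted in the thread, and the "npe" file-name test is an assumption about image naming.

```python
import re

# Constructed sample CLI output, modelled on the values quoted in the thread.
SAMPLE = """\
Cisco Adaptive Security Appliance Software Version 8.6(1)2
System image file is "disk0:/asa861-2-smp-k8.bin"
Security context mode: multiple
Current privilege level : 15
"""

# Minimum releases for VPN in multiple context mode, as stated in the thread.
MULTI_CONTEXT_MIN = {"site-to-site": (9, 0, 1), "remote-access-ssl": (9, 5, 2)}


def parse_version(text):
    """Turn 'Version 8.6(1)2' into a comparable tuple (8, 6, 1, 2)."""
    m = re.search(r"Version (\d+)\.(\d+)\((\d+)\)(\d*)", text)
    if not m:
        raise ValueError("no ASA version string found")
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def vpn_blockers(text):
    """Return {feature: [reasons it is unavailable]}; an empty list means no blocker found."""
    version = parse_version(text)
    image = re.search(r'image file is "([^"]+)"', text)
    mode = re.search(r"Security context mode:\s*(\w+)", text)
    priv = re.search(r"Current privilege level\s*:\s*(\d+)", text)
    common = []
    # Assumption: no-payload-encryption images carry "npe" in the file name.
    if image and re.search(r"(^|[-_/.])npe([-_.]|$)", image.group(1), re.I):
        common.append("no-payload-encryption (NPE) image")
    if priv and int(priv.group(1)) < 15:
        common.append("privilege level below 15")
    result = {}
    for feature, minimum in MULTI_CONTEXT_MIN.items():
        reasons = list(common)
        if mode and mode.group(1).lower() == "multiple" and version[:3] < minimum:
            reasons.append("multiple context mode needs %d.%d(%d) or later" % minimum)
        result[feature] = reasons
    return result


if __name__ == "__main__":
    for feature, reasons in vpn_blockers(SAMPLE).items():
        print(feature, "->", reasons or "no blocker found")
```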