New Member

IPSec tunnel not coming up between two ASA-5540s.

I've included the appropriate config lines of two ASA-5540s that I'm trying to get a lan-2-lan tunnel up between. The first few lines show the log messages that are generated when I try to ping from either host on either side.

Am I missing something that will keep the tunnel from coming up?

4 IP = 10.10..1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10..1.147, Removing peer from peer table failed, no match!
6 IP = 10.10..1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10..1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
6 IP = 10.10..1.147, P1 Retransmit msg dispatched to MM FSM
5 IP = 10.10..1.147, Duplicate Phase 1 packet detected. Retransmitting last packet.
4 IP = 10.10..1.147, Error: Unable to remove PeerTblEntry
3 IP = 10.10..1.147, Removing peer from peer table failed, no match!
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6 IP = 10.10..1.147, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
5 IP = 10.10..1.147, IKE Initiator: New Phase 1, Intf inside, IKE Peer 10.10..1.147 local Proxy Address 10.10..1.135, remote Proxy Address 10.10..1.155, Crypto map (outside_map0)

ROC-ASA5540-A# sh run
!
ASA Version 8.0(3)
!
hostname ROC-ASA5540-A
names
name 10.10..1.135 GHC_Laptop description For VPN testing
name 10.10..1.155 SunMed_pc description For VPN testing
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10..1.129 255.255.255.240
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10..1.145 255.255.255.248
!
!
access-list outside_2_cryptomap extended permit ip host GHC_Laptop host SunMed_pc
!
asdm image disk0:/asdm-603.bin
!
route outside 10.10..1.152 255.255.255.248 10.10..1.147 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map0 2 match address outside_2_cryptomap
crypto map outside_map0 2 set peer 10.10..1.147
crypto map outside_map0 2 set transform-set ESP-3DES-SHA
crypto map outside_map0 2 set nat-t-disable
crypto map outside_map0 interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan_only internal
group-policy Lan-2-Lan_only attributes
 vpn-filter none
 vpn-tunnel-protocol IPSec
tunnel-group 10.10..1.147 type ipsec-l2l
tunnel-group 10.10..1.147 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-A#

----------------------------------------------------------

ROC-ASA5540-B# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname ROC-ASA5540-B
!
names
name 10.10..1.135 GHC_laptop
name 10.10..1.155 SunMed_PC
!
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 10.10..1.153 255.255.255.248
!
interface GigabitEthernet0/3
 nameif outside
 security-level 0
 ip address 10.10..1.147 255.255.255.248
!
access-list outside_cryptomap extended permit ip host SunMed_PC host GHC_laptop
!
asdm image disk0:/asdm-603.bin
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 10.10..1.145
crypto map outside_map2 1 set transform-set ESP-3DES-SHA
crypto map outside_map2 1 set nat-t-disable
crypto map outside_map2 interface outside
crypto isakmp enable inside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
group-policy Lan-2-Lan internal
group-policy Lan-2-Lan attributes
 vpn-tunnel-protocol IPSec
tunnel-group 10.10..1.145 type ipsec-l2l
tunnel-group 10.10..1.145 ipsec-attributes
 pre-shared-key *
!
ROC-ASA5540-B#

Accepted Solution
Cisco Employee

Re: IPSec tunnel not coming up between two ASA-5540s.

On the ROC-ASA5540-B ASA, you have "isakmp enable inside"; this should be "isakmp enable outside".

Please reconfigure the ASA and let me know how it goes.

Regards,

Arul

** Please rate helpful posts **
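As an added example (not from the thread, Arul, or Cisco), this Python script performs the static cross-check behind the answer on excerpts of the two posted configs: ISAKMP must be enabled on the interface the crypto map is bound to, and each side's `set peer` must be the other side's crypto-map interface address. The excerpts are constructed from the post with addresses as they appear there, and the line-matching is an assumption about the CLI lines shown, not a general ASA config parser.

```python
import re

# Constructed excerpts of the two configs posted above (only the lines the
# checks need; addresses as they appear in the post).
ASA_A = """\
 nameif outside
 ip address 10.10..1.145 255.255.255.248
crypto map outside_map0 2 set peer 10.10..1.147
crypto map outside_map0 interface outside
crypto isakmp enable outside
"""
ASA_B = """\
 nameif outside
 ip address 10.10..1.147 255.255.255.248
crypto map outside_map2 1 set peer 10.10..1.145
crypto map outside_map2 interface outside
crypto isakmp enable inside
"""

def parse(cfg):
    # Collect the facts an IKEv1 L2L peering depends on from one config.
    f = {"if_ip": {}, "isakmp": set(), "peers": set(), "map_if": None}
    nameif = None
    for line in cfg.splitlines():
        s = line.strip()
        if m := re.match(r"nameif (\S+)$", s):
            nameif = m.group(1)
        elif (m := re.match(r"ip address (\S+) \S+$", s)) and nameif:
            f["if_ip"][nameif] = m.group(1)   # interface name -> address
        elif m := re.match(r"crypto isakmp enable (\S+)$", s):
            f["isakmp"].add(m.group(1))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)$", s):
            f["peers"].add(m.group(1))
        elif m := re.match(r"crypto map \S+ interface (\S+)$", s):
            f["map_if"] = m.group(1)
    return f

def check_pair(name_a, cfg_a, name_b, cfg_b):
    # Returns a list of findings; an empty list means the static checks pass.
    sides = ((name_a, parse(cfg_a)), (name_b, parse(cfg_b)))
    findings = []
    for (name, me), (_, other) in (sides, sides[::-1]):
        # IKE must listen on the crypto-map interface, otherwise Phase 1 is
        # never answered and the initiator just retransmits (as in the log).
        if me["map_if"] not in me["isakmp"]:
            findings.append(f"{name}: crypto map on '{me['map_if']}' but ISAKMP enabled on {sorted(me['isakmp']) or 'nothing'}")
        # Each side's 'set peer' must be the far side's crypto-map interface IP.
        if other["if_ip"].get(other["map_if"]) not in me["peers"]:
            findings.append(f"{name}: set peer does not match the far side's {other['map_if']} address")
    return findings

if __name__ == "__main__":
    for finding in check_pair("ROC-ASA5540-A", ASA_A, "ROC-ASA5540-B", ASA_B):
        print(finding)
```

Run as-is it reports only the ROC-ASA5540-B ISAKMP interface mismatch; swapping `enable inside` for `enable outside` in the B excerpt clears the findings.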
