It's already 2:00 AM here and I still can't make this work.
We have an ASA5510 with a static IP which will serve as the new VPN hub to 3 spoke sites that have a PIX, an 1841 and a 2821. The ASA5510 L2L connection to the PIX with a static IP works well, but the ASA5510 L2L link to the 1841 with a dynamic IP (ADSL) and the ASA5510 L2L link to the 2821 both don't work.
Links from PIX to ASA5510, 1841 and 2821 are all up.
I'm attaching the config of ASA5510 and the 1841 to start.
Grateful if someone can look at the configs and point me to the right configuration.
Thanks in advance.
Check the line status of all the links. Try to assign a static IP and see if it works. If it works, then the problem is with the IP assignment.
Thanks for your reply.
The L2L links with both static IPs are up now but I can't make the L2L (dynamic to static) work. I already put the crypto dynamic at high sequence and I also added the line:
tunnel-group-map default-group DefaultL2LGroup
See my crypto. I don't know what parameters I still need to add.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 6000 match address auh2dxb_acl
crypto dynamic-map outside_dyn_map 6000 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 6000 set reverse-route
crypto map outside_map 10 match address auh2mct_acl
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 22.214.171.124
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 30 match address auh2kub_acl
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 126.96.36.199
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 6000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
crypto isakmp policy 65535
crypto isakmp nat-traversal 20
Can someone shed some light on what this debug error means and what I need to look at to resolve the issue?
Received encrypted packet with no matching SA, dropping
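The crypto section pasted above can be checked mechanically for the two things a hub with mixed static and dynamic peers depends on: every static crypto map entry is complete (match address, peer, transform-set) and the entry that binds the dynamic map has a higher sequence number than all static entries, so known peers are matched first. The script below is an added example written for this thread, not the poster's configuration or a Cisco tool; it only reads the `crypto map`, `crypto dynamic-map`, `crypto ipsec transform-set` and `crypto isakmp enable` lines, and it does not look at ISAKMP policy or lifetime sub-lines, which the forum paste does not include. The sample config embedded in it is the one posted above, reused as constructed test input.

```python
"""Sanity checks for an ASA crypto-map configuration (added example, not from the thread).

Parses the 'crypto map' / 'crypto dynamic-map' lines of a config dump and reports
ordering and completeness problems that commonly break static-plus-dynamic L2L hubs.
"""
import re
from collections import defaultdict

# Constructed sample: the ASA5510 crypto section exactly as posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 6000 match address auh2dxb_acl
crypto dynamic-map outside_dyn_map 6000 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 6000 set reverse-route
crypto map outside_map 10 match address auh2mct_acl
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 22.214.171.124
crypto map outside_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 30 match address auh2kub_acl
crypto map outside_map 30 set pfs
crypto map outside_map 30 set peer 126.96.36.199
crypto map outside_map 30 set transform-set ESP-3DES-MD5
crypto map outside_map 6000 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp nat-traversal 20
"""


def _record(attrs, rest):
    """Store one sub-command ('set peer X', 'match address ACL', ...) into an entry dict."""
    tokens = rest.split()
    head = tokens[:2]
    if head == ["match", "address"]:
        attrs["acl"] = tokens[2]
    elif head == ["set", "peer"]:
        attrs["peer"] = tokens[2]
    elif head == ["set", "transform-set"]:
        attrs["transform"] = tokens[2]
    elif head == ["set", "pfs"]:
        attrs["pfs"] = True
    elif head == ["set", "reverse-route"]:
        attrs["rri"] = True
    elif head == ["ipsec-isakmp", "dynamic"]:
        attrs["dynamic"] = tokens[2]  # this entry binds a dynamic crypto map


def parse_crypto(config):
    """Return (static maps, dynamic maps, transform-set names, map->interface, isakmp interfaces)."""
    static = defaultdict(lambda: defaultdict(dict))   # map name -> seq -> attributes
    dynamic = defaultdict(lambda: defaultdict(dict))  # dynamic-map name -> seq -> attributes
    transform_sets, bound, isakmp_ifaces = set(), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)", line):
            transform_sets.add(m.group(1))
        elif m := re.match(r"crypto dynamic-map (\S+) (\d+) (.+)", line):
            _record(dynamic[m.group(1)][int(m.group(2))], m.group(3))
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            bound[m.group(1)] = m.group(2)
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)", line):
            _record(static[m.group(1)][int(m.group(2))], m.group(3))
        elif m := re.match(r"crypto isakmp enable (\S+)", line):
            isakmp_ifaces.add(m.group(1))
    return static, dynamic, transform_sets, bound, isakmp_ifaces


def audit(config):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    static, dynamic, tsets, bound, isakmp_ifaces = parse_crypto(config)
    findings = []
    for name, entries in static.items():
        dyn_seqs = [s for s, a in entries.items() if "dynamic" in a]
        stat_seqs = [s for s, a in entries.items() if "dynamic" not in a]
        for seq in stat_seqs:  # every static peer entry needs ACL, peer and transform-set
            a = entries[seq]
            for key, label in (("acl", "match address"), ("peer", "set peer"),
                               ("transform", "set transform-set")):
                if key not in a:
                    findings.append(f"{name} {seq}: missing '{label}'")
            if "transform" in a and a["transform"] not in tsets:
                findings.append(f"{name} {seq}: transform-set {a['transform']} is not defined")
        for seq in dyn_seqs:  # the dynamic binding must sort after every static entry
            if stat_seqs and seq < max(stat_seqs):
                findings.append(f"{name} {seq}: dynamic entry must have a higher sequence "
                                f"than all static entries (highest static is {max(stat_seqs)})")
            dname = entries[seq]["dynamic"]
            if dname not in dynamic:
                findings.append(f"{name} {seq}: references undefined dynamic-map {dname}")
            else:
                for dseq, da in dynamic[dname].items():
                    if "transform" not in da:
                        findings.append(f"dynamic-map {dname} {dseq}: missing 'set transform-set'")
        if name not in bound:
            findings.append(f"{name}: not applied to any interface")
        elif bound[name] not in isakmp_ifaces:
            findings.append(f"{name}: applied to {bound[name]} but isakmp is not enabled there")
    return findings


if __name__ == "__main__":
    print("posted config:", audit(SAMPLE_CONFIG) or "no findings")
    # Constructed variant: dynamic binding moved to a low sequence number.
    broken = SAMPLE_CONFIG.replace("outside_map 6000 ipsec-isakmp", "outside_map 5 ipsec-isakmp")
    print("low-sequence variant:", audit(broken))
```

Run it against a `show run crypto` dump; the posted section passes cleanly, which narrows the intermittent 1841 tunnel down to things this parser does not see, such as the ISAKMP policy and lifetime values the later reply asks about.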
I did not notice this when it was first posted, and I admit that I have not looked closely at the configs that you posted, on the assumption that in the passing time you may have modified something. My guess about the debug message is that the timers may not match which results in one peer deleting the SA while the other peer is still using it. Can you check the timers and verify that they match? And if they do match perhaps you can post fresh copies of the configs?
I'm attaching the configs of the ASA5510 (static serial), PIX (static serial), 1841 (dynamic ADSL) and 2821 (static SDSL). The PIX, 1841 and 2821 have to connect to the ASA5510, which will become the new hub. At the moment, the PIX-ASA5510 link is connected and stable. The 1841-ASA5510 link is also up, but intermittently I lose the connection. At this juncture, I can't make the 2821 establish a VPN link to the ASA5510.
On the other hand, the PIX, considered as the old hub, has stable connections to ASA5510, 1841 and 2821.
I would be really really grateful if you could share your expertise and throw some help.
On the next post is the debug result of the ASA5510 and the config of the 2821.
Can you configure a L2L tunnel from a router using dynamic IP addresses (the 1841 in your example)? I was under the impression that site-to-site tunnels require devices with static IP addresses on both sides. Spokes with dynamic IP addresses can be connected using EasyVPN or DMVPN (between routers, not supported on ASA/PIX).
After days of trying, I managed to establish an L2L tunnel from the 1841 with an ADSL modem in front to the ASA5510, but I must say that sometimes the tunnel disappears at any time of the day. It could be something to do with my configuration either in the 1841 or in the ASA5510.