I need help. I tried to create a site-to-site VPN (with ASA 5510 and 5520) using the VPN wizard, but I have a problem. The VPN tunnel was not established. Also, there is no ping between the end users (10.1.1.2 and 10.2.2.2). The configurations and network topology are in the attachment.
At a first glance I don't see anything wrong with the config but...
Have you tried the "debug crypto isakmp" and "debug crypto ipsec" commands so you can check what the error is?
Are you able to ping from one outside interface of the ASA to the other?
I'm having a similar issue to this user and I have a similar design. In my lab, the two ASAs can ping each other's outside IP but the tunnel won't come up. I'm using a managed L2 switch though, not an L3.
I've attached my config, if it helps. Like I said, pretty similar. We're trying to build a tunnel between a 5510 and a 5505 with a switch in the middle. They are running two different ASA versions, 7.0(7) and 7.2(2) respectively.
Take this out:
tunnel-group VPNgroup1 type ipsec-l2l
tunnel-group VPNgroup1 ipsec-attributes
Try this instead:
Let me know how it goes.
Yeah, I noticed that L2L tunnels must have the IP of the peer as the tunnel-group name when I was going through a couple of tech pubs. I tried it with no success. I'm working with the TAC directly on this now. I'll post the solution when I find it.
The two ASA configurations that you attached: are those the configurations you were using when it didn't work? The reason I ask is that the configuration is missing the following items for the VPN to completely work:
1. nat 0 with an access-list of the networks that are being encrypted.
2. Another access-list defining the traffic to be encrypted.
3. A crypto map.
One other thing I noticed:
You have the static routes pointing to 172.21.11.4, which I am assuming is the switch. You should have the static routes pointing to the next hop of the other ASA. Otherwise the switch does not know where the network is located. For example, on the ASA 5505 you should have the following static route:
route outside 192.168.10.0 255.255.255.0 172.21.11.197
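As an added example (not from this thread, its attachments, or Cisco), here is a small Python checker for the items listed above plus the earlier point that an L2L tunnel-group must be named after the peer IP. It runs over a constructed ASA 7.x-style config fragment; the ACL names, map name, transform set and peer address are made up.

```python
import re
# Constructed ASA 7.x-style fragment (not the thread's attachments), trimmed to the
# lines the checker inspects; the peer is the other ASA's outside address.
SAMPLE_CONFIG = """\
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn_traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 192.168.2.2
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
tunnel-group VPNgroup1 type ipsec-l2l
tunnel-group VPNgroup1 ipsec-attributes
 pre-shared-key *****
"""
def check_l2l_config(config: str) -> list[str]:
    """Return findings for a site-to-site setup; an empty list means all pieces were found."""
    def grab(pat): return re.findall(pat, config, re.M)  # all matches of a line pattern
    acls = set(grab(r"^access-list (\S+) "))
    findings = []
    # 1. NAT exemption (nat 0) for the networks that are being encrypted
    nat0 = grab(r"^nat \(\S+\) 0 access-list (\S+)")
    if not nat0:
        findings.append("no 'nat (inside) 0 access-list <acl>' (NAT exemption)")
    findings += [f"nat 0 references undefined ACL {a}" for a in nat0 if a not in acls]
    # 2./3. crypto map: crypto ACL, peer, transform set, and bound to an interface
    entries = set(grab(r"^crypto map (\S+ \d+) "))
    if not entries:
        findings.append("no crypto map entry (need match address / set peer / set transform-set)")
    for e in sorted(entries):
        acl = grab(rf"^crypto map {e} match address (\S+)")
        if not acl or acl[0] not in acls:
            findings.append(f"crypto map {e}: crypto ACL missing or undefined")
        for kw in ("set peer", "set transform-set"):
            if not grab(rf"^crypto map {e} {kw} "):
                findings.append(f"crypto map {e}: no '{kw}'")
        if not grab(rf"^crypto map {e.split()[0]} interface "):
            findings.append(f"crypto map {e.split()[0]} is not applied to an interface")
    if not grab(r"^isakmp enable "):
        findings.append("ISAKMP is not enabled on any interface")
    # 4. an L2L tunnel-group must be named after the peer IP and carry ipsec-attributes
    l2l = set(grab(r"^tunnel-group (\S+) type ipsec-l2l"))
    for peer in set(grab(r"^crypto map \S+ \d+ set peer (\S+)")):
        if peer not in l2l:
            findings.append(f"no 'tunnel-group {peer} type ipsec-l2l' for peer {peer}")
        elif not grab(rf"^tunnel-group {re.escape(peer)} ipsec-attributes"):
            findings.append(f"tunnel-group {peer} has no ipsec-attributes (pre-shared key)")
    return findings
```

On the sample above the only finding is the tunnel-group named VPNgroup1 instead of the peer address, which is the same mismatch the "Can't find a valid tunnel group" debug line points at.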
Thank you, Jason.
I'm going to attach some new configs. Those configs are a few days old and were very very wrong it appears.
The config I'm attaching has plenty of changes on it. The two inside networks are 10.0.10.0 (asa5510) and 10.0.11.0 (asa5505). The outside interfaces are 172.21.11.197 (asa5510) and 10.0.3.30 (asa5505). This is all located in my lab. I'm also including a pretty drawing (yay!). I'm new to the whole security side of networking, so it surely may be something dumb that I'm missing.
The two configs have been looked over once by the Cisco TAC; I haven't heard back from them yet today.
Owned it, guys!
With the help of the Cisco TAC of course :). I feel pretty silly now, but it was kind of an easy miss, I think anyway.
My config was right on; the problem was that I didn't initiate 'interesting traffic'.
You have to ping the opposite inside interface using:
#ping inside x.x.x.x
That forces the ping to originate from the local ASA's inside address and generates 'interesting traffic', which then builds the tunnel.
Hope this helps someone else too.
Thanks for the interest in my problem guys.
I am able to ping from one outside interface of the ASA to the other. Here is the output from "debug crypto isakmp":
debug crypto isakmp (on ASA1)
ping from 10.2.2.2 to 10.1.1.2:
ciscoasa1# Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Can't find a valid tunnel group, aborting...!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Error: Unable to
Apr 20 23:32:17 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:25 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:33 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
ping from 10.1.1.2 to 10.2.2.2:
ciscoasa1# Apr 20 23:34:44 [IKEv1]: IP = 192.168.2.2, Information Exchange proce
Apr 20 23:34:52 [IKEv1]: IP = 192.168.2.2, Information Exchange processing faile
Apr 20 23:35:00 [IKEv1]: IP = 192.168.2.2, Information Exchange processing faile
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Removing peer from peer table failed,
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Error: Unable to remove PeerTblEntry
Any comment will be useful.