Cisco Support Community

One of the peers cannot establish the tunnel with ASA 5510

Core issue

These could be among the reasons for this behavior:

  • An incorrect peer IP address defined in the crypto-map.

  • The same crypto access list might be bound to both crypto-map entries on the Adaptive Security Appliance (ASA). As a result, the second crypto-map entry is never hit, because traffic meant for the second peer matches the crypto access list bound to the first crypto-map entry.

Resolution

To resolve this issue, verify that:

  • The peer IP is correct.

  • The access lists bound to the separate crypto-map entries are different, so that the relevant access list is hit, as shown:

access-list vpn1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map IPsec_map 10 match address vpn1
crypto map IPsec_map 10 set peer 1.1.1.1
crypto map IPsec_map 10 set transform-set myset
crypto map IPsec_map 11 match address vpn2
crypto map IPsec_map 11 set peer 2.2.2.2
crypto map IPsec_map 11 set transform-set myset
crypto map IPsec_map interface outside

At this point, you should be able to pass traffic.
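One way to check a saved configuration for the second cause described above, as an added example (not part of the original article and not a Cisco tool): the script flags any crypto-map entry whose crypto access list is entirely covered by an earlier-sequence entry in the same map, so its peer would never be selected. It assumes the `access-list NAME [extended] permit ip NET MASK NET MASK` form used on this page; the `BROKEN` sample is constructed from the page's configuration.

```python
import ipaddress
import re
from collections import defaultdict

ACE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

# Relevant lines of the configuration shown on this page.
FIXED = """\
access-list vpn1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map IPsec_map 10 match address vpn1
crypto map IPsec_map 10 set peer 1.1.1.1
crypto map IPsec_map 11 match address vpn2
crypto map IPsec_map 11 set peer 2.2.2.2
crypto map IPsec_map interface outside
"""
# Constructed faulty variant: entry 11 reuses the access list of entry 10.
BROKEN = FIXED.replace("11 match address vpn2", "11 match address vpn1")

def parse(config):
    """Return ACL name -> [(src_net, dst_net)] and (map, seq) -> {acl, peer}."""
    acls, entries = defaultdict(list), defaultdict(dict)
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := MATCH.match(line):
            entries[(m[1], int(m[2]))]["acl"] = m[3]
        elif m := PEER.match(line):
            entries[(m[1], int(m[2]))]["peer"] = m[3]
    return acls, entries

def shadowed_entries(config):
    """List (map, seq, peer, earlier_seq) for entries an earlier entry fully covers."""
    acls, entries = parse(config)
    findings, keys = [], sorted(entries)  # sorted by map name, then sequence number
    for i, (mname, seq) in enumerate(keys):
        later = acls.get(entries[(mname, seq)].get("acl"), [])
        for ename, eseq in keys[:i]:
            earlier = acls.get(entries[(ename, eseq)].get("acl"), [])
            # Shadowed when every later ACE fits inside some ACE of the earlier entry.
            if ename == mname and later and all(
                    any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in earlier)
                    for s, d in later):
                findings.append((mname, seq, entries[(mname, seq)].get("peer"), eseq))
    return findings
```

Access lists that use `host`, `any`, or object groups are not parsed by this sketch and would need to be expanded first.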

VPN Tunnel End Points

Any end point

VPN Protocols

IPSec

VPN Tunnel Initialization

IPSec session is not established

Version history
Revision #: 1 of 1
Last update: 06-17-2009 10:08 PM