
5505 and 5510 l2l vpn tunnel not up

Azubuike Obiora
Level 1

Hi Experts!

Having a funny issue I'm experiencing; just thinking to myself what I could be doing wrong. I have 2 ASAs with software code 8.4.5 running on both of them. ASA1 is a 5510 that has two active VPN connections on it: an L2L with another ASA 5505, and a remote VPN for remote users. See attached the topology.

Now I am trying to introduce another ASA to do a site-to-site VPN connection on it. Call it ASA3, since I already have an established L2L VPN configuration on ASA2.

See the config for the ASA1 & ASA2 L2L VPN that's working:

object network Creek_net
subnet 10.10.0.0 255.255.255.0
object network river_net
subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key ratrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static Creek_net Creek_net  destination static river_net river_net



object network river_net
subnet 192.168.200.192 255.255.255.224
object network creek_net
subnet 10.10.0.0 255.255.255.0
access-list outside_1_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
pre-shared-key ratrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 80.248.11.15
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net  destination static Creek_net Creek_net

Above is the working VPN configuration that is perfectly fine! No issue whatsoever.

===============================================================================================================

Then I tried introducing ASA3 for a branch office with the configuration below.

ASA3

object network dallas_net
subnet 10.10.0.0 255.255.255.0
object network river_net
subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.0.0 255.255.255.0 192.168.200.192 255.255.255.224
tunnel-group 11.11.11.11 type ipsec-l2l
tunnel-group 11.11.11.11 ipsec-attributes
pre-shared-key mouserace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 11.11.11.11
crypto map outside_map 1 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static dallas_net dallas_net  destination static river_net river_net

ASA1

object network river_net
subnet 192.168.200.192 255.255.255.224
object network dallas_net
subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
tunnel-group 13.13.13.13 type ipsec-l2l
tunnel-group 13.13.13.13 ipsec-attributes
pre-shared-key mousrace1!
isakmp keepalive threshold 10 retry 2
crypto isakmp enable outside
crypto isakmp policy 10 authentication pre-share
crypto isakmp policy 10 encrypt aes
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map outside_map 12 match address outside_2_cryptomap
crypto map outside_map 12 set pfs group1
crypto map outside_map 12 set peer 13.13.13.13
crypto map outside_map 12 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
nat (inside,outside) 1 source static river_net river_net  destination static dallas_net dallas_net

I would appreciate someone pointing out my mistake. 

Thanks

Teddy

24 Replies

Hi,

Would seem that they match.

I am not sure why the other one shows so many translate/untranslate hits.

Have you monitored the VPN negotiation through ASDM to see if there are any clear indications where the negotiation fails?

Can you take some additional outputs while generating traffic for the L2L VPN:

show crypto ikev1 sa detail

This should give more information on which policy was chosen.

Did you issue the "packet-tracer" command twice? As I said, the first one always fails if the tunnel isn't up during the test.

What are you using to test the connectivity? ICMP?

I think we might need to see the device configurations if there is no clear reason found for this problem.

- Jouni

Hey Jouni!

OK, I replied to the other post without looking at mine to see you'd said something. Sadly, for ASA3 I can't use ASDM; the link is too slow to initiate an ASDM connection. I decided to take screenshots just for you to see the different modes this gets into! I feel there's something flapping in the link, I can't tell; I've given all the state modes you can think of within a 1-2 min interval. To your point, device configuration might add to it!

Yes, I did use the packet tracer this time, not ICMP but TCP, because I have a Cisco 2960 switch behind ASA3.

packet-tracer input inside tcp 192.168.200.196 22 10.10.4.253 22

That's why I said I might need to contact TAC to see if they could help me resolve this! Before then I want to configure a remote VPN on ASA3 to get into the switch and check the configs, making sure it has the ASA as its default gateway. I have done this before; when troubleshooting, what finally resolved the problem was just configuring the ip default-gateway on the switch to the ASA, and my connection came through! So that's the last resort for me before I go ahead and do this with TAC.

Thanks all the same..... I still look forward to your thoughts on the screenshot.

Teddy

Hi Teddy,

I think I'm a little bit "fresh" with your situation, but from your output it seems that you have established Phase 1 with ASA3. What about Phase 2?

Hi Artem!

For me, I think the issue is with routing! Why do I think so? OK, here's what I did! I configured RA VPN on ASA3; see attached the following show command outputs plus the topology of the network too! I would appreciate a candid view.

If you notice, on the client side packets encrypt and don't decrypt; on ASA3 it decrypts and doesn't encrypt. So what do you make of that? It's a fairly straightforward topology; as you can see there are not many hops in the network. ASA3 is the default gateway for the network.

Thanks

Teddy

Hello Teddy,

Can you make a capture on the inside interface with the interesting traffic? If you see that traffic is hitting the inside interface of the ASA, it will prove that there is no problem with routing...

And from your output, it seems that traffic is:

1. Not hitting the interface

2. ASA doesn't encrypt.

Let's investigate routing first, since we need to be sure that the ASA receives this traffic.

Thank you.

Hi All!

I have figured out what the problem is with the L2L VPN! BANDWIDTH, yes, the monster bandwidth. Fact is, I was configuring both VPNs remotely, and the site where ASA3 is located had a bandwidth problem..... in the daytime I couldn't achieve this, so while it was night time at the site I was able to establish the tunnel.

Funny, right?! This is my very first time configuring a VPN with bandwidth-related issues! So it was the bandwidth that was triggering the connections to come on and off a day ago! Also, the bandwidth problem has been taken care of by the customer too; I pointed that out to them.

I have learnt a vital lesson from this! Thanks to everyone who contributed in one way or the other! I do appreciate you all, best forum ever.

Have a good one people.

Teddy

Hey Teddy,

Nice to hear that you were able to solve this problem. =)

And thank you for raising that discussion here. I think it was helpful for all of us.

Cheers,

Artem.

Jouni & Artem!

Thanks guys for your support! Glad it's all working fine now! We all learn from the forum so yes it's expected to give back!

Have a good one guys!

Teddy

Hi Teddy,

As with many problems related to ASAs, it is sometimes easier to go through the situation if we see the device configurations. While we did see the VPN configurations, there are still some things in the ASA configurations that can cause problems.

At your ASA3 site it would seem that there can't be that many things that could prevent the traffic from being forwarded to the ASA. Actually, probably only one thing, and that is an incorrect default gateway. But I would imagine that this is not the case here, since no one at the ASA3 site would be able to use the Internet then.

So is it possible to see the actual configurations? Maybe even just the ASA3 configuration for starters?

- Jouni

OK, after a day of the tunnel being up, next I got a call that they can't ping across the tunnel! Data wasn't going via the tunnel at all! I wasn't getting the MM_ACTIVE shown in my screenshot above! The tunnel kept going from MM_ACTIVE to MM_WAIT_MSG2 - 6; basically the tunnel was dropping. I had to debug crypto isakmp to see the messages below.

Jul 20 12:39:52 [IKEv1]Group = 13.13.13.13, IP =13.13.13.13, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.10.4.0 dst:192.168.200.192

Jul 20 12:39:52 [IKEv1]Group =13.13.13.13, IP = 13.13.13.13, IKE Remote Peer configured for crypto map: BUAGROUP_MAP

Jul 20 12:39:52 [IKEv1 DEBUG]Group =13.13.13.13, IP = 13.13.13.13, processing IPSec SA payload

Jul 20 12:39:52 [IKEv1]Group = 13.13.13.13, IP = 13.13.13.13, All IPSec SA proposals found unacceptable!

I did troubleshooting till the last breath! I just didn't figure it out! After a while I had to take a timeout to look at my crypto map [crypto map name] placement on ASA1!

Only to find out that the crypto maps I had configured on ASA1 were the problem. I had 3 crypto map entries placed like this:

crypto map outside_map 1 set pfs group1 (this is for the first l2l to ASA2 that's working perfectly.)

crypto map outside_map 7 ipsec-isakmp dynamic our_map ( for RA VPN on ASA1 also working perfectly too!)

crypto map outside_map 10 set pfs group1 (for l2l vpn to ASA3 that keep changing modes)

It never crossed my mind that crypto maps act like ACLs! How you place them determines how the ASA will negotiate your tunnels. To fix this I had to take the crypto map for ASA3 and place it above the dynamic crypto map for the RA VPN, with crypto map number 2. That sorted out my problem finally.

A hard lesson there to learn but it was worth the troubleshooting.

Cheers everyone

Teddy.
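As an added example (not from the thread, and not Cisco's own tooling), the following Python script lints a hub/branch pair of ASA config excerpts for the three things this thread turned on: the static crypto map entry sequenced after the dynamic (RA VPN) entry, which Teddy's final post identifies as the cause; crypto ACLs on the two peers that are not exact mirrors of each other, which is what the "ACL does not match proxy IDs" debug line reports; and a crypto ACL entry with no matching identity-NAT rule. The config excerpts are constructed for this example from the configurations posted above; the branch subnet 10.10.4.0/24 is taken from the proxy ID in the debug output, and the hub's sequence numbers 1, 7 and 10 follow the ordering described in the last post. The function names and the `HUB_FIXED` variant are mine, not anything from the thread.

```python
import re
from ipaddress import ip_network


def parse_asa(cfg):
    """Pull the L2L-relevant pieces out of an ASA running-config excerpt."""
    asa = {"objects": {}, "acls": {}, "static": {}, "dynamic": {}, "nat": []}
    cur_obj = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            cur_obj = m.group(1)
        elif (m := re.match(r"subnet (\S+) (\S+)$", line)) and cur_obj:
            # ipaddress accepts the dotted netmask form the ASA uses
            asa["objects"][cur_obj] = ip_network(f"{m.group(1)}/{m.group(2)}")
        elif m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            src = ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ip_network(f"{m.group(4)}/{m.group(5)}")
            asa["acls"].setdefault(m.group(1), []).append((src, dst))
        elif m := re.match(r"crypto map \S+ (\d+) ipsec-isakmp dynamic (\S+)$", line):
            asa["dynamic"][int(m.group(1))] = m.group(2)
        elif m := re.match(r"crypto map \S+ (\d+) (match address|set peer) (\S+)$", line):
            key = "acl" if m.group(2) == "match address" else "peer"
            asa["static"].setdefault(int(m.group(1)), {})[key] = m.group(3)
        elif m := re.match(r"nat \(\S+\) \d+ source static (\S+) \S+\s+destination static (\S+) \S+$", line):
            asa["nat"].append((m.group(1), m.group(2)))
    return asa


def check_map_order(asa):
    """Static entries sequenced after the first dynamic entry. Cisco's guidance is that
    the dynamic entry carries the highest sequence number so static entries are
    evaluated first; a static entry placed after it is the ordering mistake in the thread."""
    if not asa["dynamic"]:
        return []
    first_dyn = min(asa["dynamic"])
    return [seq for seq in sorted(asa["static"]) if seq > first_dyn]


def check_mirror(local, local_acl, remote, remote_acl):
    """Each (src, dst) in one peer's crypto ACL must appear as (dst, src) on the other,
    or the Phase 2 proxy IDs will not match. Returns the entries without a mirror."""
    l = set(local["acls"].get(local_acl, []))
    r = {(d, s) for s, d in remote["acls"].get(remote_acl, [])}
    return sorted(f"{s}->{d}" for s, d in l ^ r)


def check_nat_exempt(asa, acl):
    """Each crypto ACL pair needs an identity (twice) NAT rule covering the same subnets,
    otherwise the traffic is translated before it is compared with the crypto ACL."""
    covered = {(asa["objects"][s], asa["objects"][d]) for s, d in asa["nat"]
               if s in asa["objects"] and d in asa["objects"]}
    return [f"{s}->{d}" for s, d in asa["acls"].get(acl, []) if (s, d) not in covered]


def lint_pair(hub_cfg, hub_acl, branch_cfg, branch_acl):
    hub, branch = parse_asa(hub_cfg), parse_asa(branch_cfg)
    return {
        "hub_static_after_dynamic": check_map_order(hub),
        "unmirrored_acl_entries": check_mirror(branch, branch_acl, hub, hub_acl),
        "hub_acl_without_nat_exempt": check_nat_exempt(hub, hub_acl),
    }


# Constructed excerpts modelled on the thread (hub = ASA1, branch = ASA3).
HUB_CFG = """
object network river_net
 subnet 192.168.200.192 255.255.255.224
object network dallas_net
 subnet 10.10.4.0 255.255.255.0
access-list outside_2_cryptomap permit ip 192.168.200.192 255.255.255.224 10.10.0.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 12.12.12.12
crypto map outside_map 7 ipsec-isakmp dynamic our_map
crypto map outside_map 10 match address outside_2_cryptomap
crypto map outside_map 10 set peer 13.13.13.13
nat (inside,outside) 1 source static river_net river_net destination static dallas_net dallas_net
"""
BRANCH_CFG = """
object network dallas_net
 subnet 10.10.4.0 255.255.255.0
object network river_net
 subnet 192.168.200.192 255.255.255.224
access-list outside_1_cryptomap permit ip 10.10.4.0 255.255.255.0 192.168.200.192 255.255.255.224
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 11.11.11.11
nat (inside,outside) 1 source static dallas_net dallas_net destination static river_net river_net
"""
# The hub with both corrections applied: seq 10 moved to seq 2 (ahead of the dynamic
# entry) and the crypto ACL pointed at the branch's real subnet.
HUB_FIXED = (HUB_CFG.replace("outside_map 10 ", "outside_map 2 ")
             .replace("255.255.255.224 10.10.0.0 255.255.255.0",
                      "255.255.255.224 10.10.4.0 255.255.255.0"))

if __name__ == "__main__":
    for label, cfg in (("as posted", HUB_CFG), ("after fix", HUB_FIXED)):
        findings = lint_pair(cfg, "outside_2_cryptomap", BRANCH_CFG, "outside_1_cryptomap")
        print(label, {k: v for k, v in findings.items() if v} or "no findings")
```

Run stand-alone, the "as posted" pass reports static entry 10 sitting after dynamic entry 7, the unmirrored 10.10.0.0/24 versus 10.10.4.0/24 ACL pair, and the hub ACL entry that its dallas_net identity-NAT rule does not cover; the "after fix" pass reports nothing. The script only checks the pieces visible in the thread: it does not compare pre-shared keys, IKE policies or transform sets, and it treats the ASA's sequence-number order as the evaluation order, so a clean result is a necessary condition for the tunnel, not proof that it will come up.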