Cisco Support Community

New Member

IPSEC tunnel b/w ASA 5520 using certs

Hi all

I have 2 ASA5520 in each rack running Active/Standby. IPSEC tunnel b/w the racks using the PSK works fine; however, when trying to use digital certificates, I can't get past Ph1. My trustpoint seems to be configured correctly in each rack, holding the root CA and an identity cert for the relevant ASA imported against the trustpoint. Enrollment was done manually.

My debugs show that the tunnel is still trying to use PSK. I was running 7.2(1) and have upgraded to 7.2(2) today with no luck. I've posted a partial config and debug outputs. Any help would be appreciated.

Cisco Employee

Re: IPSEC tunnel b/w ASA 5520 using certs


Do you have isakmp identity set to address or hostname? If you have "Isakmp Identity Address" in your PIX configuration, this could be one of the reasons for Phase 1 of your VPN tunnel not coming up.

You have to configure "Isakmp Identity Hostname" when using Certificates and rsa-sig.

In case you have VPN L2L tunnels or clients using pre-shared keys, then you could configure "Isakmp Identity Auto" and then try to bring up the tunnel, and see if it works.

Please refer to the URL for details on the command:



** Please rate all helpful posts **

New Member

Re: IPSEC tunnel b/w ASA 5520 using certs

Thanks for the tip Arul.

I do have client VPN using PSK also configured; therefore my identity was set to auto. I did, however, manage to get it to work with an engineer from the TAC. See below:

"crypto map Outside_map 1 set trustpoint ALMVPN" which maps it to the trustpoint.

tunnel-group ipsec-attributes
 peer-id-validate cert   <<
 chain                   <<
 trust-point ALMVPN

thanks mate.
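Putting the two posts together, the following is a minimal ASA 7.2 L2L configuration that authenticates with rsa-sig and binds the trustpoint both at the crypto map entry and in the tunnel-group, as the TAC fix describes. This is an added example, not the poster's or TAC's configuration; the trustpoint name ALMVPN and the map name Outside_map come from the thread, while the interface name Outside, the peer address 203.0.113.2, the protected subnets and the existence of a PSK-based remote-access group are assumptions.

```cisco
! Trustpoint holding the root CA and the manually enrolled identity cert
crypto ca trustpoint ALMVPN
 enrollment terminal
 crl configure
!
! Phase 1 policy: rsa-sig instead of pre-share
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable Outside
!
! "auto" is kept because a PSK remote-access group also exists on this box
! (assumption); with only certificate peers, "hostname" is the usual choice
crypto isakmp identity auto
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Constructed sample traffic selector between the two racks
access-list Outside_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 203.0.113.2
crypto map Outside_map 1 set transform-set ESP-AES-SHA
! Bind the trustpoint to the map entry so this ASA offers its own identity cert
crypto map Outside_map 1 set trustpoint ALMVPN
crypto map Outside_map interface Outside
!
! L2L tunnel-group keyed by the peer address; no pre-shared-key configured here,
! so the peer must be validated against the certificate it presents
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point ALMVPN
 peer-id-validate cert
 chain
```

After applying this on both racks, "show crypto isakmp sa" should show the SA in MM_ACTIVE and "debug crypto isakmp" should no longer report a pre-shared-key authentication attempt.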
