Cisco Support Community

New Member

ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Please help.

When I do a 'show crypto isakmp sa' on asa5510 ver 7.2(1) for a L2L ipsec tunnel, this is the message it gives me. Pls explain what it means.

I have also attached the debug messages, please explain what that means.

9 REPLIES
Cisco Employee

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Hi

The sh cry isa sa output with MM_ACTIVE indicates that the main mode is in active state, i.e. phase 1 is up.

The debugs are indicating that it is failing at Quick Mode (QM) or phase 2. You would need to get the isa as well as ipsec debugs on both ends to find why it is failing at phase 2.

Thanks

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Hi

Some more results of debug for the ASA 5510 IPsec LAN-to-LAN VPN tunnel are attached. Please explain what this means.

Cisco Employee

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Hi

Looks like the debug was taken from the buffer and hence is incomplete and not really helpful. Is it possible to capture the debugs on the console or monitor session and log the entire debugs, right from the time the tunnel is starting to come up?

Thanks

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

If I am accessing the ASA from remote telnet rather than directly connected to the console, how can I capture debugs from a session monitor? How do I do a monitor session?

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Please explain the debug information I attached. This is from the ASA5510 ver 7.2(1).

I need help urgently, please.

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

This is a long shot since the debugs are incomplete. Check whether both sides are set up to do PFS (Perfect Forward Secrecy). You will find it under the crypto map statements on the ASA.

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Both Firewalls are set to do pfs group 2.

What next?

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Get the complete debugs; since we don't have the configurations, set the level of debugs to 255.

New Member

Re: ISAKMP and IPSEc on ASA5510 ver 7.2(1)

Hi

I set the level of debugs on the ASA to 255 for crypto isakmp & crypto ipsec.
