Cisco Support Community

New Member

L2L VPN couldn't up

I tried to set up an L2L VPN tunnel, but it failed. This tunnel is between a Cisco IOS router and an ASA. I attached the debug info. Please check it and let me know why the tunnel could not come up.

5 REPLIES

Re: L2L VPN couldn't up

Hi,

According to the debugs, it seems that phase 1 is up.

You should see phase 1 active with the command: sh cry isa sa (on both ends)

If this is the case (it seems like it), phase 2 is not establishing.

Check the status of phase 2 with the command: sh cry ips sa (on both ends)

If the problem is with phase 2, check the transform-set that you have assigned on each end for the crypto map and make sure the encryption and hash match on both sides (no PFS enabled, or enabled on both ends).

I think the debugs that you attached are not the entire negotiation, but either way the problem seems to be with phase 2.

Federico.

New Member

Re: L2L VPN couldn't up

I don't think phase 1 was up, since the ISAKMP status is MM_NO_STATE. If the tunnel was up, the status should be QM_IDLE. The problem is that when I typed the command show crypto isakmp sa, I found 3 entries for this tunnel: 2 are in MM_NO_STATE (deleted) and 1 is in QM_IDLE. Even when I cleared the ISAKMP SA, there was no change in the result.

Re: L2L VPN couldn't up

The fact that you see the phase 1 SA in QM_IDLE means it is up.

The problem is then with phase 2.

Can you post/check the settings?

Federico.
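The reading of `show crypto isakmp sa` discussed above (one live QM_IDLE entry next to leftover MM_NO_STATE entries for the same tunnel), as an added example that is not part of the original thread. The sample output is constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of IOS `show crypto isakmp sa` output (documentation addresses).
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.1    MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.10    198.51.100.1    MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.10    198.51.100.1    QM_IDLE           1003 ACTIVE
192.0.2.77      198.51.100.1    MM_NO_STATE          0 ACTIVE (deleted)
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^{IP}\s+{IP}\s+([A-Z0-9_]+)\s+(\d+)\s+(.*)$")

def parse_isakmp_sa(text):
    """Return one dict per SA row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id),
                         "deleted": "(deleted)" in status})
    return rows

def phase1_summary(rows):
    """Group rows by endpoint pair (direction-independent, since dst/src
    depend on which side initiated). A pair counts as up if any row is a
    live QM_IDLE SA; every other row is counted separately."""
    pairs = defaultdict(lambda: {"up": False, "other": 0})
    for r in rows:
        entry = pairs[tuple(sorted((r["dst"], r["src"])))]
        if r["state"] == "QM_IDLE" and not r["deleted"]:
            entry["up"] = True
        else:
            entry["other"] += 1
    return dict(pairs)

if __name__ == "__main__":
    for pair, info in phase1_summary(parse_isakmp_sa(SAMPLE)).items():
        verdict = ("phase 1 up, move on to show crypto ipsec sa" if info["up"]
                   else "phase 1 not established")
        print(f"{pair[0]} <-> {pair[1]}: {verdict}; {info['other']} other entries")
```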

New Member

Re: L2L VPN couldn't up

I only have my side's configuration, and I attached it. Please check it.

Re: L2L VPN couldn't up

Since we have determined that the problem is on phase 2, then please check the following:

The phase 2 policy on the other end is set up for 3DES and SHA, also no PFS is used.

The interesting traffic matches the flow between the same hosts on the other side.

Federico.
