Cisco Support Community

L2L VPN not initiating

Hi All,

We have a production site with an ASA5520 which has an L2L tunnel to another site which has been up/stable and working fine. I am trying to bring up a new site having another ASA5520 with IOS 7.0(7), and the tunnel is not initiating at all. The internet access is fine. Please find the attached SiteA (new site) config and prod site config (existing config with the additional configs I tried to bring up the tunnel). Please suggest where the issue is.

Thank you in advance

MS

9 REPLIES

Re: L2L VPN not initiating

The tunnel group and peer on PROD for the new vpn should be the ip address of SiteA ASA.

you have

crypto map Outside_map 40 set peer 9.12.12.8

tunnel-group 9.12.12.8 type ipsec-l2l

it should be....

crypto map Outside_map 40 set peer 8.14.88.82

tunnel-group 8.14.88.82 type ipsec-l2l

Re: L2L VPN not initiating

Apologies... that was my typo while changing IPs to post in the forum.

PROD ASA has the correct IPs for the new site at both places (set peer & tunnel-group).

Also, sysopt (permit-ipsec on one end, permit-ipsec on the other end) is already enabled.

Please find the correct attachments (with IPs matched).

Re: L2L VPN not initiating

Have you tried doing

###

no crypto map Outside_map interface Outside

crypto map Outside_map interface Outside

###

?

Re: L2L VPN not initiating

sysopt connection permit-vpn

it should be on both sides.

On PROD try do the following

###

no crypto map Outside_map interface Outside

crypto map Outside_map interface Outside

###

Re: L2L VPN not initiating

sysopt connection permit-vpn: based on IOS. Not every IOS on ASA supports the same command.

Did the no/crypto with no luck.

Thank you

MS

Re: L2L VPN not initiating

could you show the debugs?

debug crypto isakmp 10

debug crypto ipsec 10

Re: L2L VPN not initiating

Thank you all for your suggestions. I found the issue. There is a separate 'ISAKMP POLICY 10' existing on the PROD ASA which is taking precedence over 40. The tunnel came up with no issues once that was corrected.

Thank you once again for the suggestions.

MS

Re: L2L VPN not initiating

congratulations :)

But strange, because you had identical isakmp policies.

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption 3des

isakmp policy 40 hash md5

isakmp policy 40 group 5

isakmp policy 40 lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 5

lifetime 86400

Re: L2L VPN not initiating

That's one thing which I did not get. Even though I have identical policies, how come the other policy (even though the policy # is less) is taking over? So PROD ASA:

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash md5

group 5

lifetime 86400

Any clarification is appreciated..

Thank you

MS
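The question above turns on how the ASA picks a phase-1 policy when each peer has several. The script below is an added illustration written for this thread; it is not Cisco code and not the poster's configuration. It models the rule Cisco documents for IKEv1 on the ASA: the responder walks its own policies from the lowest priority number upwards and accepts the first one whose authentication, encryption, hash and DH group match any proposal the initiator sent; lifetime is not a match criterion, and the shorter of the two is used. Both the 7.x one-line `isakmp policy N ...` form and the later `crypto isakmp policy N` block form are parsed. The sample configs are constructed from the snippets posted in the thread, and with those lists alone the model finds a match at PROD 30 / SiteA 40, so whatever made policy 10 interfere is not visible in the posted lines. The audit function flags legacy primitives (DES/3DES, MD5, DH groups 1/2/5) that a reviewer would want to retire regardless.

```python
"""Model of ASA IKEv1 (ISAKMP) phase-1 policy selection plus a weak-primitive audit.

Added example for this thread, not Cisco's code.  Assumes each peer's proposal
list is its running config in priority order (lowest number first), which is the
order the ASA uses.  Sample configs below are constructed from the thread.
"""
import re
from dataclasses import dataclass

REQUIRED = ("authentication", "encryption", "hash", "group", "lifetime")


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int

    def matches(self, other):
        """Phase-1 match: everything except lifetime must be identical."""
        return (self.authentication == other.authentication
                and self.encryption == other.encryption
                and self.hash == other.hash
                and self.group == other.group)


# 7.x one-line form:  "isakmp policy 40 hash md5"
ONE_LINE = re.compile(r"^\s*(?:crypto )?isakmp policy (\d+) (\S+) (\S+)\s*$")
# block form header:  "crypto isakmp policy 30"  (attributes follow, usually indented)
BLOCK_START = re.compile(r"^\s*(?:crypto )?isakmp policy (\d+)\s*$")
ATTR = re.compile(r"^\s*(authentication|encryption|hash|group|lifetime) (\S+)\s*$")


def parse_isakmp_policies(config_text):
    """Return the ISAKMP policies in config_text as a list sorted by priority."""
    raw = {}         # priority -> {attribute: value}
    current = None   # priority of the block form being read, if any
    for line in config_text.splitlines():
        m = ONE_LINE.match(line)
        if m:
            raw.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = BLOCK_START.match(line)
        if m:
            current = int(m.group(1))
            raw.setdefault(current, {})
            continue
        m = ATTR.match(line)
        if m and current is not None:
            raw[current][m.group(1)] = m.group(2)
    policies = []
    for prio, attrs in sorted(raw.items()):
        missing = [a for a in REQUIRED if a not in attrs]
        if missing:  # the thread's snippets are complete, so no defaults are assumed
            raise ValueError(f"policy {prio} is missing {missing}")
        policies.append(IsakmpPolicy(prio, attrs["authentication"], attrs["encryption"],
                                     attrs["hash"], int(attrs["group"]), int(attrs["lifetime"])))
    return policies


def responder_selects(responder, initiator):
    """First responder policy (lowest number) matching any initiator proposal.

    Returns (responder_policy, initiator_policy, negotiated_lifetime) or None.
    """
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            if r.matches(i):
                return r, i, min(r.lifetime, i.lifetime)
    return None


def audit(policies):
    """List (priority, reasons) for policies still using legacy primitives."""
    findings = []
    for p in sorted(policies, key=lambda p: p.priority):
        reasons = []
        if p.encryption in ("des", "3des"):
            reasons.append(f"encryption {p.encryption}")
        if p.hash == "md5":
            reasons.append("hash md5")
        if p.group in (1, 2, 5):
            reasons.append(f"group {p.group}")
        if reasons:
            findings.append((p.priority, reasons))
    return findings


# Constructed from the PROD snippet in the thread (block form).
PROD_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 5
 lifetime 86400
"""

# Constructed from the SiteA snippet in the thread (7.x one-line form).
SITEA_CONFIG = """\
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash md5
isakmp policy 40 group 5
isakmp policy 40 lifetime 86400
"""

if __name__ == "__main__":
    prod, sitea = parse_isakmp_policies(PROD_CONFIG), parse_isakmp_policies(SITEA_CONFIG)
    for name, resp, init in (("PROD responding to SiteA", prod, sitea),
                             ("SiteA responding to PROD", sitea, prod)):
        sel = responder_selects(resp, init)
        print(name, "->", "no match" if sel is None else
              f"responder policy {sel[0].priority} / initiator policy {sel[1].priority}, lifetime {sel[2]}")
    for name, pols in (("PROD", prod), ("SiteA", sitea)):
        for prio, reasons in audit(pols):
            print(f"{name} policy {prio}: legacy settings: {', '.join(reasons)}")
```

Paste the `show run crypto isakmp` (or `show run isakmp` on 7.x) output of each peer into the two strings and run it in either direction; the model tells you which policy pair the responder would pick, which is the first thing to compare against `debug crypto isakmp` output when phase 1 fails.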
