
New Member

No VPN

Hi there.

I have a new asa at my new location and am attempting a site to site with my office based asa that currently has other vpn connections.

I am unable to initiate the connection and stumped as to why. Any help would be great. Attached is my current config.

15 REPLIES

Re: No VPN

You need to provide the config from the other end and "debug crypto isa" and "debug crypto ipsec" to troubleshoot the issue.

New Member

Re: No VPN

Hi.

Running the debug commands on my asa returned nothing. Are they the complete commands?

Attached is the requested configuration. 205.217.13.126 is the new asa that I'm attempting the connection with that holds the earlier configuration.

Thanks.

New Member

Re: No VPN

Also, I've run the following commands on both devices and both can ping each other. No errors appear.

debug crypto isakmp 200

debug crypto ipsec 200

debug crypto engine 200

Re: No VPN

At central site, "set pfs" is configured, which will use group2 by default.

At remote site, "crypto map outside_map 1 set pfs group1" is configured, so it will use group1.

Please check over your VPN config again. I did not go through all of them.

By the way, you can remove the following config; I don't think you need it.

vpnclient server 195.99.220.70

vpnclient mode client-mode

vpnclient vpngroup DefaultRAGroup password ********

After enabling the debug commands, make sure the logging level is set to 7. You need to initiate VPN-related traffic to bring up the VPN tunnel as well.
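The mismatch described above (a bare "set pfs", which the ASA treats as group2, on one side and "set pfs group1" on the other) is the kind of thing that is easy to miss when eyeballing two configs. The following is an added example, not code from the thread or from Cisco: it parses the "set pfs" line of a crypto map entry from each side's running config and reports the effective PFS group, applying the group2 default the reply above describes. The two config excerpts are constructed for the example; only the peer addresses are taken from the thread, and the transform-set name is assumed.

```python
import re

# Constructed config excerpts modelled on the thread: the central ASA has a bare
# "set pfs" (defaults to group2), the remote ASA has "set pfs group1".
CENTRAL_SITE_CONFIG = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 205.217.13.126
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

REMOTE_SITE_CONFIG = """
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer 195.99.220.70
crypto map outside_map 1 set transform-set ESP-3DES-SHA
"""

# "crypto map <name> <seq> set pfs [groupN]"; the group is optional.
PFS_RE = re.compile(r"^crypto map (\S+) (\d+) set pfs(?:\s+(group\d+))?\s*$")
ASA_DEFAULT_PFS = "group2"  # used when "set pfs" names no group (as stated in the thread)


def pfs_settings(config_text):
    """Return {(map_name, seq): pfs_group} for every crypto map entry with PFS.

    Entries that have no 'set pfs' line are absent from the dict, meaning PFS
    is not requested for that entry.
    """
    settings = {}
    for line in config_text.splitlines():
        m = PFS_RE.match(line.strip())
        if m:
            name, seq, group = m.groups()
            settings[(name, int(seq))] = group or ASA_DEFAULT_PFS
    return settings


def compare_pfs(local_cfg, remote_cfg, local_entry, remote_entry):
    """Compare the effective PFS group of one crypto map entry on each peer.

    Returns (local_group, remote_group, matches). A value of None means the
    entry has no 'set pfs' line at all on that side.
    """
    local = pfs_settings(local_cfg).get(local_entry)
    remote = pfs_settings(remote_cfg).get(remote_entry)
    return local, remote, local == remote


if __name__ == "__main__":
    entry = ("outside_map", 1)
    local, remote, ok = compare_pfs(CENTRAL_SITE_CONFIG, REMOTE_SITE_CONFIG, entry, entry)
    print(f"central={local} remote={remote} match={ok}")
```

The check only covers the PFS group; in practice the phase-2 proposal also has to agree on the transform set, so a full comparison would parse "set transform-set" the same way and compare the referenced transform sets' ESP algorithms.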

New Member

Re: No VPN

Hi.

Central site is set to group2.

Remote site is set to group1.

I've removed the config you suggested.

Console debug is set to level 7. How do I initiate VPN-related traffic to bring up the tunnels?

Re: No VPN

Here is the ACL you used in your vpn configuration

access-list outside_1_cryptomap extended permit ip object-group SavvisSloughPrivateNetworks object-group SMLOfficeNetworks

You need to have traffic which matches this ACL.

New Member

Re: No VPN

I'm not even getting to the point of testing the internal IP connectivity. Currently my asa's are not establishing a connection between each other. They can both ping each other's public IP addresses, but no VPN. I'm not sure where to start looking as my 'base' asa currently works with other devices I have in terms of site to site connectivity, but my new 'remote asa', nothing.

Any ideas from what you've seen in the previous configs?

Re: No VPN

If there is no traffic which needs to go through the VPN tunnel, the VPN tunnel won't come up. You need to initiate traffic which matches the ACL I mentioned in my previous email. You can just use a ping between two hosts in that ACL.

When the ASA gets the packet and finds it needs to go to the tunnel, it will start to establish the VPN tunnel and you would see the debug output for ISAKMP phase 1 and phase 2 negotiation.

New Member

Re: No VPN

Right, I think I understand what you mean.

I've attempted pings to both private subnets from each side and nothing.

ping 172.16.102.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.102.1, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

10.192.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.192.1.1, timeout is 2 seconds:

??Sep 02 17:14:08 [IKEv1]: IP = 90.16.237.27, Unsupported message length of 0

???

Success rate is 0 percent (0/5)

Re: No VPN

Did you ping from ASA to the other end's private IP?

If yes, does that ping packet match your ACL for VPN traffic? You did not get my point yet.
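The point being made in the two replies above is that the tunnel is only triggered by a packet that matches the crypto ACL, and a ping issued from the ASA itself is sourced from the ASA's own interface address, which is not in either object group. The following is an added example, not code from the thread or from Cisco, that evaluates the thread's crypto ACL against a candidate source/destination pair. The thread names the object groups but not their members, so the prefixes below are assumed from the private addresses that appear later in the thread (172.16.102.x at the office, 10.192.1.x at the remote site).

```python
import ipaddress

# Constructed object-group membership; the thread does not show the real members.
OBJECT_GROUPS = {
    "SavvisSloughPrivateNetworks": ["10.192.1.0/24"],  # remote-site LAN (assumed)
    "SMLOfficeNetworks": ["172.16.102.0/24"],          # central office LAN (assumed)
}

# The crypto ACL from the thread, as a parsed rule:
#   access-list outside_1_cryptomap extended permit ip
#       object-group SavvisSloughPrivateNetworks object-group SMLOfficeNetworks
CRYPTO_ACL = [("permit", "ip", "SavvisSloughPrivateNetworks", "SMLOfficeNetworks")]

# The remote ASA's own public address, from the thread.
ASA_OUTSIDE_IP = "205.217.13.126"


def _in_group(group_name, ip):
    """True if ip falls inside any prefix of the named object group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in OBJECT_GROUPS[group_name])


def matches_crypto_acl(src_ip, dst_ip):
    """True if an outbound packet src->dst on this ASA is selected for the tunnel.

    Only the outbound direction is evaluated here; the peer's mirror-image ACL
    handles the reverse direction on its side.
    """
    for action, proto, src_grp, dst_grp in CRYPTO_ACL:
        if action == "permit" and proto == "ip":
            if _in_group(src_grp, src_ip) and _in_group(dst_grp, dst_ip):
                return True
    return False


def explain_ping(src_ip, dst_ip):
    """Say whether a ping from src_ip to dst_ip would bring the tunnel up."""
    if matches_crypto_acl(src_ip, dst_ip):
        return "interesting traffic: the ASA will start IKE negotiation"
    return "not interesting traffic: no tunnel is triggered"


if __name__ == "__main__":
    # Ping from the ASA itself: sourced from its outside interface, so no match.
    print(explain_ping(ASA_OUTSIDE_IP, "172.16.102.1"))
    # Ping from a host on the remote LAN to a host on the office LAN: match.
    print(explain_ping("10.192.1.1", "172.16.102.101"))
```

On a real ASA the same question can be answered with "packet-tracer", but the logic is exactly this: the source address of a device-originated ping is an interface address, so it never matches a LAN-to-LAN crypto ACL.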

New Member

Re: No VPN

Hi there.

Pinging from a device on one end to another, I can see various entries within the logs. Attached is a snippet.

Thanks.

Re: No VPN

5|Sep 02 2009|17:05:10|713904|||Group = 195.99.220.70, IP = 195.99.220.70, All IPSec SA proposals found unacceptable!

<<< IPSEC SA proposals did not match.

In my previous email, I told you the PFS setting did not match. One side is pfs group1 and the other side is pfs group2. You need to configure them the same.
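The log line quoted above is in the pipe-delimited ASA syslog export format (severity, date, time, message id, two empty fields, message text). The following is an added example, not code from the thread or from Cisco, that parses lines in that format, pulls out the peer group and IP, and flags message 713904 with the diagnosis the reply gives (the phase-2 proposal was rejected, so the transform set and PFS group on both peers need to agree). The second sample line is constructed for the example; only the first is from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log. The first line is the one quoted in the thread; the
# second is an invented informational line in the same format.
SAMPLE_LOG = """\
5|Sep 02 2009|17:05:10|713904|||Group = 195.99.220.70, IP = 195.99.220.70, All IPSec SA proposals found unacceptable!
6|Sep 02 2009|17:05:11|999999|||Group = 195.99.220.70, IP = 195.99.220.70, constructed informational line
"""

# severity|date|time|msgid|<empty>|<empty>|text
LINE_RE = re.compile(
    r"^(?P<severity>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msg_id>\d{6})"
    r"\|[^|]*\|[^|]*\|(?P<text>.*)$"
)
# IKE messages carry "Group = <peer>, IP = <peer>, <message>"
CTX_RE = re.compile(r"Group = (?P<group>\S+), IP = (?P<ip>\S+), (?P<message>.*)$")

# Message ids with a known diagnosis. 713904 is the one from the thread; the
# hint restates the reply's conclusion about the phase-2 proposal mismatch.
KNOWN_FAILURES = {
    "713904": "IPsec (phase 2) proposal rejected: compare transform set and PFS "
              "group on both peers",
}


@dataclass
class IkeEvent:
    severity: int
    timestamp: str
    msg_id: str
    peer_group: Optional[str]
    peer_ip: Optional[str]
    message: str


def parse_line(line):
    """Parse one pipe-delimited ASA syslog line; return None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ctx = CTX_RE.match(m["text"])
    return IkeEvent(
        severity=int(m["severity"]),
        timestamp=f'{m["date"]} {m["time"]}',
        msg_id=m["msg_id"],
        peer_group=ctx["group"] if ctx else None,
        peer_ip=ctx["ip"] if ctx else None,
        message=ctx["message"] if ctx else m["text"],
    )


def triage(log_text):
    """Return [(peer_ip, msg_id, hint)] for every line with a known failure id."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None and ev.msg_id in KNOWN_FAILURES:
            findings.append((ev.peer_ip, ev.msg_id, KNOWN_FAILURES[ev.msg_id]))
    return findings


if __name__ == "__main__":
    for peer, msg_id, hint in triage(SAMPLE_LOG):
        print(f"peer {peer}: %ASA-{msg_id}: {hint}")
```

Keying the table on the six-digit message id rather than on the message text is deliberate: the text varies between software versions, while the id is stable and is what the ASA syslog documentation indexes.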

New Member

Re: No VPN

Excellent, that worked great, thanks. The VPN link is now up, but I am unable to ping any devices on the LAN in question. Again, here are some snippets from my logs while I'm running a ping to 10.192.1.1 from a server in my office.

I'm pretty sure the networks I've allowed are correct for the exempt rules.

Re: No VPN

I can see an ICMP connection was built for 172.16.102.101 and 10.192.1.1. Please check your routing end to end in both directions.

New Member

Re: No VPN

It looked like I just needed to add some static routes on my remote end. All working fine now.

Thanks very much for your help.
