Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Replacing An Cisco 1711 with ASA5510

I need some help getting some VPN connections up and running on an asa5510. I will Post the old config for the Cisco-1711. I have tried coping all the settings over to the asa, but I must not be copying them right. Let me know what i am doing wrong. I will also posts the error's i am getting in debug mode as well.

All but one of the remote vpns is a 1711. The remaning vpn is a 1811. I can get the config form the remote sites if needed.

Thank You

Everyone's tags (3)
2 REPLIES
Cisco Employee

Re: Replacing An Cisco 1711 with ASA5510

the vpn configuration is a lot different, lets start by migrating one tunnel and then you can use it as an example and do the rest

http://www.cisco.com/en/US/products/ps5855/products_configuration_example09186a0080a9a7a3.shtml

this link has configurations for both router and asa, probabaly you can look at it and learn as to how to do it

Cisco Employee

Re: Replacing An Cisco 1711 with ASA5510

Hi Brandon,

From the config, I can see that you have setup 5 peers for the vpn. Could you please tell whether the vpn tunnel is not coming up with all the peers or only a few? In the later case please mention the peer ip addresses with which the IPSec tunnel is not coming up and attach the config for those peers.

I see a few mismatch in the router's and ASA's configs. The router is configured with tunnel interfaces and hence is using a GRE over IPSec tunnel with the remote peers. On the router, the crypto ACL's allow only gre traffic through the vpn tunnel, whereas on the ASA we are allowing all the traffic from one network to the remote network to go through the vpn tunnel.

From the debugs, I can see the following:

1>Oct 01 19:21:14 [IKEv1]: Group = 76.79.2.90, IP = 76.79.2.90, Session is being torn down. Reason: Phase 2 Mismatch

This suggests that there is a mismatch in phase 2 configuration, so it could either be the transform set or the crypto acl. If we check the config, we can see that the router is allowing only the gre traffic to go through the vpn tunnel but the ASA is allowing all traffic from 192.168.8.0/24 to 192.168.7.0/24

Could you please check if we have the corrosponding ACL in the crypto map at the peer site also.

2> We see the above debugs for peer 64.68.188.69:

Oct 01 19:22:59 [IKEv1]: Group = 64.68.188.69, IP = 64.68.188.69, Session is being torn down. Reason: Phase 2 Mismatch

So, it seems to be to the same issue with this peer as well.

I also see the following debugs:

Oct 01 19:23:17 [IKEv1]: Group = 24.111.19.58, IP = 24.111.19.58, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting

Could you also please check if the pre-shared-key for the peers are correct.

Regards

Apaar

713
Views
0
Helpful
2
Replies