Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Site-Site IPSec VPN Problems - Help?

Hello All,

I'm trtying to connect two sites together with an IPSec VPN tunnel between a couple of 5505s.  I used the Wizard tool from the ASDM GUI and I am not able to get the two sites talking.  What commands can I use to troubleshoot this problem from the "Command Line" menu option, or CLI?  I have become more of a GUI guy since I began administering these ASA's, but I'm not opposed to using CLI.  I just need a little bit of guidance on what I should be looking for while troubleshooting.

I have remote access to both ASA's from my desk and while reviewing the Syslog messages I see that Site A (56.X) is logging  this message: "IP=X.X.X.X, Error: Unable to remove PeerTblEntry"     and    "IP=X.X.X.X, Removing peer from peer table failed, no match!".  Where "X.X.X.X = Site B's outside IP address.  Site B (92.X) Syslog messages are not saying anything about Site A at all.

Please let me know what information is needed to better understand my problem.  I appreciate any help, Thanks!!

Joey

5 REPLIES

Re: Site-Site IPSec VPN Problems - Help?

Hi Joey,

Verify IP connectivity between both sites (perhaps a PING).

Also, use this commands:

debug cry isa 127

debug cry ips 127

They will show us if there's any problem with the VPN.

Federico.

New Member

Re: Site-Site IPSec VPN Problems - Help?

I can PING the outside IP across the WAN from both sides to each other.  I cannot PING the inside, or protected

networks like 192.168.92.X and 192.168.56.X.

I can't run the command "debug cry isa 127" from the ASDM GUI.  Any other suggestions?

Thanks

Re: Site-Site IPSec VPN Problems - Help?

Well... if you can't PING the protected networks most likely is because the VPN is not establishing correctly.

In order to find why I was suggesting the above commands (as you mentioned you can run them in CLI).

If have access only to ASDM maybe you can get a copy of the configuration for us to check it out.

Federico.

New Member

Re: Site-Site IPSec VPN Problems - Help?

Sorry about the late reply, but I have copied my running config from both sites into a notepad for your review.  Site A would

be the 192.168.56.X network with an outside IP of X.X.52.61.  Site B would be the 192.168.92.X network with an outside IP of X.X.53.105.  I thought it'd be better to be safe and remove the outside WAN information and the encrypted password fields.  : )

Let me know if you see anything that would help.

My research online is pointing to a NAT issue with one or both configurations.

Thank you,

Joey

Re: Site-Site IPSec VPN Problems - Help?

Hi joey,

The errors that you are seeing are generated due to Phase 1 faileur ( isakmp ). I think your ASA ( site B ) doesnot support aes-256 for encryption on phase 1. can you please create an policy on the site B with following encryption/hash etc and retest your connection ( you Nat appears fine to me BTW ).

crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

If you are configuring using ASDM then :-

Configuration > Site-to-Site VPN > Advanced > IKE Policies

click add tab and enter above mentioned values.

Manish

410
Views
0
Helpful
5
Replies
CreatePlease login to create content