I'm trying to connect two sites together with an IPSec VPN tunnel between a couple of 5505s. I used the Wizard tool from the ASDM GUI and I am not able to get the two sites talking. What commands can I use to troubleshoot this problem from the "Command Line" menu option, or CLI? I have become more of a GUI guy since I began administering these ASAs, but I'm not opposed to using CLI. I just need a little bit of guidance on what I should be looking for while troubleshooting.
I have remote access to both ASAs from my desk and while reviewing the Syslog messages I see that Site A (56.X) is logging this message: "IP=X.X.X.X, Error: Unable to remove PeerTblEntry" and "IP=X.X.X.X, Removing peer from peer table failed, no match!", where "X.X.X.X" = Site B's outside IP address. Site B (92.X) Syslog messages are not saying anything about Site A at all.
Please let me know what information is needed to better understand my problem. I appreciate any help, Thanks!!
Sorry about the late reply, but I have copied my running config from both sites into a notepad for your review. Site A would be the 192.168.56.X network with an outside IP of X.X.52.61. Site B would be the 192.168.92.X network with an outside IP of X.X.53.105. I thought it'd be better to be safe and remove the outside WAN information and the encrypted password fields. :)
Let me know if you see anything that would help.
My research online is pointing to a NAT issue with one or both configurations.
The errors that you are seeing are generated due to a Phase 1 failure (ISAKMP). I think your ASA (Site B) does not support aes-256 for encryption on Phase 1. Can you please create a policy on Site B with the following encryption/hash etc. and retest your connection (your NAT appears fine to me, BTW).
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
If you are configuring using ASDM then :-
Configuration > Site-to-Site VPN > Advanced > IKE Policies
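Added example, not part of the original thread: IKEv1 Phase 1 completes only when both peers hold a policy with the same authentication, encryption, hash and DH group, so this Python script compares the `crypto isakmp policy` blocks of two running configs and flags DES/MD5 settings. The sample configs are constructed and the function names are hypothetical; it assumes each policy block lists its attributes explicitly.

```python
import re

MATCH_KEYS = ("authentication", "encryption", "hash", "group")
WEAK = {"encryption": {"des"}, "hash": {"md5"}}  # deprecated algorithms to flag
# Constructed sample configs (not the poster's real configuration).
SITE_A = """crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
SITE_B = """crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
"""

def parse_policies(config):
    """Return {priority: {attribute: value}} for each IKEv1 policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2:
                current[parts[0]] = parts[1]
        else:
            current = None  # left the policy block
    return policies

def common_proposals(a, b):
    """Priorities on peer A whose auth/encryption/hash/group also exist on peer B."""
    key = lambda p: tuple(p.get(k) for k in MATCH_KEYS)
    theirs = {key(p) for p in b.values()}
    return [prio for prio, p in sorted(a.items()) if key(p) in theirs]

def weak_settings(policies):
    """(priority, attribute, value) for every DES or MD5 setting found."""
    return sorted((prio, k, p[k]) for prio, p in policies.items()
                  for k in WEAK if p.get(k) in WEAK[k])

print(common_proposals(parse_policies(SITE_A), parse_policies(SITE_B)))
```

An empty list means no shared Phase 1 proposal exists, which is the condition the reply above suspects; lifetime is left out of the comparison because the ASA uses the shorter of the two values rather than requiring a match.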