site to site not starting up from one end

Hi all,

I've been running a site to site between two ASA 5505s (both on 8.4.2) successfully for some time. The site to site would shut down after some hours of inactivity, but a request (ping) from one of the two ends would fire it up again. But since I set up a 2nd site to site from SITE B to SITE C (at least, that is when I noticed it), I've noticed that I could only start up the VPN from SITE A and not from SITE B. So if I did a ping to an IP address on the SITE A side from SITE B, I would get a timeout. In the log at SITE B it does say requesting IPsec tunnel, but there is nothing in the log at SITE A.

When I do a ping from SITE A to SITE B, everything works like a charm.

I've deleted the VPN to SITE C from the config. That did not help. A reload did not help either. I also reconfigured the tunnel on SITE B; that also did not help.

The VPN configs of both sites are below... I am kinda stuck here, so any help is appreciated.

Thanks.

SITE A


snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 82.197.XXX.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
fqdn vpn.dobsons.nl
subject-name CN=vpn.XXXXXX.nl,OU=XXXXX,O=XXXXX,C=NL,L=XXXXXX
keypair dobsonvpn
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 03ad4e
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.114.50.9 255.255.255.255 inside
telnet timeout 5
ssh 10.114.50.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcp-client client-id interface outside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.67.79.202 source outside prefer
ssl trust-point ASDM_TrustPoint0 outside
webvpn
port 444
enable outside
anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.3055-k9.pkg 2
anyconnect image disk0:/anyconnect-linux-2.5.3055-k9.pkg 3
anyconnect profiles Dobson-VPN_client_profile disk0:/Dobson-VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Dobson-VPN internal
group-policy GroupPolicy_Dobson-VPN attributes
wins-server none
dns-server value 10.114.50.1
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SSL_Split
default-domain value dobson.local
webvpn
  anyconnect mtu 1200
  anyconnect profiles value Dobson-VPN_client_profile type user
group-policy GroupPolicy_82.197.XXX.XXX internal
group-policy GroupPolicy_82.197.XXX.XXX attributes
vpn-tunnel-protocol ikev1 ikev2
username admin password dgOFXV67XtnbGqeA encrypted privilege 15
tunnel-group 82.197.XXX.XXX type ipsec-l2l
tunnel-group 82.197.XXX.XXX general-attributes
default-group-policy GroupPolicy_82.197.XXX.xxx
tunnel-group 82.197.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Dobson-VPN type remote-access
tunnel-group Dobson-VPN general-attributes
address-pool DobsonVPNpool
authentication-server-group Dobson
default-group-policy GroupPolicy_Dobson-VPN
tunnel-group Dobson-VPN webvpn-attributes
group-alias Dobson-VPN enable

SITE B


nat (inside,outside) source static Houtwal-Subnet Houtwal-Subnet destination static Pluuthaven-Subnet Pluuthaven-Subnet no-proxy-arp route-lookup
!
object network obj_any
nat (inside,outside) dynamic interface
object network Torrents
nat (inside,outside) static interface service tcp 48199 48199
!
nat (inside,outside) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.114.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 92.254.XXX.XXX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 10.114.60.0 255.255.255.0 inside
ssh timeout 5
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.114.60.50-10.114.60.81 inside
dhcpd dns 10.114.50.1 82.197.196.182 interface inside
dhcpd auto_config outside interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 193.67.79.202 source outside prefer
webvpn
group-policy GroupPolicy_92.254.XXX.XXX internal
group-policy GroupPolicy_92.254.XXX.XXX attributes
vpn-tunnel-protocol ikev1 ikev2
username admin password MI60BeCZCBd.zzjR encrypted privilege 15
tunnel-group 92.254.XXX.XXX type ipsec-l2l
tunnel-group 92.254.XXX.XXX general-attributes
default-group-policy GroupPolicy_92.254.XXX.XXX
tunnel-group 92.254.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****


!
