Cisco Support Community

Cisco ASA 5520 with 2 Internet Interfaces: VPN Creation Problem

Hi, I have a Cisco ASA 5520 firewall that has 2 interfaces connected to the internet, let's say Internet-1 and Internet-2. The default route is via Internet-1.

All the VPNs are built on the Internet-1 interface. Now I am trying to migrate one VPN to the Internet-2 interface and it's not working.

I have enabled ISAKMP on the Internet-2 interface, and a static route to route the VPN remote-end IP to the Internet-2 router. But when I trigger the interesting traffic, I can see the traffic on my firewall but it is not triggering the VPN build-up on the Internet-2 interface. If I rebuild that VPN on Interface-2, I can see the VPN triggering (attributes exchange etc.). Is there any specific thing I have to do on my firewall so that the VPN on the Internet-2 interface will be triggered? Any troubleshooting steps? Please help me.


Re: Cisco ASA 5520 with 2 Internet Interfaces: VPN Creation Prob

I can think of a few things to double-check:

1. Make sure the crypto map is applied to your Internet-2 interface

2. Double check that the interesting traffic ACL on your end is an exact mirror of the ACL on the remote end.

3. Double check your debug for exactly when the VPN build-up is stopping. If it's in phase 1, then check your ISAKMP settings and verify you are using matching settings. If it's in phase 2 (IPsec), then double check your crypto map settings.

Good luck!
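Added example, not part of the reply above: one way to run the mirror check from item 2 offline, by parsing the crypto ACL from each peer's saved configuration and comparing one side against the other with source and destination swapped. The ACL names, addresses and configuration lines are constructed for illustration, and the parser assumes plain `permit ip` style entries without port operators.

```python
import ipaddress

# Constructed sample configs (not from the thread): local ASA and remote peer.
LOCAL_CFG = """\
access-list VPN-SITE-B extended permit ip 10.1.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list VPN-SITE-B extended permit ip host 10.1.9.5 192.168.5.0 255.255.255.0
"""
REMOTE_CFG = """\
access-list VPN-HQ remark permit HQ traffic into the tunnel
access-list VPN-HQ extended permit ip 192.168.5.0 255.255.255.0 10.1.0.0 255.255.255.0
"""

def _take(tokens):
    """Consume one address spec (any | host ADDR | NET MASK) from the token list."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)

def parse_crypto_acl(config, name):
    """Return the set of (protocol, source, destination) permit entries of ACL `name`."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", name] or tokens[2:3] == ["remark"]:
            continue
        if "permit" not in tokens:
            continue  # deny lines do not define interesting traffic
        rest = tokens[tokens.index("permit") + 1:]
        proto = rest.pop(0)
        src = _take(rest)
        dst = _take(rest)
        entries.add((proto, src, dst))
    return entries

def mirror_mismatches(local, remote):
    """Swap source/destination on the remote entries and diff against the local ones."""
    expected = {(proto, dst, src) for proto, src, dst in remote}
    return {"missing_locally": expected - local, "missing_on_remote": local - expected}

if __name__ == "__main__":
    result = mirror_mismatches(parse_crypto_acl(LOCAL_CFG, "VPN-SITE-B"),
                               parse_crypto_acl(REMOTE_CFG, "VPN-HQ"))
    for side, entries in result.items():
        for proto, src, dst in sorted(entries, key=str):
            print(f"{side}: permit {proto} {src} -> {dst}")
```

Any entry reported under either key is a proxy-identity mismatch that would stop phase 2 from completing for that traffic.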

Re: Cisco ASA 5520 with 2 Internet Interfaces: VPN Creation Prob


The following is required when you set an IPsec tunnel on a firewall:

Phase 1 (ISAKMP - Key session):

1- ISAKMP -- Key

2- Authentication

3- Encryption

4- Hash algorithm

Phase 2 (IPsec):

1- Key

2- Encryption

3- Hash Algorithm

You should make sure your ISAKMP SA peers are established and your IPsec session as well.

Your IPsec crypto map should have a new sequence number configured, or change the peer address to the new one.

Assign the crypto map to the appropriate interface.

Verify with:

sh crypto isakmp peer (verify IKE peer)

sh crypto session (verify IPsec)

sh crypto session detail (Verify IPsec counting packets).


