Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1409
Views
5
Helpful
6
Replies

ASA L2L VPN Tunnel Will Not Establish

TW80CJ5
Level 3
Level 3

‎09-02-2021 10:09 AM

Hello Everyone...

 

We are having a problem with one of our tunnels establishing a L2L connection. This tunnel has previously established with our current settings. We have rebuilt our crypto on both ends and verified the pre shared key. The tunnel will not form.

 

Please see the attached debugs of the following:

 

Debug crypto condition peer 192.168.10.145
Debug crypto ikev2 platform 255
Debug crypto ikev2 protocol 255
Debug crypto ipsec 255

 

Ideas / Suggestions ? 

Labels:
Preview file
32 KB
0 Helpful
6 Replies 6

Georg Pauwen
VIP
VIP

‎09-02-2021 11:12 AM

Hello,

 

what is connected on the other side ? Post the configurations of both the ASA as well as the other device...

0 Helpful

TW80CJ5
Level 3
Level 3
In response to Georg Pauwen

‎09-02-2021 11:15 AM

They are both Cisco ASA 5545X. Which part of the config are you interested in. It will take  some time to scrub it so anything specific I can get to you in the meantime....???

 

0 Helpful

Georg Pauwen
VIP
VIP
In response to TW80CJ5

‎09-02-2021 12:08 PM

Hello,

 

basically just the parts below (this is a sample of an IKEv2 L2L VPN):

 

crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
!
object network OBJ-LAN-SITE_A
subnet 192.168.1.0 255.255.255.0
object network OBJ-LAN-SITE_B
subnet 192.168.2.0 255.255.255.0
!
access-list VPN-TRAFFIC-ACL extended permit ip object OBJ-LAN-SITE-A object OBJ-LAN-SITE-B
nat (inside,outside) source static OBJ-LAN-SITE-A OBJ-LAN-SITE-A destination static OBJ-LAN-SITE-B OBJ-LAN-SITE-B no-proxy-arp route-lookup
!LAN-
tunnel-group 100.100.100.1 type ipsec-l2l
tunnel-group 100.100.100.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev2 ipsec-proposal VPN-TS
protocol esp encryption aes-256
protocol esp integrity sha-1
!
crypto map CRYPTO-MAP 1 match address VPN-TRAFFIC-ACL
crypto map CRYPTO-MAP 1 set peer 100.100.100.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TS
crypto map CRYPTO-MAP interface outside

TW80CJ5
Level 3
Level 3
In response to Georg Pauwen

‎09-02-2021 12:54 PM

I will work on getting you this information and will follow up with. Currently working with the ISP as they completed a circuit swap "upgrade" yesterday...

Thanks for the help!
0 Helpful

TW80CJ5
Level 3
Level 3

‎09-03-2021 08:35 AM

Worked with ISP and they inadvertently changed our public AS number that we had in our configuration. Once they changed it back...the tunnel popped right back up. Thanks for the willingness to help!!!!!!

0 Helpful

Georg Pauwen
VIP
VIP
In response to TW80CJ5

‎09-03-2021 10:21 AM

Hello,

 

thanks for the update, good to kmow that everything is working now...

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card