03-19-2024 06:58 AM - edited 03-20-2024 04:12 AM
Good morning, Cisco community. We're having an issue with a Cisco ASA 5525 that we had working as a VPN hub. The configuration of the VPN is an IPsec tunnel with ikev1, and the clients are Cisco ASA 5505 devices with custom certificates issued with a technical PKI (using SHA 256).
About that last point, we recently performed a certificate migration from SHA-128 to the aforementioned SHA-256 certificates. In fact, we have a main production environment where we performed the same migration and the VPNs can be established without any issues. But in this environment, the tunnels just don't work and we are unsure what else we can try.
When we run a debug on the ASA VPN hub (debug crypto ikev1 255) we can see the client payloads and their certificates, but we constantly get a message that the username or password is incorrect. If we check the client ASA with the command show crypto isakmp sa, it's always stuck in MM_WAIT_MSG2.
The last thing we tried was making sure that all the trustpoints and CRLs are correctly configured, just like in the main environment.
Any ideas would be very helpful. Thank you in advance.
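As an added example (not from the original post, and not Cisco's own tooling): an offline pre-flight check with openssl on the certificates before they are imported into the hub and spoke trustpoints. It builds its own throwaway PKI (the CA name Example-PKI-CA, the spoke name asa5505-spoke1.example.test and the CRL URL pki.example.test are constructed for the demo) and reports, per certificate, the signature hash actually used (the thing a SHA-1 to SHA-256 migration changes), whether it chains to the intended CA, whether a CRL distribution point is present, and whether it is valid right now. A spoke certificate issued by an unrelated CA is included to show what an issuer/trustpoint mismatch looks like in the output.

```shell
#!/bin/sh
# Added example, not from the thread. Pre-flight checks on certificates destined
# for ASA trustpoints. All names and URLs below are constructed for the demo;
# point the report() calls at the exported PEM files of a real hub/spoke instead.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# --- Constructed test PKI: a SHA-256 CA, a spoke cert it issued (with a CRL DP),
# --- and a spoke cert from an unrelated CA (stands in for a wrong trustpoint).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Example-PKI-CA" -keyout ca.key -out ca.pem >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/CN=Other-CA" -keyout other.key -out other.pem >/dev/null 2>&1
printf 'crlDistributionPoints=URI:http://pki.example.test/ca.crl\n' > ext.cnf
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=asa5505-spoke1.example.test" -keyout spoke.key -out spoke.csr >/dev/null 2>&1
openssl x509 -req -in spoke.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -sha256 -days 365 -extfile ext.cnf -out spoke.pem >/dev/null 2>&1
openssl x509 -req -in spoke.csr -CA other.pem -CAkey other.key -CAcreateserial \
  -sha256 -days 365 -out spoke-wrongca.pem >/dev/null 2>&1

# Signature algorithm on the certificate, e.g. sha256WithRSAEncryption.
# A cert still reading sha1WithRSAEncryption was not reissued by the migration.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Does the peer certificate chain to the CA the trustpoint holds? yes/no
chain_ok() {  # $1 = CA PEM, $2 = peer cert PEM
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Is a CRL distribution point present? Matters when the trustpoint checks CRLs.
has_crl_dp() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CRL Distribution Points'; then
    echo yes
  else
    echo no
  fi
}

# Is the certificate valid right now? (-checkend 0 exits 0 if it has not expired.)
not_expired() {
  if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo yes; else echo no; fi
}

# One line per certificate, checked against the CA given as the first argument.
report() {  # $1 = CA PEM, $2 = peer cert PEM
  printf '%-20s sig=%s chain=%s crl_dp=%s valid=%s\n' "$2" \
    "$(sig_alg "$2")" "$(chain_ok "$1" "$2")" "$(has_crl_dp "$2")" "$(not_expired "$2")"
}

report ca.pem spoke.pem
report ca.pem spoke-wrongca.pem
```

Run it as-is to see the two report lines, then replace the `report` calls with the CA certificate loaded in the hub's trustpoint and the certificates exported from each spoke; a `chain=no` against the CA the hub trusts, or an unexpected `sig=`, narrows the search before any further `debug crypto ikev1` sessions. On the ASA itself, `show crypto ca certificates` and `show crypto ca trustpoints` show what is actually installed and can be compared against this output.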
03-19-2024 07:32 AM
Can I see the hub and spoke config?
MHM
03-20-2024 04:14 AM