Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1026
Views
0
Helpful
6
Replies

CISCA ASA VPN L2L UNSTABLE

Pedro Javier Herrera Diaz
Level 1
Level 1

‎10-30-2012 03:51 PM - edited ‎03-11-2019 05:16 PM

Hi, I have a problem with a VPN L2L, initially I was using it to comunicate with  a remote client but last week a migrate the traffic to a dedicated channel, i just modified the route so the traffic right now is out for the dedicated channel but I let the the L2L VPN active. However I ckeked the VPN state and IT´S NOT ACTIVE, it´s keep jumping between states, one second is in state MM_WAIT_MSG3 and second later MM_WAIT_MSG3 and later is in Active.

Thanks for your answers.

Labels:
0 Helpful
6 Replies 6

Julio Carvajal
VIP Alumni
VIP Alumni

‎10-30-2012 03:55 PM

Hello Javier,

As I understand you do not need to use the L2L tunnel any more right?

Why don't you eliminate the setup?

Hope I have understood the question!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Pedro Javier Herrera Diaz
Level 1
Level 1
In response to Julio Carvajal

‎10-30-2012 07:05 PM

Hello jcarvaja, like yolu said I don´t need the L2l but I would like to keep it active like a backup channel, the problem is the behavior of the VPN, why the behavior of the VPN?

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni
In response to Pedro Javier Herrera Diaz

‎10-30-2012 09:08 PM

Hello Pedro,

Can you share the configuration of your ASA?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Pedro Javier Herrera Diaz

‎10-31-2012 12:31 AM

Hi,

My guess would be that you are seeing the Phase1 negotiations go through as usually everyone has indentical Phase1 policys on their VPN equipment. So the Phase2 negotiations don't go through and I'd presume the remote end has deleted the actual L2L VPN configurations since you have dedicated connectection between you.

The remote end might have a network setup that doesnt permit having the L2L VPN configuration. In other words it might be that if the remote end had the L2L VPN configuration (including the Phase2 configurations), connections between your 2 LANs just wouldnt work as the routing would be asymmetrical (if thats even the word )

This could happen for example in a situation where the remote end has an ASA firewall and the new dedicated connection comes to the ASA on another interface. In other words the remote ASA can't have the L2L VPN configuration with your LAN network defined in both the L2L VPN and as a route towards the dedicated link.

- Jouni

0 Helpful

Pedro Javier Herrera Diaz
Level 1
Level 1
In response to Jouni Forss

‎10-31-2012 08:36 PM

Hi Jouni, thaks for your answer but how I confirmed that? Which command can I use to confirm the intends of conection or how can I see the error of conection?

0 Helpful

Pedro Javier Herrera Diaz
Level 1
Level 1

‎11-14-2012 01:30 PM

Hi everyone I solved my problem, the L2L VPN was fine the problem is that not traffic it was been route for the VPN, I route part of the traffic for the VPN and it´s work fine. The state remain in active.

Thanks all for your answer.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card