L2L VPN Tunnel only working over first IP in block

Jon C
Level 1

Probably an easy one, but I cannot seem to figure out what I am missing. I am trying to establish a VPN connection between 2 ASAs. On the primary site we have a /26 block with a starting IP of xxx.xxx.xxx.132.

We set up the two ASAs L2L with the secondary site pointing at a peer address of xxx.xxx.xxx.168 (well within our /26 block at the primary site) and we are unable to get past phase one, failing at MM_WAIT_MSG2. When we configure the secondary site to use the peer address of xxx.xxx.xxx.132, though, we can get the tunnel up and running. What do I need to do on the primary site to get the L2L VPN to utilize the outbound address of xxx.xxx.xxx.168?

5 Replies

pjain2
Cisco Employee

Hey Jon,

The tunnel should come up with xxx.xxx.xxx.168 ip as well. Please collect the below captures when you try to configure xxx.xxx.xxx.168 on the primary ASA and the secondary ASA:

capture cap interface <outside interface name> match ip host <primary asa ip> host <secondary asa ip>

"show cap cap" from both the ends after the tunnel is initiated.

This will show if there are any issues passing UDP 500 between both ends.

Please try to collect the same capture with the xxx.xxx.xxx.132 address as well.

From the capture on the Primary side it looks as though the secondary is able to talk to the Primary on that IP, but I am not seeing any response back.
This is what I am seeing on the Primary:

1: 11:47:24.185522 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.168.500: udp 440
2: 11:47:32.174093 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.168.500: udp 440
3: 11:47:40.174643 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.168.500: udp 440
4: 11:47:48.180441 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.168.500: udp 440
5: 11:47:59.177114 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.168.500: udp 440

We are going to run the same cap on the .132 address and will post results.

As soon as we move it back to the .132 address, the capture looks as expected. Is this possibly an issue with the ISP, or is there a firewall or routing setting I am missing?

1: 12:17:29.217487 XXX.XXX.XXX.254 > XXX.XXX.XXX.132: ip-proto-50, length 100
2: 12:17:34.219989 XXX.XXX.XXX.254 > XXX.XXX.XXX.132: ip-proto-50, length 100
3: 12:17:35.379039 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.132.500: udp 84
4: 12:17:35.379802 XXX.XXX.XXX.132.500 > XXX.XXX.XXX.254.500: udp 84
5: 12:17:39.210621 XXX.XXX.XXX.254 > XXX.XXX.XXX.132: ip-proto-50, length 100
6: 12:17:44.218250 XXX.XXX.XXX.254 > XXX.XXX.XXX.132: ip-proto-50, length 100
7: 12:17:45.377315 XXX.XXX.XXX.254.500 > XXX.XXX.XXX.132.500: udp 84
8: 12:17:45.378123 XXX.XXX.XXX.132.500 > XXX.XXX.XXX.254.500: udp 84
9: 12:17:49.209828 XXX.XXX.XXX.254 > XXX.XXX.XXX.132: ip-proto-50, length 100

pjain2
Cisco Employee

This looks like a UDP 500 block. Please apply a similar capture on the remote end to check if UDP 500 is being received there and being sent out.

You need to contact your ISP to check if they are blocking UDP 500.
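As an added example (not from any reply in this thread), a small Python script that parses ASA `show capture` output in the format posted above and reports whether IKE (UDP 500) is flowing one way or both ways for a given local address. The sample lines are constructed, with RFC 5737 documentation addresses standing in for the masked octets; the first sample reproduces the one-way pattern seen in the .168 capture, the second the healthy .132 pattern.

```python
import re
# Constructed samples in the format of ASA "show capture" output. The
# 198.51.100.x addresses (RFC 5737 documentation range) stand in for the
# masked XXX.XXX.XXX.x octets in the thread; .254 is the remote peer.
ONE_WAY_CAPTURE = """\
1: 11:47:24.185522 198.51.100.254.500 > 198.51.100.168.500: udp 440
2: 11:47:32.174093 198.51.100.254.500 > 198.51.100.168.500: udp 440
3: 11:47:40.174643 198.51.100.254.500 > 198.51.100.168.500: udp 440
"""
HEALTHY_CAPTURE = """\
1: 12:17:29.217487 198.51.100.254 > 198.51.100.132: ip-proto-50, length 100
2: 12:17:35.379039 198.51.100.254.500 > 198.51.100.132.500: udp 84
3: 12:17:35.379802 198.51.100.132.500 > 198.51.100.254.500: udp 84
4: 12:17:39.210621 198.51.100.254 > 198.51.100.132: ip-proto-50, length 100
"""
# "<seq>: <time> <src> > <dst>: <proto> ..."; a port is a fifth dotted field
LINE_RE = re.compile(r"^\d+:\s+\S+\s+(\S+)\s+>\s+(\S+):\s+(\S+)")

def split_host(token):
    """'a.b.c.d.500' -> ('a.b.c.d', 500); 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = token.split(".")
    return (".".join(parts[:4]), int(parts[4])) if len(parts) == 5 else (token, None)

def parse_capture(text):
    """Yield (src_ip, src_port, dst_ip, dst_port, proto) per packet line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, sport = split_host(m.group(1))
            dst, dport = split_host(m.group(2))
            yield src, sport, dst, dport, m.group(3).rstrip(",")

def diagnose(text, local_ip):
    """Count IKE (UDP/500) per direction and ESP (IP proto 50) on the local ASA's outside."""
    stats = {"ike_in": 0, "ike_out": 0, "esp": 0}
    for src, sport, dst, dport, proto in parse_capture(text):
        if proto == "udp" and 500 in (sport, dport):
            if dst == local_ip:
                stats["ike_in"] += 1
            elif src == local_ip:
                stats["ike_out"] += 1
        elif proto == "ip-proto-50":
            stats["esp"] += 1
    verdict = "no IKE from peer seen: check upstream filtering or routing"
    if stats["ike_in"] and not stats["ike_out"]:
        verdict = "one-way IKE: peer requests arrive, no reply leaves"
    elif stats["ike_in"]:
        verdict = "bidirectional IKE" + (", ESP flowing" if stats["esp"] else "")
    stats["verdict"] = verdict
    return stats
```

Run `diagnose(open("cap.txt").read(), "<local outside ip>")` on a saved `show cap cap` output; a one-way verdict on the local side means the peer's first message is reaching the address but the response is not being seen on the wire, which narrows the problem to the return path for that address rather than inbound filtering.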

Aundre Dudley
Level 1

Hello Jon,

This is more than likely a routing issue. When you give the ASA the .168 address, are you able to get out to the internet? Do you have an internet router that you are using to connect to the ISP or are you terminating the handoff directly on the ASA? 
