01-30-2010 07:58 PM - edited 03-11-2019 10:03 AM
Attempting to set up site-to-site IPsec VPN with two ASA 5505s with 8.0(5):
10.1.1.0/24 --> ASA 5505 (atl) --> Internet <-- ASA 5505 (bna) <-- 192.168.22.0/24
"There are no isakmp sas" and "There are no ipsec sas"
configs attached....
Any ideas?
02-03-2010 01:06 PM
Tunnel config is OK. Have you tried passing traffic through the tunnel to bring it up? Enable the following command on both firewalls:
management-access inside
Then go ahead and do a ping inside 192.168.22.1 from the asa-atl firewall. Do you get replies? Does the tunnel seem to come up?
02-03-2010 05:37 PM
Thank you for the response.
I enabled "management-access inside" on both ASAs, and pinged from the atl ASA. No response. No SAs. It's weird.
02-03-2010 07:30 PM
OK, turn on the following debug on both boxes and try again: debug crypto isakmp 50
Ping again with ping inside... and see what debug output you get on both, and paste it here please.
02-07-2010 06:22 PM
I think I forgot to specify the interface with my last ping, and when I specified ping through the inside interface, the tunnel came up.
So what was the key? What did "management-access inside" do?
Thanks for your help.
02-08-2010 07:08 AM
No magic there. The only thing we did was to allow the ASA to send pings sourced from its inside interface, which will then match the interesting crypto ACL and then bring the tunnel up. The management-access command helps for administration of the ASA via an IPsec tunnel for https, telnet, ssh and some other features.
As for your tunnel, you always need to pass traffic for the tunnel to be built.
03-05-2010 09:23 AM
This helped resolve my issue as well, and I didn't have to call the client to test. Thank you.