01-07-2014 01:20 PM - edited 03-11-2019 08:26 PM
Hi Everyone,
I have a new setup with 2 different networks:
Network 1
Switch and ASA 5505
Network 2
Switch and ASA 5505
Networks 1 and 2 are at different locations on the same site.
At both of the above networks, the PC connected to the switch gets its IP from the ASA 5505.
In order to get to the internet, both of the above networks have an L2L tunnel from their ASA 5505 to an ASA 5520.
The ASA 5505 has its default gateway configured as the ASA 5520.
When I do sh crypto isakmp sa on the 5505 it shows the peer tunnel IP, but the state is MM_ACTIVE.
I need to confirm whether the tunnel is building up between the 5505 and the 5520.
From the ASA 5505 I can ping the ASA 5520.
01-07-2014 01:25 PM
Hi,
The output you are looking at is from Phase 1, which states that Main Mode is used, and Phase 1 seems to be fine.
I would try the following commands to better determine the L2L VPN state/situation:
show crypto ipsec sa peer
show vpn-sessiondb detail l2l
You can naturally also use ASDM: check the Monitoring section and from there the VPN section. You might have to use a drop-down menu on the actual VPN page to select Site to Site VPN / L2L VPN so you can list the L2L VPN connections possibly active on the ASA.
Hope this helps
- Jouni
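The two commands above print plain text, and the judgement a practitioner makes from it (has phase 2 completed, is traffic flowing in both directions, what does a 0.0.0.0/0 remote ident mean) can be made by a script. The following is an added example written for this page, not code from the thread or from Cisco. It parses the output of show crypto ipsec sa peer and returns a verdict; the sample input is the 5505 output posted later in this thread, trimmed to the lines the parser reads, and the status names and note wording are the example's own.

```python
"""Judge the state of an ASA IKEv1 L2L tunnel from `show crypto ipsec sa peer`.

Added example, not from the thread or from Cisco: it parses the text the
command prints and turns it into a verdict instead of eyeballing the counters.
"""
import re

# Sample input: the 5505 output posted in the thread, trimmed to the lines
# this parser reads (indentation approximated).
SAMPLE_SA = """\
peer address: 10.31.2.30
    Crypto map tag: COMMC_Traffic_Crypto, seq num: 1, local addr: 10.31.2.19
      access-list XC_Traffic extended permit ip 192.168.2.128 255.255.255.192 any
      local ident (addr/mask/prot/port): (192.168.2.128/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.31.2.30
      #pkts encaps: 1066, #pkts encrypt: 1066, #pkts digest: 1066
      #pkts decaps: 3611, #pkts decrypt: 3611, #pkts verify: 3611
      #send errors: 0, #recv errors: 0
      current outbound spi: 06DFBB67
      current inbound spi : 09900545
    inbound esp sas:
      spi: 0x09900545 (160433477)
         in use settings ={L2L, Tunnel, IKEv1, }
         sa timing: remaining key lifetime (kB/sec): (3914702/24743)
    outbound esp sas:
      spi: 0x06DFBB67 (115325799)
         in use settings ={L2L, Tunnel, IKEv1, }
         sa timing: remaining key lifetime (kB/sec): (3914930/24743)
"""

_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
_SPI = re.compile(r"\bspi: 0x([0-9A-Fa-f]+)")
_LIFE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")
_ERRS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def _esp_sa(section):
    """One ESP SA (the inbound or outbound section), or None if it is empty."""
    spi, life = _SPI.search(section), _LIFE.search(section)
    if not spi or not life:
        return None
    return {"spi": spi.group(1).upper(),
            "kb_left": int(life.group(1)), "sec_left": int(life.group(2))}


def parse_ipsec_sa(text):
    """Pull the SA pair, packet counters, proxy identities and error counts."""
    head, _, out_part = text.partition("outbound esp sas:")
    in_part = head.partition("inbound esp sas:")[2]
    counters = {k: int(v) for k, v in _COUNTER.findall(text)}
    errs = _ERRS.search(text)
    return {
        "inbound": _esp_sa(in_part),
        "outbound": _esp_sa(out_part),
        "encaps": counters.get("encaps", 0),
        "decaps": counters.get("decaps", 0),
        "idents": {side: (addr, mask) for side, addr, mask in _IDENT.findall(text)},
        "errors": (int(errs.group(1)), int(errs.group(2))) if errs else (0, 0),
    }


def assess(sa):
    """Return (status, notes); status is down, up-idle, up-send-only,
    up-recv-only or up-bidirectional."""
    notes = []
    if not sa["inbound"] or not sa["outbound"]:
        notes.append("no ESP SA pair: phase 2 has not completed for this peer "
                     "(crypto ACL / transform-set mismatch, or no interesting traffic yet)")
        return "down", notes
    if sa["encaps"] and sa["decaps"]:
        status = "up-bidirectional"
    elif sa["encaps"]:
        status = "up-send-only"
        notes.append("encaps > 0 but decaps == 0: nothing comes back through the tunnel; "
                     "check routing, NAT exemption and the crypto ACL on the far side")
    elif sa["decaps"]:
        status = "up-recv-only"
        notes.append("decaps > 0 but encaps == 0: local traffic is not steered into the "
                     "tunnel; check the local route and NAT exemption")
    else:
        status = "up-idle"
    if sa["idents"].get("remote") == ("0.0.0.0", "0.0.0.0"):
        notes.append("remote ident 0.0.0.0/0: the crypto ACL destination is 'any', "
                     "so all traffic from the local network is sent to this peer")
    if any(sa["errors"]):
        notes.append("send/recv errors are non-zero: %d/%d" % sa["errors"])
    return status, notes


if __name__ == "__main__":
    verdict, notes = assess(parse_ipsec_sa(SAMPLE_SA))
    print(verdict, *notes, sep="\n - ")
```

Run against the posted output it reports up-bidirectional, and flags the 0.0.0.0/0 remote ident, which is the detail Jouni picks up on in his next reply. The one-way cases (send-only, recv-only) are the ones worth a script: an SA pair with encaps climbing and decaps stuck at zero looks "up" in show crypto isakmp sa, yet carries no useful traffic.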
01-07-2014 01:51 PM
Hi Jouni,
I will use the above commands and update you.
Regards
Mahesh
01-07-2014 02:03 PM
Hi Jouni,
Here is the info below:
sh crypto ipsec sa peer 10.31.2.30
peer address: 10.31.2.30
Crypto map tag: COMMC_Traffic_Crypto, seq num: 1, local addr: 10.31.2.19
access-list XC_Traffic extended permit ip 192.168.2.128 255.255.255.192 any
local ident (addr/mask/prot/port): (192.168.2.128/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 10.31.2.30
#pkts encaps: 1066, #pkts encrypt: 1066, #pkts digest: 1066
#pkts decaps: 3611, #pkts decrypt: 3611, #pkts verify: 3611
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1066, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.31.2.19/0, remote crypto endpt.: 10.31.2.30/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 06DFBB67
current inbound spi : 09900545
inbound esp sas:
spi: 0x09900545 (160433477)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: COMMC_Traffic_Crypto
sa timing: remaining key lifetime (kB/sec): (3914702/24743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x06DFBB67 (115325799)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 12288, crypto-map: COMMC_Traffic_Crypto
sa timing: remaining key lifetime (kB/sec): (3914930/24743)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection : 10.31.2.30
Index : 3 IP Addr : 10.31.2.30
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 71301 Bytes Rx : 305820
Login Time : 11:59:24 UTC Tue Jan 7 2014
Duration : 1h:07m:54s
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 3.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 82325 Seconds
D/H Group : 2
Filter Name :
IPv6 Filter :
IPsec:
Tunnel ID : 3.2
Local Addr : 192.168.2.128/255.255.255.192/0/0
Remote Addr : 0.0.0.0/0.0.0.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 24725 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607701 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 71301 Bytes Rx : 306744
Pkts Tx : 1066 Pkts Rx : 3654
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 4086 Seconds
Hold Left (T): 0 Seconds Posture Token:
What should I look for to confirm the L2L state?
Regards
Mahesh
01-07-2014 02:10 PM
Hi Mahesh,
Neither output would show anything if there were no active L2L VPN connections, so the VPN listed by the second command is up.
The first output shows the formed IPsec SAs for the L2L VPN connection, I mean the local/remote network pairs. It also lists the packet counters, which in your situation seem to indicate traffic is flowing in both directions.
The second output lists the same kind of information but also some additional information that the other command doesn't list.
So it seems to me that your VPN is up and working. If there are some problems they are probably related to some other configurations on the ASAs.
Are you using Easy VPN or something, because it says that the remote address is 0.0.0.0/0? Or does your Crypto ACL have the destination as "any"? In other words, have you configured the other ASA to tunnel all traffic through the L2L VPN?
- Jouni
01-07-2014 02:22 PM
Hi Jouni,
The config I gave you was from the 5505.
The other end is the 5520.
We are not using Easy VPN.
When you say
Or does your Crypto ACL have the destination as "any"? In other words, have you configured the other ASA to tunnel all traffic through the L2L VPN?
How can I check this on the 5520 ASA? Any command?
Regards
Mahesh
01-07-2014 02:26 PM
Hi,
You can use the command
show run crypto map
to list the configurations.
Next you will have to find the line
crypto map
Then you will have to check that ACL's contents with either
show access-list
show run access-list
- Jouni
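As an added example (not code from the thread or from Cisco), the following script does the lookup Jouni describes on the text of show run crypto map and show run access-list: it finds the crypto map entry whose set peer line names the far-end address, reads the ACL bound by match address, and reports whether any permit ACE in it has destination any. The sample config is constructed for the example: only the crypto map name, the ACL name, its first ACE and the peer 10.31.2.30 come from the thread, and the second entry, second peer and transform-set name are invented to show peer selection.

```python
"""Resolve which crypto ACL an ASA crypto map binds to an L2L peer and whether
that ACL tunnels everything.  Added example, not from the thread or from Cisco;
it reads the text of `show run crypto map` and `show run access-list`.
"""
import re

# Constructed sample config.  Entry 1 reuses the names visible in the thread
# (COMMC_Traffic_Crypto, XC_Traffic, peer 10.31.2.30); entry 2, the second
# peer and the transform-set name are invented to show peer selection.
SAMPLE_CONFIG = """\
crypto map COMMC_Traffic_Crypto 1 match address XC_Traffic
crypto map COMMC_Traffic_Crypto 1 set peer 10.31.2.30
crypto map COMMC_Traffic_Crypto 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map COMMC_Traffic_Crypto 2 match address SITE2_Traffic
crypto map COMMC_Traffic_Crypto 2 set peer 10.31.2.31
crypto map COMMC_Traffic_Crypto 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map COMMC_Traffic_Crypto interface outside
access-list XC_Traffic extended permit ip 192.168.2.128 255.255.255.192 any
access-list SITE2_Traffic extended permit ip 192.168.3.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list SITE2_Traffic extended permit tcp host 192.168.3.10 eq 22 10.20.0.0 255.255.0.0
"""

_MAP = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (.+)$")
_ACE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) (.+)$")
_PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}   # tokens to skip


def _addr(tokens, i):
    """Consume one ASA address term at tokens[i]: any/any4, host A, A MASK,
    or object[-group] NAME.  Returns ((addr, mask_or_None), next_index)."""
    t = tokens[i]
    if t in ("any", "any4", "any6"):
        return (t, None), i + 1
    if t == "host":
        return (tokens[i + 1], "255.255.255.255"), i + 2
    if t in ("object", "object-group"):
        return ("%s %s" % (t, tokens[i + 1]), None), i + 2
    return (t, tokens[i + 1]), i + 2


def crypto_map_entries(config):
    """{(map_name, seq): {"acl": name_or_None, "peers": [ip, ...]}}"""
    entries = {}
    for line in config.splitlines():
        m = _MAP.match(line.strip())
        if not m:
            continue
        e = entries.setdefault((m.group(1), int(m.group(2))), {"acl": None, "peers": []})
        if m.group(3) == "match address":
            e["acl"] = m.group(4).strip()
        else:
            e["peers"] += m.group(4).split()    # 'set peer' may list backup peers
    return entries


def acl_aces(config, acl):
    """[(action, protocol, (src, mask), (dst, mask))] for the named ACL."""
    aces = []
    for line in config.splitlines():
        m = _ACE.match(line.strip())
        if not m or m.group(1) != acl:
            continue
        tokens = m.group(4).split()
        src, i = _addr(tokens, 0)
        if i < len(tokens) and tokens[i] in _PORT_OPS:   # skip a source-port operator
            i += _PORT_OPS[tokens[i]]
        if i >= len(tokens):
            continue
        dst, _ = _addr(tokens, i)
        aces.append((m.group(2), m.group(3), src, dst))
    return aces


def peer_tunnel_scope(config, peer):
    """What the crypto map tunnels to `peer`, or None if no entry names it.
    any_destination answers the thread's question: is the ACL destination 'any'?"""
    for (name, seq), e in sorted(crypto_map_entries(config).items()):
        if peer not in e["peers"]:
            continue
        aces = acl_aces(config, e["acl"]) if e["acl"] else []
        any_dst = any(act == "permit" and dst[0].startswith("any")
                      for act, _, _, dst in aces)
        return {"map": name, "seq": seq, "acl": e["acl"],
                "aces": aces, "any_destination": any_dst}
    return None


if __name__ == "__main__":
    print(peer_tunnel_scope(SAMPLE_CONFIG, "10.31.2.30"))
```

On the 5520 the same script, fed that box's show run crypto map and show run access-list, tells you which ACL governs the tunnel back to 10.31.2.19 and whether it mirrors the 5505's ACL; a local/remote pair that is not a mirror image of the far side's remote/local pair is the usual reason a phase 2 SA never forms.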
01-07-2014 02:49 PM
Hi Jouni,
Will check and update you.
Regards
Mahesh