Hello. First, I'm not an expert. I mostly use ASDM for config, although I know the basics of the CLI.
We have a site-to-site IKEv1/IPsec tunnel from our HQ to a satellite office. HQ is a 5510 running 8.2(5) and the peer is an ASA running 9.1(7)16. Only one of three peered subnets is connecting, out of four. A second one is trying as of a few minutes ago, but no communication. IKEv1 completes, and one (now two) IPsec tunnel is negotiating...and that's about it. HQ Tx is talking, but Peer Rx/Tx is not responding. The second one has 0/0 on both sides. I've included sh crypto isakmp and ipsec output as a file.
I understand this is a negotiation problem, but I'm not familiar enough with troubleshooting techniques to find where the problem is. I've checked tunnel group settings, connection profiles, protected subnets, and group policies, and they all seem to match. I can supply the output if someone gives me the command on the CLI to produce that information; I'm sure the problem is buried somewhere in the details.
A couple of other items: We have an AVPN that we use for all user traffic. The site to site is only for backups, as they are a huge volume and would overwhelm our AVPN. So, in our core router, there are filtered routes. We lost the AVPN last week, and I have been trying to get our SLAs working. So that's one variable.
The other variable(s) is our NATting. I'm discovering more information in the sh run than ASDM provides. There are tons of old objects, rules, profiles, etc. no longer in use that aren't in the GUI. Now I know why people use the CLI. I notice the same object is appearing in different NAT rules...and there are lots of duplicate objects, some by IP, some by different names. So my other question is: can the same IP, under different names, be associated with conflicting rules (access-list, NAT, whatever)?
We have 3 site-to-site tunnels, one of which is obsolete and I want to delete, but management says not until the contract has expired; that one keeps going up and down. I'm also not clear on how NATting should work for site-to-site. Should protected traffic be excluded? On the 5510 it would not allow me to make a NAT exclusion. I vaguely recall that on 8.2 there are limitations about associating more than one crypto map to an interface. All of them use OUTSIDE.
Finally, I am trying to get our AnyConnect clients to talk to the satellite office. Currently anyone using AnyConnect to HQ's VPN cannot reach any of the subnets in the satellite office. The satellite's VPN used to be local to them, but I wanted to have everyone use HQ's connection and allow them access to the satellite. The reason is, we're moving everything to a datacenter next year, and that's the way it's going to end up anyway.
I'm sure screwing around with all this the last week broke something. I just need a little direction in isolating where the problem(s) may reside. I'm seeing a lot of old clutter in the HQ ASA config that may be causing conflicts...the satellite ASAs are pretty clean as they're newer. Sorry for being longwinded and not giving much detail. I can provide whatever info is needed...except passwords obviously.
That was a bad joke.
TIA!
Do NAT objects have different behavior for the same IP? i.e. could they conflict?
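The post asks whether the same IP defined under several object names can end up in conflicting NAT rules, and notes that the duplicates only show up in the `sh run` output. The script below is an added example (not from the original poster or from Cisco) that walks a saved `show running-config` dump and reports (a) every address that is defined under more than one name and (b) every object that is referenced by more than one `nat` statement, which are the two things worth eyeballing before touching the crypto config. It understands the pre-8.3 `name <ip> <NAME>` alias form used on the 8.2(5) HQ box and the 8.3+ `object network` / `host` / `subnet` form used on the 9.1 peer. The config excerpt embedded in it is constructed for illustration and deliberately mixes both syntaxes so each parser branch runs; addresses are compared as literal strings, so a `name` alias for a host and a `subnet` object covering it are not treated as the same thing.

```python
"""Spot duplicate network objects and multiply-NATed objects in an ASA config dump.

Added example, not code from the original post. Handles two spellings:
  pre-8.3:  name 10.10.5.20 BACKUP-SRV
  8.3+:     object network BACKUP-SRV-OBJ / host 10.10.5.20 / subnet A M
Run it as:  python asa_dupes.py < running-config.txt   (or with no stdin to use the sample)
"""
import re
import sys
from collections import defaultdict

# Constructed sample config: NOT a real customer config, just enough lines to
# exercise the alias form, the object form, twice NAT and object NAT.
SAMPLE_CONFIG = """\
names
name 10.10.5.20 BACKUP-SRV
name 10.10.5.20 BackupServer
object network BACKUP-SRV-OBJ
 host 10.10.5.20
object network SAT-NET
 subnet 10.20.0.0 255.255.0.0
object network HQ-NET
 subnet 10.10.0.0 255.255.0.0
nat (inside,outside) source static HQ-NET HQ-NET destination static SAT-NET SAT-NET no-proxy-arp route-lookup
nat (inside,outside) source static BACKUP-SRV-OBJ BACKUP-SRV-OBJ destination static SAT-NET SAT-NET
object network BACKUP-SRV-OBJ
 nat (inside,outside) dynamic interface
"""

NAME_RE = re.compile(r"^name (\S+) (\S+)")        # pre-8.3 alias: name <ip> <NAME>
OBJ_RE = re.compile(r"^object network (\S+)")     # 8.3+ object header
HOST_RE = re.compile(r"^ host (\S+)")
SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)")


def parse_objects(config):
    """Map every object name / name alias to the address string it stands for."""
    objects = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):        # any unindented line ends the current object body
            current = None
        m = NAME_RE.match(line)
        if m:
            objects[m.group(2)] = m.group(1)
            continue
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        m = HOST_RE.match(line)
        if m:
            objects[current] = m.group(1)
        m = SUBNET_RE.match(line)
        if m:
            objects[current] = f"{m.group(1)}/{m.group(2)}"
    return objects


def find_duplicate_addresses(objects):
    """Addresses defined under more than one name (the ASDM-invisible clutter)."""
    by_addr = defaultdict(list)
    for name, addr in objects.items():
        by_addr[addr].append(name)
    return {addr: sorted(names) for addr, names in by_addr.items() if len(names) > 1}


def find_nat_references(config, objects):
    """Objects mentioned by more than one nat statement, with the statements themselves.

    An indented 'nat' under 'object network X' is object NAT and belongs to X even
    though X does not appear as a token on that line.
    """
    refs = defaultdict(list)
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None
        m = OBJ_RE.match(line)
        if m:
            current = m.group(1)
            continue
        stripped = line.strip()
        if not stripped.startswith("nat "):
            continue
        mentioned = {tok for tok in stripped.split() if tok in objects}
        if current is not None:
            mentioned.add(current)
        for name in mentioned:
            refs[name].append(stripped)
    return {name: rules for name, rules in refs.items() if len(rules) > 1}


def report(config):
    """Return both findings; used by main() and directly testable."""
    objects = parse_objects(config)
    return find_duplicate_addresses(objects), find_nat_references(config, objects)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    dupes, multi = report(text)
    for addr, names in dupes.items():
        print(f"{addr} is defined as: {', '.join(names)}")
    for name, rules in multi.items():
        print(f"{name} appears in {len(rules)} nat statements:")
        for rule in rules:
            print(f"   {rule}")
```

On the sample, the script flags 10.10.5.20 as defined three times (two old-style aliases plus an object) and shows BACKUP-SRV-OBJ carrying both a twice-NAT identity rule toward SAT-NET and a dynamic object NAT, which is exactly the situation to check ordering on: on 8.3+ the section 1 twice-NAT line wins for VPN-bound traffic as long as it precedes the object NAT, and on 8.2 the equivalent is the `nat (inside) 0 access-list` exemption.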