Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3000
Views
0
Helpful
18
Replies

Routing issue - site to site

Go to solution
Mohd Khairul Nizam
Level 4
Level 4

‎09-24-2011 09:56 PM - edited ‎03-04-2019 01:43 PM

Dear all,

Based on diagram attach, how do i route the Staff PC to access the Server.

Currently the Staff can only ping up to the outside interface of ASA site A( 60.a.a.54)

What is the command to route the Staff (192.168.5.33) to Server (192.168.0.150).

Labels:
Preview file
53 KB
0 Helpful
18 Replies 18

Go to solution
Mohd Khairul Nizam
Level 4
Level 4
In response to IcebergTitanic

‎09-29-2011 06:30 AM

i'll try tomorrow and update the result

0 Helpful

Go to solution
Mohd Khairul Nizam
Level 4
Level 4
In response to Mohd Khairul Nizam

‎09-29-2011 07:20 PM

Dear all,

I get this, can help me out guys.

kewpie-MLK-ASA# sh cry isakmp sa

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 218.111.42.233

    Type    : user            Role    : initiator

    Rekey   : no              State   : MM_WAIT_MSG2

kewpie-MLK-ASA# debug crypto isakmp 1

kewpie-MLK-ASA# Mar 13 22:52:43 [IKEv1]: IP = 218.111.42.233, Removing peer from peer table failed, no match!

Mar 13 22:52:43 [IKEv1]: IP = 218.111.42.233, Error: Unable to remove PeerTblEntry

0 Helpful

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni
In response to Mohd Khairul Nizam

‎09-30-2011 04:04 AM

Hi,


There are 6 Main Mode messages. Each message has a specific purpose. The status state of MM_WAIT_MSG2 could mean:

1. you are using Main Mode
2. You are waiting
3. You are waiting on Message 2 of Main mode

Message 1 is used to send your phase 1 proposals. Message 2 is sent by the remote end accepting the SA.

So the question is "Why is my ASA waiting on MSG 2?"

This could be for several reasons.
1. Maybe your packet is being dropped somewhere
2. Maybe there is a problem in the path causing the drop (High BW Utilization, bad circuit etc...)
3. The remote device believes it does not have to renogotiate or the SA is stuck for some reason

What you could try is configuring dead peer detection. This would allow the ASA to detect if the peer is gone, tear down the tunnel and allow for the new SA to be established when the peer is available.

The command below should help:

isakmp keepalive xxx

Place this on both devices then clear the isakmp SAs on both ends.


Please rate the helpful posts.
Regards,
Naidu.

0 Helpful

Go to solution
Mohd Khairul Nizam
Level 4
Level 4
In response to Latchum Naidu

‎10-01-2011 07:38 AM

Hi, thanks all for the reply

I managed to get the VPN tunnel up via the ASA 5510.

Dear Lacthum Naidu,

U are correct, the 887 router block the traffic and i need to reconfigure the ACL on the 887 as below,

access-list 101 deny   esp host 60.51.196.54 host 218.111.42.234

access-list 101 deny   udp host 60.51.196.54 eq isakmp host 218.111.42.234 eq isakmp

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card