3134 Views · 5 Helpful · 12 Replies

Cisco ASAv in AWS Cloud

gjohnson, Level 1

Hey Guys! 

Our organization recently purchased the ASAv and deployed it in our AWS VPC. Our plan is to use it as a Site-to-Site VPN endpoint for our managed service clients. We have it configured with 3 interfaces, each having a private IP address in different /24 subnets - Inside (1.1.1.x), Outside (1.1.2.x), and Management (1.1.0.x). We are able to reach the Management interface via SSH. We have associated an AWS elastic IP address (public IP) with the outside interface so that it can be used as a peer for VPN access. The issue is that we are unable to reach the outside interface via the Elastic IP address. Has anyone else experienced this issue? Any advice would be great!

-Glen

12 Replies

jacobhoegh, Level 1

More than one place to check:

1. Check that you are running an ASA version that supports separate route tables (VRF Lite like routing)

If you do then make sure you have this enabled on the management interface

interface Management0/0
 management-only

This will enable you to have different route tables and default gateways on the ASAv.

2. Make sure you have an AWS route table assigned to Outside; it can be the same as what you have assigned to Management.

Hey,

Just wanted to post an update with the solution. The "show route" command revealed that the gateway of last resort was incorrect. We added the correct gateway route and voila, we could ping. Thanks for your input, jacobhoegh@me.com

-Glen

Hi Team,

I also did a site-to-site VPN in AWS using the ASAv. I was able to bring the tunnel up, but for some reason my "inside" host couldn't ping the ASA public interface; not the actual public IP, but the statically configured IP on the interface. My security groups were fine, so I don't think that was the issue. I was also allowing any/any on the inside and public interface, but still no response. I also added inspect ICMP to the policy map. Has anyone else had this issue? It's so annoying, but I'm sure it's something I quickly passed over. I did forget to check the routes on the actual instance.

Thanks

You cannot ping from one interface/VLAN to any of the firewall's other interface IPs. Is this what you are trying to do?

Hi Glen.

We are running into the same issue. The Cisco ASAv is identifying itself to other VPNs using its internal IP (10.10.0.0/16 network). This is causing confusion for our customers. When we tried to manually set the IP on the outside interface to the elastic IP, no traffic would flow.

Can you confirm that you changed the interface on the ASAv from DHCP to static, and which routes you added to the device to get traffic to flow across that interface?

Thanks

@matt-ph we run into the same situation. Our clients are seeing our Outside private IP address as the remote peer.

Did you solve this issue? If so, could you provide the correct setup or configs to have this running correctly?

Regards

Hello,

What are you trying to set up? A site-to-site VPN in AWS using two ASAvs? Post the configs you have so far...

Hi @Georg Pauwen

Here is the situation: we had an office that was shut down several weeks ago; in this office we had a physical ASA 5510 managing some site-to-site tunnels with customers.

We deployed a Cisco ASAv on AWS with 3 interfaces (mgmt, inside, outside), all of them with source/dest disabled and the outside interface with an AWS EIP assigned (each interface under an independent subnet and route table).

During the migration of one of the mentioned site-to-site tunnels, this particular client was receiving the following log when activity was initiated to wake up the tunnel.

"Peer's ID payload 172.16.253.253 (type ipaddr) does not match a configured IKE gateway" (message from his side)

That address is the private IP address assigned to our "outside" interface, and only when this client added this IP as the remote peer did the tunnel come alive.

After this situation, I used a testing VPC in another region to deploy another ASA and tried to duplicate the issue with no luck, because my second ASAv was receiving messages from the EIP assigned to the outside interface.

So, I'm a little lost here; maybe it's something with this specific client/tunnel, maybe it's a wrong configuration on my side, or maybe it's a completely wrong understanding on my side about using a Cisco ASAv on AWS (thinking out loud, maybe I need to create the tunnels from AWS directly instead of the ASA).

--------------------------------------------------
Interfaces Config
--------------------------------------------------
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 172.16.100.252 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 172.16.253.253 255.255.255.0
!
interface Management0/0
management-only
nameif management
security-level 100
ip address dhcp setroute

Mgmt and outside are under public subnets with a route table pointing to an Internet gateway.

inside is in a private subnet with a NAT gateway.

--------------------------------------------------
Tunnel Config
--------------------------------------------------


yy.yy.yy.yy = local subnet offered
xx.xx.xx.xx = remote subnet
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 172.16.253.253

access-list outside_cryptomap_5 extended permit ip yy.yy.yy.yy 255.255.255.0 xx.xx.xx.xx 255.255.255.0
local ident (addr/mask/prot/port): (yy.yy.yy.yy/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xx.xx.xx.xx/255.255.255.0/0/0)
current_peer: ZZ.ZZ.ZZ.ZZ --> customer public peer
local crypto endpt.: 172.16.253.253/4500, remote crypto endpt.: ZZ.ZZ.ZZ.ZZ/4500 --> customer public peer

So sorry for this long long bible.

---------

Seems that the forum has some error and I've replied the same several times.

 

 

alisha_rascon01, Level 1

As businesses migrate their workloads to Amazon Web Services (AWS), implementing effective security is critical.
