IPSEC ISSUE CISCO ASA 5505

yogesh1
Level 1
CISCO ASA 5505 IPSEC CONFIG

Dear Team,

 

I am configuring IPsec on my Cisco ASA 5505, and below is the template.

After configuration, I am unable to see any output from the command sh crypto isakmp sa.

When I check the whole configuration after configuring the crypto isakmp policy 300 below:

Please note:

On the remote side the configuration is still pending and has not been started yet.

 

commands:

crypto isakmp policy 300
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

 

On the CLI it did not give any error, but when I do sh run it is not visible in the sh run output.

I am unable to understand why I cannot see the isakmp policy even after configuring it.

Please find the template below. Also, I did not find any output from sh crypto isakmp sa for the designated peer IP, whereas I am able to see the status of the other IPsec tunnels.

 

TEMPLATE:

 


STEP 3rd
//**
object-group network WH
network-object 10.101.X.X 255.255.XX.XX
**//


STEP 4th
//**

access-list CRYPTO-ASA extended permit ip object-group PMMAF-SA object-group WH                    
**//
 

STEP 5th
//**
access-list CRYPTO_NAT extended permit ip object-group PMMAF-SA object-group WH
**//   


 

STEP 6th
//**
crypto ipsec transform-set WHH esp-3des esp-md5-hmac
**//


STEP 7th
//*
crypto map MAP 300 match address CRYPTO-ASA
crypto map MAP 300 set peer 165.XX.XX.XX
crypto map MAP 300 set transform-set WHH
crypto map MAP 300 set security-association lifetime seconds 28800
crypto map MAP 300 set security-association lifetime kilobytes 4608000
**//




STEP 1ST

//**
 
crypto isakmp policy 300
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
**//


STEP 2nd

//**
isakmp keepalive threshold 15 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group 165.XX.XX.XX type ipsec-l2l
tunnel-group 165.XX.XX.XX ipsec-attributes
 pre-shared-key *****
**//

 

 

 

13 Replies

Hello,

 

on the ASA, configure 'crypto ikev1 policy 300'. Do you have ikev1 enabled on the outside interface (crypto ikev1 enable outside) ? 

If I am understanding the original post correctly the configuration has been done on the ASA but has not yet been done on the peer. If that is the case then there would not be any output for show crypto isakmp sa. There will be output only when there has been negotiation.

 

HTH

 

Rick


Dear Richard,

 

Got your point. The configuration is still not done on the other end ASA firewall, but also in the running config I am unable to find the below config that I have done on the CLI.

When I do sh run I am unable to find the below commands that I have already configured, and I did not get any error.

 

 

crypto isakmp policy 300
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

 

Hello,

 

what if you enter:

 

crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

Dear Richard,

 

The configuration is done on the other end also, but I am still not getting any output from sh crypto isakmp sa, and on the other end firewall we are not getting any output from sh crypto isakmp sa either.

Can you please suggest any command to check the logs on this?

In re-reading this discussion I notice this in the original post

access-list CRYPTO_NAT extended permit ip object-group PMMAF-SA object-group WH

These are the same objects used in the crypto ACL, and it looks like you are translating the traffic that you are sending through the VPN. That is pretty unusual and I wonder if you really meant to do this.

 

It might help us to understand the issue if you would post the config from your ASA. For troubleshooting what is going on I would suggest these steps:

- be sure that logging is enabled and working, especially logging monitor

- debug crypto isakmp 100

- attempt to bring up the vpn

- post any output that you receive

 

HTH

 

Rick

 


Dear  Richard ,

 

I have called it CRYPTO_NAT because of the NAT below. Can you please let me know how to enable the log and disable the log so that the firewall will not go into a hang state?

 

nat (inside) 0 access-list CRYPTO_NAT

Dear Richard,

 

Also, I am still unable to see the below:


crypto isakmp policy 300
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

Also, please let me know whether this is some bug on my ASA. Please find the sh ver output below.

PMMZA-ASA5505#
PMMZA-ASA5505# SH VER
PMMZA-ASA5505# SH VERsion

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

PMMZA-ASA5505 up 119 days 22 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

 0: Int: Internal-Data0/0    : address is f4cf.e213.a50f, irq 11
 1: Ext: Ethernet0/0         : address is f4cf.e213.a507, irq 255
 2: Ext: Ethernet0/1         : address is f4cf.e213.a508, irq 255
 3: Ext: Ethernet0/2         : address is f4cf.e213.a509, irq 255
 4: Ext: Ethernet0/3         : address is f4cf.e213.a50a, irq 255
 5: Ext: Ethernet0/4         : address is f4cf.e213.a50b, irq 255
 6: Ext: Ethernet0/5         : address is f4cf.e213.a50c, irq 255
 7: Ext: Ethernet0/6         : address is f4cf.e213.a50d, irq 255
 8: Ext: Ethernet0/7         : address is f4cf.e213.a50e, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : Unlimited
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Serial Number: JMX1851Z0NF
Running Activation Key: 0xf43afe60 0xa8931b81 0xec811134 0xa2b4a4d0 0xcf263eb8
Configuration register is 0x1
Configuration last modified by enable_15 at 20:03:32.968 UTC Wed Nov 14 2018
PMMZA-ASA5505#
PMMZA-ASA5505#
PMMZA-ASA5505#
PMMZA-ASA5505#

PMMZA-ASA5505#
PMMZA-ASA5505# SH INVE
PMMZA-ASA5505# SH INVEntory
Name: "Chassis", DESCR: "ASA 5505 Adaptive Security Appliance"
PID: ASA5505           , VID: V13     ,

 

Also, please let me know: there is an earlier crypto isakmp policy 100 configured, so my question is whether multiple tunnels can use a single phase 1 policy like crypto isakmp policy 100.

crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400

Realizing that you are running 8.2(5) which uses the nat0 approach to address translation does explain the ACL that I questioned. I was thinking in terms of more recent versions which use a different approach to configuring nat. So that entry would be correct.

 

I am not sure why you are not seeing the isakmp policy 300. Yes it is possible for multiple vpn tunnels to use a single isakmp policy 100.

 

HTH

 

Rick

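The points raised in this thread (an ISAKMP policy that is not in the running config, whether ISAKMP is enabled on the outside interface, and the 8.2-style `nat (inside) 0` exemption ACL mirroring the crypto ACL) are the usual reasons a LAN-to-LAN tunnel on an ASA never negotiates. The following script is an added example, not code from this thread or from Cisco: it parses `show running-config` text and reports every reference a crypto map entry makes that the configuration does not satisfy. The sample config is constructed from the poster's template; the peer address 198.51.100.1 and the `crypto map MAP interface outside` binding are assumptions, and `crypto isakmp enable outside` is deliberately left out so the check reports it.

```python
"""Consistency check for an ASA 8.2-style LAN-to-LAN IPsec configuration.

Added example, not code from the thread or from Cisco. Given `show running-config`
text, it checks that an ISAKMP policy exists, that ISAKMP is enabled on the crypto
map's interface, and that each crypto map entry resolves to an existing crypto ACL,
transform set, and ipsec-l2l tunnel-group with a pre-shared key, with a 'nat 0'
exemption ACL mirroring the crypto ACL (the 8.2 NAT-exemption style from the thread).
SAMPLE_RUN is constructed from the thread's template; 198.51.100.1 is a placeholder peer.
"""

SAMPLE_RUN = """\
access-list CRYPTO-ASA extended permit ip object-group PMMAF-SA object-group WH
access-list CRYPTO_NAT extended permit ip object-group PMMAF-SA object-group WH
nat (inside) 0 access-list CRYPTO_NAT
crypto ipsec transform-set WHH esp-3des esp-md5-hmac
crypto map MAP 300 match address CRYPTO-ASA
crypto map MAP 300 set peer 198.51.100.1
crypto map MAP 300 set transform-set WHH
crypto map MAP interface outside
crypto isakmp policy 100
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key *****
"""


def parse_run(text):
    """Collect VPN-relevant objects; indented lines belong to the preceding top-level line."""
    cfg = {"acls": {}, "nat0_acls": set(), "transform_sets": set(), "crypto_maps": {},
           "map_interfaces": {}, "isakmp_enabled": set(), "isakmp_policies": {},
           "tunnel_groups": {}}
    parent = [""]  # words of the most recent top-level line
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        if raw[0] in " \t":  # sub-command of the preceding top-level line
            if parent[:3] == ["crypto", "isakmp", "policy"]:
                cfg["isakmp_policies"][int(parent[3])][w[0]] = " ".join(w[1:])
            elif parent[0] == "tunnel-group" and w[0] == "pre-shared-key":
                cfg["tunnel_groups"][parent[1]]["psk"] = True
            continue
        parent = w
        if w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(" ".join(w[2:]))  # ACE without the name
        elif w[0] == "nat" and w[2:4] == ["0", "access-list"]:
            cfg["nat0_acls"].add(w[4])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform_sets"].add(w[3])
        elif w[:2] == ["crypto", "map"] and w[3] == "interface":
            cfg["map_interfaces"][w[2]] = w[4]
        elif w[:2] == ["crypto", "map"]:
            entry = cfg["crypto_maps"].setdefault((w[2], int(w[3])), {})
            if w[4] == "match":
                entry["match"] = w[6]
            elif w[4] == "set" and w[5] in ("peer", "transform-set"):
                entry[w[5]] = w[6]
        elif w[:3] == ["crypto", "isakmp", "enable"]:
            cfg["isakmp_enabled"].add(w[3])
        elif w[:3] == ["crypto", "isakmp", "policy"]:
            cfg["isakmp_policies"][int(w[3])] = {}
        elif w[0] == "tunnel-group":
            tg = cfg["tunnel_groups"].setdefault(w[1], {})
            if w[2] == "type":
                tg["type"] = w[3]
    return cfg


def check(cfg):
    """Return findings as strings; an empty list means every reference resolves."""
    out = []
    if not cfg["isakmp_policies"]:
        out.append("no ISAKMP (phase 1) policy is configured")
    for (name, seq), e in sorted(cfg["crypto_maps"].items()):
        tag = f"crypto map {name} {seq}"
        acl, ts, peer = e.get("match"), e.get("transform-set"), e.get("peer")
        if acl not in cfg["acls"]:
            out.append(f"{tag}: crypto ACL {acl} does not exist")
        elif not any(cfg["acls"].get(n) == cfg["acls"][acl] for n in cfg["nat0_acls"]):
            # 8.2 nat 0 style: the exemption ACL must carry the same ACEs as the crypto ACL
            out.append(f"{tag}: no 'nat (inside) 0' exemption ACL mirrors {acl}")
        if ts not in cfg["transform_sets"]:
            out.append(f"{tag}: transform-set {ts} is not defined")
        tg = cfg["tunnel_groups"].get(peer, {})
        if tg.get("type") != "ipsec-l2l":
            out.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l'")
        elif not tg.get("psk"):
            out.append(f"{tag}: tunnel-group {peer} has no pre-shared-key")
    for name in sorted({n for n, _ in cfg["crypto_maps"]}):
        iface = cfg["map_interfaces"].get(name)
        if iface is None:
            out.append(f"crypto map {name} is not applied to any interface")
        elif iface not in cfg["isakmp_enabled"]:
            out.append(f"ISAKMP is not enabled on {iface} ('crypto isakmp enable {iface}')")
    return out
```

Run against the sample, `check(parse_run(SAMPLE_RUN))` reports only the missing `crypto isakmp enable outside`; removing the `nat (inside) 0` line adds the exemption-ACL finding, and the parsed `isakmp_policies` dict shows at a glance which policy numbers (here 100 but not 300) actually made it into the running config. The parser expects the one-space indentation that `show run` uses for sub-commands, which is why the poster's un-indented template lines would need to be taken from `show run` rather than pasted from the CLI session.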

Dear Richard,

 

Can you please let me know how we can take a complete backup of the firewall, other than sh run, that includes all licenses and certificates?

We can use TFTP for this, but can you just help me with the commands? Also, I am at a remote site, so please suggest accordingly.

 

Thanks,

 

If you want to backup including certificates etc use the backup facility in ASDM. It gives you much more than the copy run command does.

 

HTH

 

Rick


Dear Richard,

 

ASDM is not working properly, so I need to use the CLI for this.

Please suggest on this.

If ASDM is not working properly then you can do much of the backup processing from CLI. For many functions on ASA you can do the same function using ASDM or using CLI. But this is one area where ASDM and CLI do not match up. In ASDM there is one function which backs up multiple things. Using CLI it will take multiple commands, each command backing up one thing.

 

HTH

 

Rick
