cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2566
Views
0
Helpful
14
Replies

Phase1 is not coming up , it doesnt show anything.

srikanth ath
Level 4
Level 4

Phase 1 is not comming up.

We have cisco ASA 5520 and peer end Watchgurad device.

I have verified the parameters of Phase1 it is same at both the ends and  Peer IP configured correctly.

But sh crypto isakmp sa detail | in <peer-ip> , doesnt show anything

Pinging to peer IP is responding.

Dont know how to troubleshoot  this further. I have arround 20 tunnels configured at my end and every L2L tunnel is working fine. This is in production and i cannot use debug command on my firewall.

Kindly, help me experts on how to troubleshoot this your inouts are very much valuable here.

Thank you

14 Replies 14

rfalconer.sffcu
Level 3
Level 3

Can you run debugs on the Watchguard? Without a debug from one end or the other, it will be hard to tell what's wrong.

watchguard is a remote peer device and i hav no control on that device .couldnt perform

Hi,

Perform a capture on the ASA  and analyse with wireshark on a machine.

also post the tunnel config as well as the NAT config and sh route output.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

How to perform the capture of L2L VPN's .. in Cisco ASA. can you please advise it will be helpfull to me.

Thanks,

Hi,

you must see if the isakmp phase 1 has got some problems so you  can do capture on the interface where crypto map is enabled with an ACL  permitting udp port 500(isakmp) and copy /pcap capture: tftp://x.x.x.x  where x.x.x.x is a machine with wireshark installed and a tftpserver.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

There are about 50 L2L tunnels up and running on the same device. If i have to capture how could i differentiate ok i may search out with the peer IP. I think thats too mess.

How can i prove this that the phase 1 Isakmp sa's are sent to the peer IP without capturing and debuggin. can i see anything live happening with the command or gui mode . As f i prove that,  then i could say peer is not responding or something happening at their end.

I have tried sh crypto isakmp sa

cleared the phase1 and phase 2 for the tunnel.

by clear crypto ipsec sa peer <>

    clear crypto isakmp sa

By the above command i dont see any output .

Kindly, help me . your inputs are much valuable to me.

Thanks

Have you done a traceroute to the remote network to see what hops it takes? Is it missing the crypto ACL on the ASA?

If the ASA is even attempting phase 1, you'll see something when you do the sh crypto command. If you initiate traffic to the remote side, then run the sh command immediately, you should see mm_wait or something like that. If there is no attempt, the crypto ACL might be incorrect or not applied.

You can watch the logs through ASDM and search for traffic on that particular peer address.

I have performed the traceroute and its reaching destination within 10 hops.

Packet-tracer shows it is passing the Nat0 and Crypto ACL at VPN it drops.

when I perform sh crypto isakmp sa detail | in , the output is blank nothing it shows up. Here is where i stuck up coulndt perform the debug command and nothing on my side and i dont have any previlege on other side peer device.

Kindly, Provide me the inputs as i have to see whethere the Phase1 parameters are actually sent to peer IP.

I meant a traceroute from your private network to the remote side to see if it passed the firewall without hitting the encryption.

Can you ask someone at the other side if they can check for the Phase 1 info, whoever the person is that manages the other firewall?

Also, did you check the ASDM logs and filter for just that peer?

Exhanged the phase1 and 2 poilcies, Crypto acl , pre shared key and everything matches and looks good.

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

I have tried to capture packets to peer IP, below is the output. I have tried to capture the same with acl for another peer IP tunnel and i could see some traffic.

From ASDM i dont know how to check this, can you help me if you can.

capture sn88 access-list sn8 interface ouTSIDE

access-list sn8 line 1 extended permit tcp host 174.46.X.X any (hitcnt=0) 0x295dbc33

MGRDFW1# sh capture sn88

0 packet captured

0 packet shown

MGRDFW1# sh crypto isakmp sa | beg 174.46.X.X

MGRDFW1#

MGRDFW1#

Packet-tracer on the firewall, traceroute is moving out of the firewall encryption and going to internet. Nat 0 is happening too.

Dont know how could i troubleshoot this further ..

thank you experts. waiting for your valuable inputs.


Packet-tracer on the firewall, traceroute is moving out of the firewall encryption and going to internet. Nat 0 is happening too.


Is this traceroute from a private host to a private host on the other side of the tunnel?

On ASDM, go to Monitoring-Logging-Real Time Log Viewer and enter the remote peer in the filter and then do your testing.

Have you created a vpn filter for the debug log on the asa, it must report something when trying to establish the tunnel.

Can you ping the peer and vice versa.

Jon

Sent from Cisco Technical Support iPhone App

Please rate as helpful, if that would be the case. Thanx

Hello All thank you for all the helpful inputs to me.

This has got solved. as I have added a new Crytp Map entry rather than existing Crypto map on the firewall.

I have used crypto map-outside rather than crypto map 11 . Once i changed the crypto map . the tunnel is up and i see the  traffic flowing through it.

once again thank you.

Thanks.

srikanth ath
Level 4
Level 4

Hello All thank you for all the helpful inputs to me.

This has got solved. as I have added a new Crytp Map entry rather than existing Crypto map on the firewall.

I have used crypto map-outside rather than crypto map 11 . Once i changed the crypto map . the tunnel is up and i see the traffic flowing through it.

once again thank you.

Thanks.