We have an L2L tunnel configured between two Cisco ASA 5585Xs, and could use some help interpreting the output of "show crypto isakmp."
The tunnel had some problems last week -- "hanging" and not passing traffic. A coworker captured "show crypto isakmp" while the tunnel was trying to come back up after a clear.
What could cause the peer to appear more than once? And why does it appear as both initiator and responder?
13  IKE Peer: X.X.X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
14  IKE Peer: X.X.X.X
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
15  IKE Peer: X.X.X.X
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
Then when it went MM_ACTIVE a few minutes later, it decided that one of the "responder" SAs won.
Also, why does it start out as Type "user"? Ultimately it settles on "L2L":
8   IKE Peer: X.X.X.X
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
This final output appears healthy, but are the captured states normal / expected? It got stuck there in MM_WAIT states for a while.
Lacking the explicit keyword "initiate-only" in both sides' configs, who is initiator and who is responder? The configs are identical on both sides except for IP addresses.
Unfortunately, it appears the tunnels were in state MM_ACTIVE when they stopped passing traffic, so that's another mystery (we didn't capture encaps/decaps stats on the phase 2 SAs).
Configs (identical both sides):
Site A (where the "show crypto isakmp" capture was taken):
crypto map MY-CRYPTO-MAP 1 match address OUTSIDE_cryptomap
crypto map MY-CRYPTO-MAP 1 set pfs
crypto map MY-CRYPTO-MAP 1 set peer X.X.X.X
crypto map MY-CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MY-CRYPTO-MAP 1 set nat-t-disable
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
 vpn-tunnel-protocol ikev1
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
 default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
Site EUR:
crypto map MY-CRYPTO-MAP 1 match address OUTSIDE_cryptomap
crypto map MY-CRYPTO-MAP 1 set pfs
crypto map MY-CRYPTO-MAP 1 set peer Y.Y.Y.Y
crypto map MY-CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MY-CRYPTO-MAP 1 set nat-t-disable
group-policy GroupPolicy_Y.Y.Y.Y internal
group-policy GroupPolicy_Y.Y.Y.Y attributes
 vpn-tunnel-protocol ikev1
tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y general-attributes
 default-group-policy GroupPolicy_Y.Y.Y.Y
tunnel-group Y.Y.Y.Y ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
Thanks for any help, pointers, insights!
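The records quoted in the question (several phase-1 SAs for one peer, in both initiator and responder roles, all sitting in MM_WAIT states) are exactly the pattern worth checking for automatically when a tunnel is "hanging". The script below is an added example, not part of the original post and not Cisco tooling: it parses the "IKE Peer / Type / Role / Rekey / State" records of "show crypto isakmp sa" and reports, per peer, how many phase-1 SAs exist, which roles appear, whether any SA reached MM_ACTIVE, and which SAs are stuck waiting for a main-mode message. A responder-role SA only exists once a peer's first message has been received, and an initiator-role SA only once this side has sent its own first message, so seeing both roles for the same peer means both ends started a negotiation. The sample output and the peer addresses (documentation-range placeholders) are constructed for the example; the exact record layout assumed is the one shown in the sample.

```python
"""Triage helper for ASA 'show crypto isakmp sa' output (added example).

Assumptions (not from the original post): records follow the three-line
layout in SAMPLE_OUTPUT below, and 203.0.113.10 / 198.51.100.7 are
constructed placeholder peers.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the records quoted in the question.
SAMPLE_OUTPUT = """\
IKEv1 SAs:

13  IKE Peer: 203.0.113.10
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
14  IKE Peer: 203.0.113.10
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
15  IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

_PEER_RE = re.compile(r"^\s*(?P<idx>\d+)\s+IKE Peer:\s*(?P<peer>\S+)")
_TYPE_RE = re.compile(r"Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)")
_STATE_RE = re.compile(r"Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)")

# IKEv1 main mode is a six-message exchange: the initiator waits for
# messages 2, 4 and 6, the responder for 3 and 5; MM_ACTIVE means phase 1
# completed.
WAIT_STATES_BY_ROLE = {
    "initiator": {"MM_WAIT_MSG2", "MM_WAIT_MSG4", "MM_WAIT_MSG6"},
    "responder": {"MM_WAIT_MSG3", "MM_WAIT_MSG5"},
}


def parse_isakmp_sa(text):
    """Return one dict per IKE SA record found in the command output."""
    entries, current = [], None
    for line in text.splitlines():
        m = _PEER_RE.match(line)
        if m:
            current = {"index": int(m["idx"]), "peer": m["peer"]}
            entries.append(current)
            continue
        if current is None:          # header lines before the first record
            continue
        m = _TYPE_RE.search(line)
        if m:
            current["type"], current["role"] = m["type"], m["role"]
            continue
        m = _STATE_RE.search(line)
        if m:
            current["rekey"], current["state"] = m["rekey"], m["state"]
    return entries


def triage(entries):
    """Group SAs by peer and flag patterns that warrant a closer look."""
    by_peer = defaultdict(list)
    for e in entries:
        by_peer[e["peer"]].append(e)
    findings = {}
    for peer, sas in by_peer.items():
        roles = {e["role"] for e in sas}
        f = {
            "sa_count": len(sas),
            "roles": sorted(roles),
            "active": any(e["state"] == "MM_ACTIVE" for e in sas),
            "stuck": [e["index"] for e in sas if e["state"].startswith("MM_WAIT_")],
            "flags": [],
        }
        # More than one phase-1 SA is normal only briefly, during a rekey.
        if len(sas) > 1 and not any(e.get("rekey") == "yes" for e in sas):
            f["flags"].append("multiple phase-1 SAs for one peer without a rekey in progress")
        if roles == {"initiator", "responder"}:
            f["flags"].append("both roles present: both ends have started a negotiation")
        for e in sas:
            expected = WAIT_STATES_BY_ROLE.get(e["role"], set())
            if e["state"].startswith("MM_WAIT_") and e["state"] not in expected:
                f["flags"].append(f"SA {e['index']}: state {e['state']} is not a {e['role']} wait state")
        if not f["active"] and f["stuck"]:
            f["flags"].append("no MM_ACTIVE SA: phase 1 has not completed")
        findings[peer] = f
    return findings


if __name__ == "__main__":
    for peer, f in triage(parse_isakmp_sa(SAMPLE_OUTPUT)).items():
        print(f"{peer}: {f['sa_count']} SA(s), roles {f['roles']}, active={f['active']}")
        for flag in f["flags"]:
            print("  -", flag)
```

Run it against a pasted capture taken a minute or two apart and the per-peer summary shows whether the duplicate SAs are clearing (one MM_ACTIVE survivor, as in the question) or whether the peer keeps accumulating MM_WAIT entries, which is the case to escalate. The state check is deliberately role-aware so a responder SA reporting an initiator wait state, or vice versa, stands out.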