New VPN Tunnel not coming up

Furry411 (Level 1)

I have set up a new tunnel between two firewalls, both of them 5510s. I used the GUI, set the peers, created the crypto maps in reverse order, set the preshared key, and isakmp and ipsec are set. I enabled the tunnel on the outside interface, but I am not getting any type of love between the two when I try pinging the interfaces. They both respond, but there is zero attempt to bring up the tunnel in the debug logs or the show crypto isakmp.

It has been a long while since I have tried to build a firewall from the ground up and establish a new VPN tunnel on them. What are some things I should be looking for, maybe a no-NAT rule here? The networks are both internal, so I know it's not going to be a split tunneling issue. Any guidance here would be wonderful!!

Cheers

3 Replies

Please share the output of debug crypto isa 127. Also, do you have routes to send the VPN traffic out of the outside interface (or a default route)?

Have you configured crypto ACLs on both sides (mirrored)?

Here are a few documents that I suggest you check; they give you the approach to troubleshoot a site-to-site VPN:

Basic L2L configuration - Platform Independent Approach
https://supportforums.cisco.com/document/105381/basic-l2l-configuration-platform-independent-approach

Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html


Regards
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
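The three checks in the reply above (mirrored crypto ACLs, a route toward the peer, and a NAT exemption so the dynamic NAT does not rewrite tunnel traffic) can be read straight off an ASA configuration. The fragment below is an added example written for this thread, not configuration from either poster; it assumes ASA 8.3 or later NAT syntax, the constructed subnets 192.168.10.0/24 (this side) and 192.168.20.0/24 (remote side), a hypothetical crypto map name outside_map, and a placeholder peer address. Side B carries the same statements with source and destination swapped.

```text
! --- Site A (this ASA); site B mirrors this with LOCAL/REMOTE swapped ---

! Objects for the two protected networks (constructed sample subnets)
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.20.0 255.255.255.0

! NAT exemption (identity twice NAT). Twice NAT is evaluated before
! object NAT, so this wins over a "nat (inside,outside) dynamic" rule
! and the tunnel sees the real inside addresses.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup

! Crypto ACL: defines "interesting" traffic. The peer's ACL must be the
! exact mirror (192.168.20.0/24 -> 192.168.10.0/24) or phase 2 fails.
access-list VPN-TO-SITEB extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

! Crypto map entry tied to that ACL and the peer (placeholder address)
crypto map outside_map 10 match address VPN-TO-SITEB
crypto map outside_map 10 set peer PEER-B-PUBLIC-IP
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map interface outside

! A route that sends the remote subnet (or everything) out "outside";
! without it the ASA never tries to initiate the tunnel.
route outside 0.0.0.0 0.0.0.0 NEXT-HOP-PLACEHOLDER 1

! Verification: trace a packet from LAN to LAN and confirm the
! NAT phase shows the identity rule and the VPN phase is "ALLOW".
packet-tracer input inside icmp 192.168.10.5 8 0 192.168.20.5
show nat
show crypto ikev1 sa
show crypto ipsec sa
```

The packet-tracer line is the quickest single check: if the NAT phase reports the dynamic rule instead of the identity rule, the exemption is missing or ordered wrongly; if it reaches the VPN phase and the crypto map matches, the remaining problem is on the peer or the path between the two outside interfaces.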

From the firewall I was working on last night, it is trying to pull up phase 1 at least

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

So right now I think the issue is the second firewall, and I have noticed the NATing is at least part of the issue. It still seems some funny stuff is going on on the second firewall, but I hope cleaning up the NATing might resolve the other issues. Trying to clean up the existing NAT statements, I have this first off that needs to be removed, but the ASA is not liking it when I try:

nat (inside,outside) dynamic x.x.x.x

and

nat (Hostnet,outside) dynamic interface

Every time I try to remove it I get this:

no nat (inside,outside) dynamic x.x.x.x

ERROR: % Invalid input detected at '^' marker.

no nat (Hostnet,outside) dynamic interface

ERROR: % Invalid input detected at '^' marker.

Any clue how to remove these NATs?

Once I remove this, hopefully the no-NAT will work, and then I can look deeper with a cleaner picture.
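On ASA 8.3 and later, a line of the form "nat (inside,outside) dynamic x.x.x.x" is object NAT: it lives under an "object network" definition, so "no nat ..." is only accepted from inside that object's configuration mode, which is why it is rejected at the global prompt. The session below is an added example written for this thread, not the poster's configuration; the object names OBJ-INSIDE and OBJ-HOSTNET and the address x.x.x.x are placeholders, and the real names come from "show running-config nat" on the affected ASA.

```text
! 1. Find which object carries each NAT statement.
!    Output (shape only, constructed) looks like:
!      object network OBJ-INSIDE
!       nat (inside,outside) dynamic x.x.x.x
!      object network OBJ-HOSTNET
!       nat (Hostnet,outside) dynamic interface
show running-config nat

! 2. Enter that object's mode and remove the NAT line there.
!    The "no" form must repeat the statement exactly as shown.
configure terminal
object network OBJ-INSIDE
 no nat (inside,outside) dynamic x.x.x.x
object network OBJ-HOSTNET
 no nat (Hostnet,outside) dynamic interface
exit

! 3. Confirm nothing dynamic remains that would rewrite the
!    VPN-bound traffic, then clear stale translations.
show nat
show running-config nat
clear xlate
```

"clear configure nat" would remove every NAT rule at once, which is faster but also drops any rules you wanted to keep, so the per-object removal above is the safer cleanup before adding the identity (no-NAT) rule for the tunnel.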