Site to site VPN not working

hussaini786
Level 1

I have two ASA 5506-X at two different sites and the site-to-site VPN is not working.

I can ping the outside interface of both ASAs from each other.

When I do show crypto isakmp sa, nothing is in there.

How do I troubleshoot?


10 Replies

Francesco Molino
VIP Alumni
Hi

You can start with a debug ikev1.
Can you share your config and output for show crypto ikev1 sa + show crypto ipsec sa?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

When I run debug crypto ikev1, nothing appears on the SSH session, even though I have terminal monitor enabled.

Can you run a packet-tracer on ASA 1 with the following command:
packet-tracer input inside icmp 10.106.55.2 8 0 10.106.57.8

Please share the output.

Try also debug crypto isakmp.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, attached are the files with the command output you requested

It looks like you are hitting a dynamic NAT which is taking preference over your NONAT, so nothing is hitting your crypto config. NAT happens before encryption, so in your case the traffic is never "interesting".
What is the output from show nat?
The order of your NAT statements is important. Ensure your NAT exemption for VPN traffic is first.
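The ordering effect described above, modelled in Python as an added example (not from the thread or from Cisco): NAT is applied before the crypto map lookup, so the first matching NAT rule decides whether the source address still matches the crypto ACL. The LAN subnets are taken from the packet-tracer command in the thread; the outside address 203.0.113.1 and the rule set are assumed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class NatRule:
    """One manual (twice) NAT rule, in the order 'show nat' lists them."""
    real_src: str              # real source network the rule matches
    real_dst: str              # real destination network ("0.0.0.0/0" = any)
    mapped_src: Optional[str]  # None = identity NAT, i.e. the NONAT / exemption rule

def _hit(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net)

def apply_nat(rules: List[NatRule], src: str, dst: str) -> str:
    """First matching rule wins, as on the ASA; returns the post-NAT source."""
    for rule in rules:
        if _hit(rule.real_src, src) and _hit(rule.real_dst, dst):
            return src if rule.mapped_src is None else rule.mapped_src
    return src  # no rule matched: address unchanged

def is_interesting(rules: List[NatRule], crypto_acl: List[Tuple[str, str]],
                   src: str, dst: str) -> bool:
    """NAT runs before the crypto map lookup, so the crypto ACL sees the
    translated source. Only a match here makes the ASA start IKE."""
    nat_src = apply_nat(rules, src, dst)
    return any(_hit(s, nat_src) and _hit(d, dst) for s, d in crypto_acl)

# Constructed topology: ASA1 LAN 10.106.55.0/24, remote LAN 10.106.57.0/24,
# ASA1 outside address 203.0.113.1 (assumed; the thread does not give it).
PAT = NatRule("10.106.55.0/24", "0.0.0.0/0", "203.0.113.1")   # dynamic PAT to outside
NONAT = NatRule("10.106.55.0/24", "10.106.57.0/24", None)      # VPN exemption
CRYPTO_ACL = [("10.106.55.0/24", "10.106.57.0/24")]

BROKEN_ORDER = [PAT, NONAT]   # exemption listed after the PAT rule (the thread's problem)
FIXED_ORDER = [NONAT, PAT]    # exemption moved to position 1 (the fix)

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(name, apply_nat(rules, "10.106.55.2", "10.106.57.8"),
              is_interesting(rules, CRYPTO_ACL, "10.106.55.2", "10.106.57.8"))
```

With the broken order the packet leaves as 203.0.113.1 and never matches the crypto ACL; with the fixed order it keeps 10.106.55.2 and is encrypted, while Internet-bound traffic is still PATed. On a real ASA, packet-tracer remains the authoritative check.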

Thanks a lot Grant, it's working now.

It's strange that the NAT order was preventing Phase 1 from initiating or coming up.

After running the packet-tracer command, packet-tracer input inside icmp 10.106.55.2 8 0 10.106.57.8, as you mentioned it was going through PAT first.

Changed the NAT statement to number 1, and then Phase 1 and Phase 2 started working on ASA1.

Then I had to do the same on ASA2, as the other side was not able to access the resources.

After changing the NONAT site-to-site statements, both sides are now able to access the resources and the site-to-site tunnel is up.

Thanks a lot, and I appreciate all of you guys.

Great Hussaini, glad you got it all working now.

Then you need to check your NAT/routing/ACLs. It seems that you aren't hitting the crypto maps and traffic is dropped before reaching the VPN phase.

Run debug crypto isa to see where it is failing.