Re: VPN IPSEC site-to-site stop working ( There are no IPSEC SAs ) - Cisco Community

1038

Views

0

Helpful

5

Replies

Hi,

I have configured an IPSEC VPN site-to-site betwwen two ASA 5506 and were working well for months but yesterday i realize that the tunnel is down, i did not change any configuration, i restart both devices but tunnel is still not working and when i try # sh crypto ipsec sa or # sh crypto ikev1 sa , the answer is " There are no IPSEC SAs" or "There are no Ikev1 SAs" . What could be happing ?.

5 Replies 5

Check the both the side configuration phase 1 and phase 2 configuration.

Enable debug and check the logs.

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the response! , how can we do that? , could you please write the commands?

show run on both the ASA and check the VPN part of config. make sure Phase1 and Phase2 config matches and also ACL for the interested traffic.

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I have already checked them twice and they are ok , i have not changed any configuration lately ....

Then do you have IP reach-ability between these site.

1. check site to site Iip able to ping.

2. Verify the Config.(any key issue).

3. check show crypt (phase 1 and Phase 2)

4. enable debug and see any logs(which can give you indication what is the issue).

refer below document :

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Learn, share, save

Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.

New here? Get started with these tips. How to use Community New member guide

Log in to Community