02-03-2016 04:18 AM
Dear friends,
I made a site-to-site VPN using 02 ASA 5555, one in each site, running Software Version 9.2(4).
The VPN is UP, as shown below:
ASA-SSP-Pri(config)# sh isak sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
268373031 201.23.100.130/500 200.174.36.19/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/272 sec
Child sa: local selector 10.69.0.0/0 - 10.69.0.255/65535
remote selector 10.12.20.0/0 - 10.12.20.255/65535
ESP spi in/out: 0xf89430e6/0x86a5cd8f
But when I try to ping from one site to another, it is not possible; the result of the ping is "????"
I did some research about this problem and many people say that the crypto isakmp nat-traversal 20 command is missing, but this command is already enabled.
NAT Exempt is enabled, and I ran tests with it disabled as well.
02-03-2016 09:58 AM
Hello,
The only last thing I would think of is that there is a duplicate SPI in the ASP table and that is why the traffic is not encrypted. Everything looks correct. Run the following command on the ASA:
clear crypto ipsec sa inactive
Test again.
02-03-2016 10:12 AM
It is partially working. I put a machine behind each FW; from the FW I can ping the other FW and the machine, but from the machine I can ping only the local FW. The remote FW and machine I can't ping.
02-03-2016 10:30 AM
Diego,
Thank you very much, now everything is working.
Thanks
Marcio
02-03-2016 11:05 AM
You're welcome, and thanks for rating; it is very much appreciated.