
VPN site-to-site UP, but not traffic

marcio.tormente
Level 4

Dear friends,

I made a site-to-site VPN using 02 ASA 5555 in each site running Software Version 9.2(4).

The VPN is UP, as shown below:

ASA-SSP-Pri(config)# sh isak sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
268373031 201.23.100.130/500 200.174.36.19/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/272 sec
Child sa: local selector 10.69.0.0/0 - 10.69.0.255/65535
remote selector 10.12.20.0/0 - 10.12.20.255/65535
ESP spi in/out: 0xf89430e6/0x86a5cd8f

But when I try to ping from one site to another, it is not possible; the result of the ping is "????"

I did some research about this problem and many people say that the crypto isakmp nat-traversal 20 command is missing, but this command is already enabled.

NAT exempt is enabled, and I also tested with it disabled.
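Added example, not code from the thread or from Cisco: a small Python checker that parses the IKEv2 child SA selectors and ESP SPIs from the "sh isak sa" output quoted above (the sample below is a constructed copy of that output), reports whether a given ping source and destination actually fall inside the negotiated selectors, and flags any SPI that shows up in more than one child SA, which is the stale/duplicate SA condition this thread ends up clearing.

```python
import ipaddress
import re

# Constructed sample: the IKEv2 SA block as printed by "show isakmp sa" in the post.
SAMPLE = """\
Tunnel-id Local Remote Status Role
268373031 201.23.100.130/500 200.174.36.19/500 READY RESPONDER
Child sa: local selector 10.69.0.0/0 - 10.69.0.255/65535
remote selector 10.12.20.0/0 - 10.12.20.255/65535
ESP spi in/out: 0xf89430e6/0x86a5cd8f
"""

# "addr/port - addr/port": the number after the slash is a port, not a prefix length.
SELECTOR = re.compile(r"(local|remote) selector (\S+)/\d+ - (\S+)/\d+")
SPI = re.compile(r"ESP spi in/out: (0x[0-9a-f]+)/(0x[0-9a-f]+)")

def parse_child_sas(text):
    """Return one dict per child SA: local/remote (first, last) address ranges and SPIs."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = SELECTOR.search(line)
        if m:
            side, lo, hi = m.groups()
            cur[side] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            continue
        m = SPI.search(line)
        if m:  # the SPI line closes a child SA block
            cur["spi_in"], cur["spi_out"] = m.groups()
            sas.append(cur)
            cur = {}
    return sas

def in_range(addr, rng):
    a = ipaddress.ip_address(addr)
    return rng[0] <= a <= rng[1]

def covered_by(sas, src, dst):
    """True if some child SA's selectors include src->dst, i.e. the tunnel would carry it."""
    return any(in_range(src, sa["local"]) and in_range(dst, sa["remote"]) for sa in sas)

def duplicate_spis(sas):
    """SPIs that appear in more than one child SA (stale SA left in the table)."""
    seen, dups = set(), set()
    for sa in sas:
        for spi in (sa["spi_in"], sa["spi_out"]):
            (dups if spi in seen else seen).add(spi)
    return dups
```

A host-to-host pair that falls outside the selectors never enters the tunnel, so checking it first separates a crypto ACL mismatch from the SA-table problem the thread resolves.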

18 Replies

Hello,

The only other thing I would think of is that there is a duplicate SPI in the asp table, and that is why the traffic is not encrypted. Everything else looks correct. Run the following command on the ASA:

clear crypto ipsec sa inactive

test again 

It is partially working. I put a machine behind each FW. From the FW I can ping the other FW and the machine, but from the machine I can ping only the local FW; the remote FW and machine I can't ping.

Diego,

Thank you very much, now everything is working.

Thanks

Marcio

You're welcome, and thanks for the rating; it is very much appreciated.
