05-23-2011 07:24 AM
I have implemented a site-to-site VPN using an ASA 5505, but when I submit the command
"sh crypto ipsec sa" it shows "There are no ipsec sas".
I have attached the configurations.
05-23-2011 10:24 AM
Hi there,
I saw your NAT entry nat (inside) 2 access-list limenat; would you change it to nat (inside) 0 access-list limenat? See if that makes any difference.
Would you take a packet capture while pinging the remote IP address?
access-list cap permit ip host (Local Subnet) host (Remote Subnet)
access-list cap permit ip host (Remote Subnet) host (Local Subnet)
capture cap access-list cap interface inside
show cap cap
Now you can see the capture access-list.
debug crypto isakmp 200
debug crypto ipsec 200
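An added example, not part of the thread or the poster's attached configuration: a small Python check of the point the reply above raises. With pre-8.3 NAT syntax, nat (inside) 0 access-list exempts matching traffic from translation, while a nonzero id makes it policy NAT. The sample configuration, its addresses, and the names vpn_traffic and outside_map are constructed; only the ACL name limenat comes from the thread.

```python
import re

# Constructed pre-8.3 ASA fragment; not the poster's attached configuration.
# Only the ACL name limenat comes from the thread; every other name is made up.
SAMPLE_CONFIG = """\
access-list limenat extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list vpn_traffic extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 2 access-list limenat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto map outside_map 10 match address vpn_traffic
"""

# Handles "permit ip <src> <dst>" entries where each side is two tokens
# (network + mask, or "host" + address); other ACL forms are ignored.
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
CRYPTO_RE = re.compile(r"^crypto map (\S+) \d+ match address (\S+)$")

def parse(config):
    """Return ({acl: {(src, dst)}}, [(nat_id, acl)], [(crypto_map, acl)])."""
    acls, nats, crypto = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := NAT_RE.match(line):
            nats.append((int(m.group(2)), m.group(3)))
        elif m := CRYPTO_RE.match(line):
            crypto.append((m.group(1), m.group(2)))
    return acls, nats, crypto

def audit_nat_exemption(config):
    """For each flow in a crypto map ACL, report how the NAT rules treat it."""
    acls, nats, crypto = parse(config)
    findings = []
    for cmap, acl in crypto:
        for flow in sorted(acls.get(acl, ())):
            ids = sorted(nid for nid, nacl in nats if flow in acls.get(nacl, ()))
            if 0 in ids:
                status = "exempt (nat 0)"
            elif ids:
                status = "translated (nat %d)" % ids[0]
            else:
                status = "no NAT ACL matches"
            findings.append((cmap, flow, status))
    return findings

if __name__ == "__main__":
    print(*audit_nat_exemption(SAMPLE_CONFIG), sep="\n")
```

Run against the constructed sample, the VPN flow is reported as translated by nat 2; changing that line to nat (inside) 0 access-list limenat makes it report as exempt.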
05-23-2011 08:04 AM
Hi there,
Your configuration looks good to me. As you have a failover scenario, can you check which firewall you are on right now? By typing show failover you can see.
Your console connection should be on the active firewall, because if you are not on the active firewall it shows no isakmp sa.
Are you able to see show isakmp sa?
Hope that helps,
05-23-2011 08:15 AM
Abhi;
Thanks for the quick response. I am on the Primary ASA and the configs look good to me as well, but it still shows no sa, which is strange.
Any other suggestions?
Thanks