
ASA 5505 Site to Site VPN

imranraheel
Level 1

I have implemented a site-to-site VPN using an ASA 5505, but when I submit the command "sh crypto ipsec sa" it shows "There are no ipsec sas".

I have attached the configurations.

1 Accepted Solution

Accepted Solutions

Hi there,

I saw your NAT entry "nat (inside) 2 access-list limenat". Would you change it to "nat (inside) 0 access-list limenat"? See if that makes any difference.

Would you take some packet capture while pinging the remote IP Address?

access-list cap permit host (Local Subnet) host (Remote Subnet)

access-list cap permit host (Remote Subnet) host (Local Subnet)

cap cap access-list cap in inside

show cap cap

Now you can see the capture access-list

debug crypto isakmp 200

debug crypto ipsec 200
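
An added example, not part of the original post and not Cisco code: a small offline check for the condition this answer points at, where the tunnel's interesting traffic is matched by a NAT rule with a non-zero ID instead of the NAT-exemption form "nat (inside) 0 access-list". It assumes pre-8.3 ASA syntax; the config text, the ACL vpn_acl and the crypto map name are constructed, and flows are compared as exact strings rather than by subnet containment.

```python
import re

# Constructed sample in pre-8.3 ASA syntax; ACL vpn_acl, the crypto map name
# and all addresses are made up. Only "nat (inside) 2 access-list limenat"
# comes from the thread.
SAMPLE = """\
access-list limenat extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list vpn_acl extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
nat (inside) 2 access-list limenat
crypto map outside_map 10 match address vpn_acl
"""

ACE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")
NAT = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
CMAP = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def audit(config):
    """List crypto-map flows that no 'nat (if) 0 access-list' rule exempts."""
    aces, nats, cmaps = {}, [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ACE.match(line):
            aces.setdefault(m[1], set()).add(" ".join(m[2].split()))
        elif m := NAT.match(line):
            nats.append((m[1], int(m[2]), m[3]))
        elif m := CMAP.match(line):
            cmaps.append((m[1], m[2], m[3]))
    exempt = set()
    for _, nat_id, acl in nats:
        if nat_id == 0:
            exempt |= aces.get(acl, set())
    findings = []
    for name, seq, acl in cmaps:
        for flow in sorted(aces.get(acl, set()) - exempt):
            # Non-zero NAT rules whose ACL contains this exact flow.
            hits = [f"nat ({i}) {n} access-list {a}"
                    for i, n, a in nats if n != 0 and flow in aces.get(a, set())]
            findings.append({"crypto_map": f"{name} {seq}", "flow": flow,
                             "translated_by": hits})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```
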


3 Replies

abhishek.shah
Level 1

Hi there,

Your configuration looks good to me. As you have a failover scenario, can you check which firewall you are on right now? By typing show failover you can see.

Your console connection should be on the active firewall, because if you are not on the active firewall it shows no isakmp sa.

Are you able to see show isakmp sa?

Hope that helps,

Abhi;

Thanks for the quick response. I am on the primary ASA and the configs look good to me as well, but it still shows no SA, which is strange.

Any other suggestions?

Thanks
