ASA 5510s not Initiating Site to Site VPN

danielcarley
Level 1

Hi All

I am having a bit of an issue.

I have 2 sets of ASA 5510 firewalls with the SSM-10 module (failover) and I have them all set up, but I am having issues setting up the site-to-site VPN I am trying to configure, to make sure it works and for testing before installing them at 2 different sites.

Currently I cannot get the VPN to establish a connection between the 2 firewalls. I have done many different things, from a direct connection between the 2 sets of firewalls over a switch, to changing IPs, etc.

I cannot see any attempt to connect the VPN between the 2 sets of firewalls. I am running continuous pings from devices connected to the switch on both ends of the VPN and they are constantly failing.

Nothing is showing in the logs of each firewall, and show crypto isakmp sa shows no active IKEv1 or IKEv2 connections. I have tried connecting them up to a switch and setting up a session monitor to get a Wireshark capture of what is going on, but all I see is no communication between the 2 firewalls; they can ping each other. But any ping attempt from one of the laptops on each end looks like it is being forwarded out the OUTSIDE interface, not over the VPN, thus initiating the VPN tunnel.

I am having zero luck. I have licenses and I have been able to get a client AnyConnect VPN set up on one set of firewalls.

Any help will be much appreciated.

See attached config files (I have removed some information from the configuration, but nothing related to the VPN).

1 Reply

Joel
Level 1

May need to go over it again, but the VPN looks OK. I have had this issue before when testing and needed a default route on the outside interface, or routes for the specific blocks on the outside. I know the VPN endpoints in your example are in the same subnet, but the blocks you wish to tunnel over the VPN are obviously not, and are therefore technically on the outside interface even though they will get encapsulated/tunneled. The order of operations is that the ASA will do a route lookup early on, before VPN, and if no route exists it will drop the packet. This sounds odd, as you're not planning to route the interesting traffic directly out the outside interface, but until the VPN/encryption process encapsulates this traffic it has no idea what to do with the packet.

Joel
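As an added illustration of the fix Joel describes (example ASA CLI written for this thread, not the poster's attached configuration): the route lookup picks an egress interface before the crypto map on that interface is consulted, so a LAN-to-LAN packet with no matching route is dropped before IKE is ever triggered. Every address below is a constructed placeholder (site A outside 203.0.113.10/24 with the lab peer at 203.0.113.20, local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24), and the ACL and crypto map names are assumptions; the IKE policy, transform set and tunnel-group are assumed to already exist.

```cisco
! Added example for this thread, not the poster's config.
! Site A ASA: outside 203.0.113.10/24, peer ASA outside 203.0.113.20,
! local LAN 192.168.10.0/24 behind "inside", remote LAN 192.168.20.0/24.
! All addresses and the ACL/crypto map names are constructed placeholders.

! The crypto ACL defines the interesting traffic. It is only evaluated on the
! interface the route lookup has already chosen.
access-list VPN-TO-SITE-B extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE-B
crypto map OUTSIDE-MAP 10 set peer 203.0.113.20
crypto map OUTSIDE-MAP interface outside

! BEFORE THE FIX: with only the two connected routes (203.0.113.0/24 on
! outside, 192.168.10.0/24 on inside), a packet from 192.168.10.5 to
! 192.168.20.5 resolves to no interface and is dropped with a no-route
! reason. No IKE packet ever leaves the box, which matches the empty
! "show crypto isakmp sa" and the silent Wireshark capture in the post.
! Confirm with:
!   show route
!   packet-tracer input inside icmp 192.168.10.5 8 0 192.168.20.5

! THE FIX, option 1: a default route out the outside interface, as in a
! production deployment where the ISP gateway is the next hop.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! THE FIX, option 2 (lab, both ASAs on one outside segment): a static route
! for just the remote LAN, pointing at the peer's own outside address.
route outside 192.168.20.0 255.255.255.0 203.0.113.20 1

! Use one or the other. Either way the packet now resolves to "outside",
! matches crypto map entry 10 there, and the ASA initiates IKE.
! Mirror the same on the site B ASA with a route for 192.168.10.0/24.

! VERIFY: re-run packet-tracer and expect the VPN phase to allow the packet
! instead of dropping it; then start the continuous ping and check that
! security associations appear:
!   packet-tracer input inside icmp 192.168.10.5 8 0 192.168.20.5
!   show crypto isakmp sa
!   show crypto ipsec sa peer 203.0.113.20
```

The packet-tracer check is the quickest way to tell the two cases apart: a no-route drop means the route table is the problem, whereas a drop that only appears in a later phase points at the crypto ACL, NAT or the tunnel-group instead.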