
ASA VPN not coming up

phildoyle1
Level 1

Hi, I have an ASA 5505 (8.4.2) that terminates a site-to-site VPN to another site. I want to add a 2nd VPN to this device. I have configured all the relevant settings but the VPN refuses to come up. It is like the crypto map is not working, as it does not even attempt to start phase 1 of the connection. The config (with internal data removed) is:

 

object network India_LAN
 subnet 10.17.0.0 255.255.0.0
 description Created during name migration
object network Whiteley_The_Belfry
 subnet 10.21.0.0 255.255.0.0


crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer <remote pub address>
crypto map outside_map0 2 set ikev1 transform-set ESP-3DES-SHA

access-list outside_cryptomap_1 extended permit ip object India_LAN object Whiteley_The_Belfry

nat (inside,outside) source static India_LAN India_LAN destination static Whiteley_The_Belfry Whiteley_The_Belfry no-proxy-arp route-lookup


tunnel-group <remote pub address> type ipsec-l2l
tunnel-group <remote pub address> general-attributes
 default-group-policy GroupPolicy2
tunnel-group <remote pub address> ipsec-attributes
 ikev1 pre-shared-key <pre shared key>

group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-tunnel-protocol ikev1

 

Any ideas? When I debug crypto I do not see an attempt to even create the VPN.

 

Phil

 

4 Replies

rvarelac
Level 7

Hi phildoyle1

 

Try to run a packet-tracer similar to the one below with the crypto debugs enabled to gather more information about the issue.

 

packet-tracer input inside icmp 10.17.0.5 8 0 10.21.0.5 detail

 

Hope it helps 

-Randy-

Hi, yes I have run packet traces with debugging on and it does not even attempt to create phase 1 of the VPN. It looks like it is trying to go out of the outside port using the default route to the internet instead of triggering the crypto map to bring the VPN up.

I cannot provide any results till Wednesday when I can get back on the device.

johnlloyd_13
Level 9

Hi,

Can you ping the remote public IP from the 5505 (and vice versa)?

Hi, yes I can ping between the public addresses.