Cannot establish a Site-to-Site VPN connection

apasat
Level 1

Hello there,

I got the following trouble: I have to establish a new policy-based S2S IKEv2 tunnel with another company, with which we already have one working VPN. When we set up our equipment (I have an FPR with Cisco ASA, and they have a Cisco ISR 3900), the channel is not working, and what is much stranger, we both don't have any logs with some requests to establish an IKEv2/IPsec connection, just ZERO. It's just so strange, it should work, but we have zero requests to each other, although we already have one channel. For understanding, on my side the equipment and the peer IP are changing, and they don't have any changes, it is the same IP and the same ISR 3900.

Do you have any thoughts on why we don't see each other in any logs?


7 Replies

@apasat With a Policy Based VPN the VPN is only established once interesting traffic is generated, so you will need to attempt communication to/from IP addresses defined in the crypto ACL.

Another common issue is NAT, you would need to define a NAT exemption rule to ensure traffic is not unintentionally translated.

If you need further assistance please provide your configuration and more detailed information.

>>so you will need to attempt communication to/from IP addresses defined in the crypto ACL.

I know that, and I tried, but the problem is that even the 1st phase is not working. And I see 0 logs about some requests from the other side, and they are seeing the same 0 logs.

The problem is not in NAT or the crypto map, but it's something on the network level, but I can't understand what. If the problem was in some ACL or NAT I would see some logging about the 1st phase or some requests, and I have nothing.

@apasat a packet is natted prior to being encrypted and routed out the egress interface. So if the packet is unintentionally translated, it would not match the interesting traffic defined in the crypto ACL, the IKE and IPSec SAs would not be established and you'd not have anything in your ike/ipsec debug logs.

Run packet-tracer twice to simulate the flow, this will indicate where the problem lies. Provide the output if you want further assistance.
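The order of operations Rob describes (NAT first, crypto ACL match second) is what makes a wrong NAT rule produce silence rather than an IKE error. The following Python model is an added example, not code from the thread or from Cisco; all addresses are constructed, and it assumes ASA-style "first matching manual NAT rule wins" ordering.

```python
"""Model of the ASA packet path that decides whether a policy-based VPN
is ever triggered: NAT is applied first, then the translated packet is
checked against the crypto ACL.  All addresses below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    real_src: Net            # original (pre-NAT) source network
    dst: Net                 # destinations this rule applies to
    mapped_src: Optional[Net]  # None = identity NAT (NAT exemption)


def apply_nat(src: IPv4, dst: IPv4, rules: List[NatRule]) -> IPv4:
    """First matching rule wins (assumed ASA section-1 ordering)."""
    for r in rules:
        if src in r.real_src and dst in r.dst:
            if r.mapped_src is None:
                return src                       # exemption keeps the real IP
            return r.mapped_src.network_address  # e.g. interface PAT address
    return src


def matches_crypto_acl(src: IPv4, dst: IPv4, acl: List[Tuple[Net, Net]]) -> bool:
    return any(src in s and dst in d for s, d in acl)


def ike_would_start(src: str, dst: str, rules: List[NatRule],
                    acl: List[Tuple[Net, Net]]) -> bool:
    """True only if the POST-NAT packet is 'interesting traffic'.
    False means no IKE_SA_INIT is ever sent, hence nothing in the logs."""
    s, d = IPv4(src), IPv4(dst)
    return matches_crypto_acl(apply_nat(s, d, rules), d, acl)


# Constructed lab topology (hypothetical, not from the thread).
LAN = Net("10.1.1.0/24")             # local site behind the ASA
REMOTE = Net("192.168.100.0/25")     # partner network
OUTSIDE_PAT = Net("203.0.113.10/32")  # ASA outside interface address
CRYPTO_ACL = [(LAN, REMOTE)]

pat_rule = NatRule(LAN, Net("0.0.0.0/0"), OUTSIDE_PAT)  # dynamic PAT to Internet
exempt_rule = NatRule(LAN, REMOTE, None)                # NAT exemption for the VPN

NO_EXEMPT = [pat_rule]                 # PAT hits first: tunnel never triggers
EXEMPT_FIRST = [exempt_rule, pat_rule]  # correct: exemption precedes PAT
EXEMPT_LAST = [pat_rule, exempt_rule]   # exemption is shadowed: still broken
```

Running a flow through each rule set reproduces the "zero logs" symptom: only the set with the exemption ahead of the PAT rule yields interesting traffic.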

Yes, the problem was in the NAT rules, and it's so strange.

What it was exactly: I had created about 10 rules, where each of my LAN IPs was addressing the other side's /25 network. Only when I modified 1 single rule, where I natted one host not to the entire subnet but to only 1 single IP on the other side, did the channel come up. After this, as an experiment, I deleted all the rules and created a single one where my host was addressing the entire subnet, and it's still working. I don't know what that is, it seems like some bug on the ASA, but if I create rules where my hosts are addressing the exact hosts on the other side (not the subnet itself), the tunnel is working. If I want to translate packets to the subnet, it's down.

In the end, just create rules with the destination as a host, not a subnet, and it's OK.

Thank you for the advice, @Rob Ingram !!!

Already have one working VPN??
Maybe your router has a conflict between the two VPNs.
Can you share the config?

Yes, we already have one, but it is working on another router on my side, and the same router on their side. We also tried just changing our peer IP address on their ISR in the current channel, with the same IKEv2/IPsec settings, but got no result. The same 0 logs about connection attempts.

"Yes, we already have one, but it is working on another router on my side, and the same router on their side."
Then the issue is in the other side's router.
You configured a policy-based VPN.
Is the ACL the same as the one for the existing IPsec VPN on the other side? This makes the other side's router use the already established VPN instead of establishing a new one.
Check this point with them.
The ACL must be different for each VPN.