Cisco ASA 5505 IPSEC VPN to fortigate firewall going up and down
We have a site-to-site VPN between our Cisco ASA 5505 firewall and the customer's FortiGate firewall. Both firewalls have two internet links. Below are the scenarios where the IPsec VPN is working:
Our ISP1 to Customer ISP1
Our ISP1 to Customer ISP2
Below are the scenarios where the VPN is not working and it is going up and down:
Our ISP2 to Customer ISP1
Our ISP2 to Customer ISP2
In the non-working scenario, when we run debug, we get a weird message:
20:14:27 [IKEv1]IP = 38.X.165.1XX, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:14:27 [IKEv1]NAT-T disabled in crypto map <amzn_vpn_map> 3.
Sep 06 20:14:35 [IKEv1]IP = 38.X.165.1XX IKE Initiator: New Phase 1, Intf inside, IKE Peer 38.X.165.1XX local Proxy Address 172.31.67.128, remote Proxy Address 172.30.66.0, Crypto map (<amzn_vpn_map>)
Sep 06 20:14:35 [IKEv1 DEBUG]Group = 38.X.165.1XX, IP = 38.X.165.1XX, IKE SA MM:83be0062 rcv'd Terminate: state MM_ACTIVE flags 0x00010042, refcnt 1, tuncnt 35
Sep 06 20:14:35 [IKEv1 DEBUG]IP = 38.X.165.1XX, constructing ISAKMP SA payload
When we were testing ISP2 on our end, we put ISP1 (outside) physically down. We are still not clear why we are getting this message. I think the VPN is going up and down because of this error. Please advise why we are getting this error and how to fix it.
I will not be able to share the complete config of the ASA due to security reasons. Let me know if you are looking for any specific part of the config. The ASA IOS version is 9.0(1). Regarding object tracking, you are talking about SLA monitoring, right? Yes, we have SLA monitoring configured for the ISP1 default route.
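As an added example (not from the post or from Cisco), here is a small Python parser that scans ASA IKEv1 log lines for the interface-mismatch teardown quoted above and counts how many times phase 1 was restarted per peer, which is a quick way to quantify the flapping before changing the dual-ISP routing or crypto map setup. The log sample is constructed to mirror the post's output, and the peer address 198.51.100.10 is a documentation placeholder.

```python
import re
from collections import Counter

# Constructed sample ASA IKEv1 syslog lines modelled on the debug output quoted
# in the post; 198.51.100.10 is a documentation placeholder, not a real peer.
SAMPLE_LOG = """\
Sep 06 20:14:27 [IKEv1]IP = 198.51.100.10, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:14:27 [IKEv1]NAT-T disabled in crypto map <amzn_vpn_map> 3.
Sep 06 20:14:35 [IKEv1]IP = 198.51.100.10 IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.10 local Proxy Address 172.31.67.128, remote Proxy Address 172.30.66.0, Crypto map (<amzn_vpn_map>)
Sep 06 20:15:02 [IKEv1]IP = 198.51.100.10, Attempting to establish a phase2 tunnel on outside interface but phase1 tunnel is on ISP2 interface. Tearing down old phase1 tunnel due to a potential routing change.
Sep 06 20:15:10 [IKEv1]IP = 198.51.100.10 IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.10 local Proxy Address 172.31.67.128, remote Proxy Address 172.30.66.0, Crypto map (<amzn_vpn_map>)
"""

TS = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
# Phase 1 SA lives on one interface while phase 2 is attempted on another.
MISMATCH_RE = re.compile(
    TS + r"\[IKEv1\]IP = (?P<peer>[\d.]+), Attempting to establish a phase2 "
    r"tunnel on (?P<p2_if>\S+) interface but phase1 tunnel is on (?P<p1_if>\S+) interface\."
)
# Each of these following a teardown is one more flap of the tunnel.
NEW_P1_RE = re.compile(
    TS + r"\[IKEv1\]IP = (?P<peer>[\d.]+) IKE Initiator: New Phase 1, Intf (?P<intf>\S+),"
)

def parse_ike_events(log_text):
    """Collect (peer, ts, phase1_if, phase2_if) teardowns and phase 1 restarts per peer."""
    teardowns, restarts = [], Counter()
    for line in log_text.splitlines():
        m = MISMATCH_RE.match(line)
        if m:
            teardowns.append((m["peer"], m["ts"], m["p1_if"], m["p2_if"]))
            continue
        m = NEW_P1_RE.match(line)
        if m:
            restarts[m["peer"]] += 1
    return teardowns, restarts

def summarize_flaps(log_text):
    """One finding per peer: number of mismatch teardowns, the (phase1, phase2)
    interface pairs seen, and how many times phase 1 had to be restarted."""
    teardowns, restarts = parse_ike_events(log_text)
    findings = []
    for peer in sorted({t[0] for t in teardowns}):
        pairs = sorted({(t[2], t[3]) for t in teardowns if t[0] == peer})
        findings.append({"peer": peer, "teardowns": sum(t[0] == peer for t in teardowns),
                         "interface_pairs": pairs, "phase1_restarts": restarts[peer]})
    return findings
```

A peer that shows a non-empty interface_pairs list with a rising teardown count is the one whose crypto map or routing sends IKE and ESP out of different interfaces.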