07-28-2023 01:48 PM
I have a VPN connection between two Cisco ASA 5512s that failed. I restored an older backup with ASDM but the VPN is still down. What can I do to restore the VPN? Thank you.
07-28-2023 03:29 PM
When I restored, why can't identity certificates be ticked?
07-28-2023 03:37 PM
I can access both ASAs. I used the clear crypto command and got the same result: MM_WAIT_MSG2.
07-28-2023 03:40 PM
07-29-2023 04:40 AM
Sorry, but I see IKEv2 in the log?
Can you share the config of both ASAs?
Thanks
MHM
07-29-2023 05:02 AM
One Cisco has 120 VPNs, and it is difficult for me to hide confidential data. The other Cisco has only one VPN, and I can send you the configuration.
07-29-2023 05:12 AM
I understand
Share only the ASA S2S VPN IKEv1 config of both ASAs.
07-29-2023 05:27 AM
Sorry, I deleted some information.
07-29-2023 05:35 AM
Sorry. The second configuration has 84 pages and it is difficult to select the configuration just for one VPN.
07-30-2023 03:36 AM
Thanks for your time.
07-30-2023 05:42 AM
debug crypto ikev1 127
debug crypto ipsec 127
Share this if you can.
Thanks
MHM
07-30-2023 10:44 PM
Jul 31 08:43:06 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:14 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:22 [IKEv1 DEBUG]IP = 192.168.0.31, IKE MM Initiator FSM error history (struct &0x00007fff9e5d9c40) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 31 08:43:22 [IKEv1 DEBUG]IP = 192.168.0.31, IKE SA MM:7aee13b6 terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 31 08:43:22 [IKEv1 DEBUG]IP = 192.168.0.31, sending delete/delete with reason message
Jul 31 08:43:28 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 31 08:43:28 [IKEv1]IP = 192.168.0.31, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 192.168.0.31 local Proxy Address 192.168.9.80, remote Proxy Address 192.168.4.0, Crypto map (WAN_map)
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing ISAKMP SA payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 02 payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 03 payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver RFC payload
Jul 31 08:43:28 [IKEv1 DEBUG]IP = 192.168.0.31, constructing Fragmentation VID + extended capabilities payload
Jul 31 08:43:28 [IKEv1]IP = 192.168.0.31, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:36 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:44 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:43:52 [IKEv1]IP = 192.168.0.31, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.168.0.31, IKE MM Initiator FSM error history (struct &0x00007fff9e5d9c40) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.168.0.31, IKE SA MM:72419d5f terminating: flags 0x01000022, refcnt 0, tuncnt 0
Jul 31 08:44:00 [IKEv1 DEBUG]IP = 192.168.0.31, sending delete/delete with reason message
Jul 31 08:44:05 [IKEv1 DEBUG]Pitcher: received a key acquire message, spi 0x0
Jul 31 08:44:05 [IKEv1]IP = 192.168.0.31, IKE Initiator: New Phase 1, Intf LAN, IKE Peer 192.168.0.31 local Proxy Address 192.168.9.80, remote Proxy Address 192.168.4.0, Crypto map (WAN_map)
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing ISAKMP SA payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 02 payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver 03 payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing NAT-Traversal VID ver RFC payload
Jul 31 08:44:05 [IKEv1 DEBUG]IP = 192.168.0.31, constructing Fragmentation VID + extended capabilities payload
Jul 31 08:44:05 [IKEv1]IP = 192.168.0.31, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 324
07-30-2023 10:46 PM
gw-ab13dec# debug crypto ipsec 127
gw-ab13dec# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=27110, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=31688, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4809, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.83, sport=31488, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=47833, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=47833, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=1495, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=1495, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=47833, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=1495, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.83, sport=31488, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.81, sport=65535, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=4084, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.83, sport=31488, daddr=192.168.4.5, dport=31488
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=43236, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=23496, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=17, saddr=192.168.9.84, sport=23496, daddr=192.168.4.17, dport=13568
IPSEC(crypto_map_check)-3: Checking crypto map WAN_map 1: matched.