804 Views, 8 Helpful, 8 Replies

clear crypto doesn't bring up the tunnel

want2asku
Level 1

Hi,

I'm running an ASA 5515 with a Security Plus license. This ASA connects to multiple branch locations and also acts as our gateway firewall.

One issue happening now is that there is an intermittent connection to one of the branches that causes the tunnel to that branch to go down. When we try to bring the tunnel back up using clear crypto (branch IP), nothing happens. If we use a lower ASA model or the old PIX, we can bring it up using the clear command.

Please take note that the other tunnels are working fine; it is only this one branch.

Please help on how I should troubleshoot this issue.

TQ

8 Replies

Vidyadhar Evani
Level 1

Hi,

Clearing cryptos may not always bring up the tunnel. There could be many reasons why the tunnel is not coming up, including an Internet cloud problem.

1. Check the public IP (head end) to public IP (remote end) connectivity

2. If connectivity is good, then check that the VPN phase I & II parameters match on both sides

3. If the VPN config is good, trigger the traffic using packet-tracer or a host behind the firewall that is in the encryption domain.

Cheers,

Vidy

Please don't forget to rate the post if this information is useful

/Vidya

I am assuming from the original post that the tunnel to this site does sometimes work but sometimes encounters this problem. If that is not correct then please provide clarification.

Assuming that the tunnel does sometimes work then I agree with Vidy that the first step would be to verify that there is connectivity to the address of the remote peer from the ASA.

I believe that 2) as suggested by Vidy is superfluous. If the tunnel does sometimes work, then the phase 1 and phase 2 parameters are matching. If they did not match, then how would the tunnel be sometimes up?

I agree with 3) that just clearing crypto may not be sufficient to bring the tunnel up. Clearing crypto just clears out the current environment and prepares a fresh start. Until there is interesting traffic, the tunnel will not come up. So be sure to do something that will generate interesting traffic for the tunnel.

The original poster is not clear whether there are any log messages at the time of the problem which might shed light on what is causing it. Knowing that would be helpful. Also, at the time of the problem it might be helpful to establish whether ISAKMP is still communicating and functioning to this branch. It might be helpful to run some crypto debugs and see if there are attempts to negotiate, and if so, what the results are.

HTH

Rick


Point 2 is necessary to make sure the VPN configs are untouched while troubleshooting, especially when they are under different admin control. As long as the configs are untouched after the initial working setup, point 2 can be ignored.

Like Rick mentioned, a conditional debug on the non-working peer would reveal more details of the problem.

Cheers,

Vidy

Please don't forget to rate the post if useful!

/Vidya
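The checks Vidy lists above (peer connectivity, phase I/II state, triggering interesting traffic) and the conditional debug that Rick and Vidy both recommend, written out as one ASA CLI sequence for the single problem peer. This is an added example, not a command set posted in the thread. The peer address 203.0.113.10 and the hosts 10.1.1.10 / 10.2.2.10 are constructed placeholders for the branch public IP and for one host in each encryption domain, and the syntax assumes ASA 8.4 or later (IKEv1 keywords), which a 5515 runs.

```cisco
! Step 1 - connectivity from the ASA's outside interface to the remote peer.
! 203.0.113.10 is a constructed placeholder for the branch public IP.
ping outside 203.0.113.10

! Step 2 - phase I and phase II state for this peer only.
! A healthy IKEv1 SA shows MM_ACTIVE; any other state means negotiation is
! stuck, and no ipsec SA for the peer means phase II never completed.
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10

! Step 3 - clear the stale SAs for this peer only, so the other branches'
! tunnels are not torn down along with it.
clear crypto ipsec sa peer 203.0.113.10
clear crypto ikev1 sa 203.0.113.10

! Step 4 - generate interesting traffic from the ASA itself with packet-tracer.
! 10.1.1.10 / 10.2.2.10 are constructed hosts inside the HQ / branch encryption
! domain; the output shows whether the flow matches the crypto map and starts
! a negotiation.
packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10 detailed

! Step 5 - conditional debug limited to the non-working peer, so negotiations
! with the healthy branches do not flood the log while reproducing the problem.
debug crypto condition peer 203.0.113.10
debug crypto ikev1 127
debug crypto ipsec 127
! ... reproduce the problem, then stop debugging and drop the condition.
undebug all
debug crypto condition reset
```

Run steps 1 and 2 before clearing anything: if the peer is unreachable from the outside interface, or the IKEv1 SA is already stuck in a non-active state, that narrows the problem before the clear in step 3 discards the evidence. Step 4 covers Rick's point that clearing alone only prepares a fresh start; without traffic matching the crypto ACL nothing is negotiated.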

Yes, thanks for suggesting that. I'll try to debug when the issue happens.

Hi, thanks for your reply.

During the time the issue happens, the public IP is working; even users at the branch can use the Internet without any issue. I checked phase I & II multiple times and all the parameters are correct and match.

Yes, we did try to initiate interesting traffic when doing the clear crypto.

Q: should the interesting traffic be generated from both ends, or can we start it from one end?

Whether the interesting traffic can be generated from both ends depends on some things in how the VPN is configured. For many site-to-site VPNs the interesting traffic can be generated from either end and the tunnel will come up. But there are some situations, such as when one of the peers has a dynamic IP address while the other end has a static IP, where the interesting traffic can be generated from one end but not from the other. We do not know enough about your situation to be able to determine whether interesting traffic could be generated from both ends or only from one end.

HTH

Rick


Both sites use static IPs. As I mentioned earlier, we have multiple branches connecting to our HQ, but only this particular tunnel/branch is having this issue.

It is good to know that during the problem users at the branch are able to use the Internet. But that does not answer the question of whether, during the problem, packets from HQ actually get to the branch.

HTH

Rick
