07-17-2007 11:01 PM - edited 02-21-2020 03:09 PM
Please help.
When I do a 'show crypto isakmp sa' on asa5510 ver 7.2(1) for a L2L ipsec tunnel, this is the message it gives me. Pls explain what it means.
I have also attached the debug messages, please explain what that means.
07-18-2007 11:55 AM
Hi
The sh cry isa sa output with MM_ACTIVE indicates that the main mode is in active state, i.e. phase 1 is up.
The debugs are indicating that it is failing at Quick Mode (QM) or phase 2. You would need to get the isa as well as ipsec debugs on both ends to find why it is failing at phase 2.
Thanks
07-18-2007 05:16 PM
07-19-2007 12:58 PM
Hi
Looks like the debug was taken from the buffer and hence incomplete and not really helpful. Is it possible to capture the debugs on the console or monitor session and log the entire debugs, right from the time the tunnel is starting to come up?
Thanks
07-19-2007 03:09 PM
If I am accessing the ASA from remote telnet rather than directly connected to the console, how can I capture debugs from a session monitor? How do I do a monitor session?
07-18-2007 08:52 PM
Please explain the debug information I attached. This is from the asa5510 ver 7.2(1).
I need help urgently, pls.
07-19-2007 02:42 PM
This is a long shot since the debugs are incomplete. Check whether both sides are set up to do PFS (Perfect Forward Secrecy). You will find it under the crypto map statements on the ASA.
07-19-2007 03:12 PM
Both Firewalls are set to do pfs group 2.
What next?
07-19-2007 04:12 PM
Get the complete debugs. Since we don't have the configurations, set the level of debugs to 255.
07-23-2007 06:33 PM
Hi
I set the level of debugs on the asa to 255 for crypto isakmp & crypto ipsec.