cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1397
Views
0
Helpful
9
Replies

ISAKMP and IPSEc on ASA5510 ver 7.2(1)

bericaleb
Level 1
Level 1

Please help.

When I do a 'show crypto isakmp sa' on asa5510 ver 7.2(1) for a L2L ipsec tunnel, this is the message it gives me. Pls explain what it means.

I have also attached the debug messages, please expalin what that means.

9 Replies 9

nchandy
Cisco Employee
Cisco Employee

Hi

The sh cry isa sa output with MM_ACTIVE indicates that the main mode is in active state i.e phase 1 is up.

The debugs are indicating that it failing at Quick Mode (QM) or phase2. You would need to get the isa as well as ipsec debugs on both ends to find why it is failing at phase 2.

Thanks

Hi

some more results of debug for asa 5510 ipsec lan-to-lan vpn tunnel are attached. Pls explain what this mean

Hi

Looks like the debug was taken from the buffer and hence incomplete and not really helpful. Is it possible to capture the debugs on the console or monitor session and log the entire debugs , right from the time, the tunnel is starting to come up.

Thanks

if I accessing the ASA from remote telnet rather than directly connected to the Console how can I capture debugs from a session monitor? How do I do a monitor session?

please explain the debug information I attached. This from the asa5510 ver 7.2(1)

I need help urgently, pls.

This is a long shoot since the debugs are incomplete. Check whether both side are setup to do PFS (Perfect forward secrecy). You will find it under the crypto map statements on the ASA.

Both Firewalls are set to do pfs group 2.

What next?

Get the complete debugs, since we don't have the configurations set the level of debugs to 255.

Hi

I set the level of debugs on the asa to 255 for cryto ipsakmp & crypto ipsec.