L2L VPN couldn't come up

cscyangyu
Level 1

I tried to set up a L2L VPN tunnel, but failed. This tunnel is between a Cisco IOS router and an ASA. I attached the debug info; please check it and let me know why the tunnel could not come up.

5 Replies

Hi,

According to the debugs, it seems that phase 1 is up.

You should see phase 1 active with the command: sh cry isa sa (on both ends)

If this is the case (it seems like it), phase 2 is not establishing.

Check the status of phase 2 with the command: sh cry ips sa (on both ends)

If the problem is with phase 2, check the transform-set that you have assigned on each end for the crypto map and make sure the encryption and hash matches both sides (no PFS enabled/or enabled on both ends).

I think the debugs that you attached are not the entire negotiation, but either way the problem seems to be with phase 2.

Federico.

I don't think phase 1 was up, since the isakmp status is MM_NO_STATE. If the tunnel was up, the status should be QM_IDLE. The problem is that when I type the command show crypto isakmp sa, I find 3 entries for this tunnel: 2 are in MM_NO_STATE (deleted), 1 is in QM_IDLE. Even if I clear the isakmp sa, the result does not change.

The fact that you see the phase 1 SA in QM_IDLE means it is up.

The problem is then with phase 2.

Can you post/check the settings?

Federico.

I only have my side's configuration, and I attached it. Please check it.

Since we have determined that the problem is on phase 2, then please check the following:

The phase 2 policy on the other end is set up for 3DES and SHA, and no PFS is used.

The interesting traffic matches the flow between the same hosts on the other side.

Federico.
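The troubleshooting sequence Federico lays out (confirm phase 1 from the ISAKMP SA table, then compare the phase 2 transform set, PFS setting and interesting traffic on both ends) as an added Python example; this is not code from the thread or from Cisco. The `show crypto isakmp sa` text is a constructed IOS-format sample using documentation addresses that reproduces the poster's symptom (two stale MM_NO_STATE rows marked deleted plus one QM_IDLE row), and the two `Phase2Side` values are constructed endpoint settings, not the poster's attached configuration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of IOS "show crypto isakmp sa" output: two stale
# MM_NO_STATE rows flagged (deleted) and one live QM_IDLE row to the same peer.
ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    MM_NO_STATE       1001 ACTIVE (deleted)
203.0.113.2     198.51.100.1    MM_NO_STATE       1002 ACTIVE (deleted)
203.0.113.2     198.51.100.1    QM_IDLE           1003 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# dst, src, STATE, conn-id, then whatever status text follows (may include "(deleted)")
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.*?)\s*$")


def parse_isakmp_sa(output: str) -> list[dict]:
    """Turn the tabular SA listing into dicts; header and banner lines do not match."""
    entries = []
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        dst, src, state, conn_id, status = m.groups()
        entries.append({
            "dst": dst, "src": src, "state": state,
            "conn_id": int(conn_id),
            "deleted": "(deleted)" in status,
        })
    return entries


def phase1_state(entries: list[dict], peer: str) -> str:
    """'up' if a live QM_IDLE SA exists toward the peer, 'negotiating' if only
    main-mode states remain, 'none' if nothing is listed. Rows marked (deleted)
    are leftovers of earlier attempts, not a live SA, so they are ignored."""
    live = [e for e in entries if peer in (e["dst"], e["src"]) and not e["deleted"]]
    if any(e["state"] == "QM_IDLE" for e in live):
        return "up"
    return "negotiating" if live else "none"


@dataclass
class Phase2Side:
    """Phase 2 parameters of one endpoint, as read from its crypto map."""
    encryption: str            # transform, e.g. "esp-3des"
    integrity: str             # transform, e.g. "esp-sha-hmac"
    pfs_group: Optional[str]   # e.g. "group2"; None when no PFS is configured
    local_nets: set[str]       # local side of the crypto ACL (interesting traffic)
    remote_nets: set[str]      # remote side of the crypto ACL


def compare_phase2(a: Phase2Side, b: Phase2Side) -> list[str]:
    """List every mismatch that would keep phase 2 from establishing."""
    def norm(nets: set[str]) -> set[str]:
        return {str(ipaddress.ip_network(n)) for n in nets}

    problems = []
    if a.encryption != b.encryption:
        problems.append(f"encryption mismatch: {a.encryption} vs {b.encryption}")
    if a.integrity != b.integrity:
        problems.append(f"hash mismatch: {a.integrity} vs {b.integrity}")
    if a.pfs_group != b.pfs_group:  # also catches PFS enabled on only one end
        problems.append(f"PFS mismatch: {a.pfs_group} vs {b.pfs_group}")
    # The crypto ACLs must mirror each other: A's local == B's remote and vice versa.
    if norm(a.local_nets) != norm(b.remote_nets) or norm(a.remote_nets) != norm(b.local_nets):
        problems.append("interesting traffic is not mirrored between the two crypto ACLs")
    return problems


# Constructed endpoint settings: same 3DES/SHA transforms, but PFS only on the ASA.
IOS_SIDE = Phase2Side("esp-3des", "esp-sha-hmac", None, {"10.1.1.0/24"}, {"10.2.2.0/24"})
ASA_SIDE = Phase2Side("esp-3des", "esp-sha-hmac", "group2", {"10.2.2.0/24"}, {"10.1.1.0/24"})


def diagnose(isakmp_output: str, peer: str, local: Phase2Side, remote: Phase2Side) -> dict:
    """Apply the two-step check: phase 1 first, phase 2 only once phase 1 is up."""
    p1 = phase1_state(parse_isakmp_sa(isakmp_output), peer)
    p2 = compare_phase2(local, remote) if p1 == "up" else ["phase 1 is not up; fix it first"]
    return {"phase1": p1, "phase2_problems": p2}


if __name__ == "__main__":
    print(diagnose(ISAKMP_SA_SAMPLE, "203.0.113.2", IOS_SIDE, ASA_SIDE))
```

Run against the sample, the result reports phase 1 as up (the stale deleted rows are ignored, which is the point of Federico's reply) and a single phase 2 problem, the one-sided PFS setting; with both sides mirrored and PFS absent on both, the problem list is empty.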
