10-26-2007 04:40 AM - edited 02-21-2020 03:20 PM
Hello,
I need help. I tried to create a site-to-site VPN (with ASA 5510 and 5520) using the VPN wizard, but I have a problem. The VPN tunnel was not established. Also, there is no ping between end users (10.1.1.2 and 10.2.2.2). In the attachment are the configurations and network topology.
Thank you.
10-29-2007 04:05 AM
Hi,
At first glance I don't see anything wrong with the config but...
Have you tried the "debug crypto isakmp" and "debug crypto ipsec" commands so you can check what the error is?
Are you able to ping from one outside interface of the ASA to the other?
Regards,
Paulo
10-29-2007 12:26 PM
Hi,
I'm having a similar issue to this user and I have a similar design. In my lab, the two ASAs can ping each other's outside IP but the tunnel won't come up. I'm using a managed L2 switch though, not an L3.
10-29-2007 01:34 PM
10-31-2007 12:43 PM
take this out:
tunnel-group VPNgroup1 type ipsec-l2l
tunnel-group VPNgroup1 ipsec-attributes
pre-shared-key *
try this instead:
tunnel-group
tunnel-group
pre-shared-key
Let me know how it goes
10-31-2007 12:50 PM
Thanks.
Yeah, I noticed that l2l tunnels must have the IP of the peer as the tunnel-group when I was going through a couple of tech pubs. I tried it with no success. I'm working with the TAC directly on this now. I'll post the solution when I find it.
10-31-2007 12:59 PM
Hi Andrew,
The two ASA configurations that you attached, is that the configuration you were using when it didn't work? The reason I ask is that the configuration is missing the following items for the vpn to completely work:
1. nat 0 with an access-list of the networks that are being encrypted.
2. Another access-list defining the traffic to be encrypted.
3. a crypto map
10-31-2007 01:03 PM
What I mentioned earlier, I saw those 3 things missing on the ASA 5505.
10-31-2007 01:10 PM
One other thing I noticed:
You have the static routes pointing to 172.21.11.4, which I am assuming is the switch. You should have the static routes pointing to the next hop of the other ASA. Otherwise the switch does not know where the network is located. For example, on the ASA 5505 you should have the following static route:
route outside 192.168.10.0 255.255.255.0 172.21.11.197
10-31-2007 01:42 PM
Thank You Jason,
I'm going to attach some new configs. Those configs are a few days old and were very very wrong it appears.
The config I'm attaching has plenty of changes on it. The two inside networks are 10.0.10.0 (asa5510) and 10.0.11.0 (asa5505). The outside interfaces are 172.21.11.197 (asa5510) and 10.0.3.30 (asa5505). This is all located in my lab. I'm also including a pretty drawing (yay!). I'm new to the whole security side of networking so it surely may be something dumb that I'm missing.
The two configs have been looked over once by the Cisco TAC; I haven't heard back from them yet today.
10-31-2007 02:16 PM
try this also. Put this command on both ASAs:
sysopt connection permit-vpn
10-31-2007 02:20 PM
One final thing. Include this too. It may not make a difference but try it anyway.
crypto map
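As an added example (not code from this thread, and not Cisco's), here is a small Python lint that encodes the checklist the replies above assemble: a crypto ACL with a matching nat 0 exemption, a crypto map that references a defined transform-set and is applied to an interface, an ipsec-l2l tunnel-group named after the peer address rather than an arbitrary name, a static route for the remote network, and sysopt connection permit-vpn. It parses the pre-8.3 ASA syntax used in this thread. The two configurations it runs against are constructed samples built from the networks in Andrew's post (10.0.10.0 behind the 5510, 10.0.11.0 behind the 5505 at 10.0.3.30), with the pre-shared key and next hop as placeholders. It is a text check only: it cannot tell whether interesting traffic was ever sent or what the far-end ASA has configured.

```python
import re
from collections import defaultdict

# Constructed sample in the shape this thread converges on (pre-8.3 ASA
# syntax, ASA 5510 side). Not the thread's attachments; key and next hop
# are placeholders.
GOOD_CONFIG = """\
access-list L2L_TRAFFIC extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
nat (inside) 0 access-list L2L_TRAFFIC
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 10.0.3.30
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto isakmp enable outside
tunnel-group 10.0.3.30 type ipsec-l2l
tunnel-group 10.0.3.30 ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY
sysopt connection permit-vpn
route outside 10.0.11.0 255.255.255.0 NEXT_HOP_PLACEHOLDER
"""

# Constructed sample reproducing the mistakes discussed in the thread: a
# tunnel-group named VPNgroup1 instead of the peer address, no nat 0
# exemption, no sysopt, and no static route for the remote LAN.
BAD_CONFIG = """\
access-list L2L_TRAFFIC extended permit ip 10.0.10.0 255.255.255.0 10.0.11.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 10.0.3.30
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group VPNgroup1 type ipsec-l2l
tunnel-group VPNgroup1 ipsec-attributes
 pre-shared-key PLACEHOLDER_KEY
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)$")


def lint_l2l(config: str) -> list[str]:
    """Return human-readable findings; an empty list means every item passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Index the pieces a site-to-site tunnel needs in order to hang together.
    acls = defaultdict(set)  # ACL name -> {(src, smask, dst, dmask)}
    for ln in lines:
        if m := ACL_RE.match(ln):
            acls[m.group(1)].add(m.groups()[1:])
    nat0 = {m.group(1) for ln in lines
            if (m := re.match(r"nat \(\S+\) 0 access-list (\S+)$", ln))}
    exempt = set().union(*(acls[n] for n in nat0))  # networks excluded from NAT
    transform_sets = {m.group(1) for ln in lines
                      if (m := re.match(r"crypto ipsec transform-set (\S+) ", ln))}
    l2l_groups = {m.group(1) for ln in lines
                  if (m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", ln))}
    bound_maps = {m.group(1) for ln in lines
                  if (m := re.match(r"crypto map (\S+) interface \S+$", ln))}
    routes = {(m.group(1), m.group(2)) for ln in lines
              if (m := re.match(r"route \S+ (\S+) (\S+) \S+", ln))}
    entries = defaultdict(dict)  # (map name, seq) -> {keyword: value}
    for ln in lines:
        if m := MAP_RE.match(ln):
            entries[(m.group(1), m.group(2))][m.group(3)] = m.group(4)

    if not entries:
        findings.append("no crypto map entries defined")
    for (name, seq), cfg in entries.items():
        tag = f"crypto map {name} {seq}"
        acl = cfg.get("match address")
        if acl not in acls:
            findings.append(f"{tag}: crypto ACL {acl} is missing or empty")
        else:
            for src, smask, dst, dmask in acls[acl]:
                if (src, smask, dst, dmask) not in exempt:
                    findings.append(f"{tag}: {src}->{dst} is encrypted but has no nat 0 exemption")
                if (dst, dmask) not in routes and ("0.0.0.0", "0.0.0.0") not in routes:
                    findings.append(f"{tag}: no static route for {dst} {dmask}")
        ts = cfg.get("set transform-set")
        if ts not in transform_sets:
            findings.append(f"{tag}: transform-set {ts} is not defined")
        peer = cfg.get("set peer")
        if peer not in l2l_groups:
            # l2l tunnel-groups are looked up by the peer's address, so a group
            # named anything else is never matched when the peer connects.
            findings.append(f"{tag}: no 'tunnel-group {peer} type ipsec-l2l' for the peer")
        if name not in bound_maps:
            findings.append(f"{tag}: map {name} is not applied with 'crypto map {name} interface <if>'")
    if "sysopt connection permit-vpn" not in lines:
        findings.append("'sysopt connection permit-vpn' is absent; decrypted traffic is subject to interface ACLs")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_l2l(cfg) or "OK")
```

Run against the two samples, the good configuration produces no findings and the bad one reports the four gaps the thread walks through: the missing nat 0 exemption, the missing static route, the tunnel-group that is not keyed by the peer address, and the absent sysopt. Each check is only as good as the regexes; an ACL written with `host` or object-groups, or a nat exemption defined on a different interface name, would need the patterns extended.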
11-01-2007 12:28 PM
Owned it guys!
With the help of the Cisco TAC of course :). I feel pretty silly now but it was kind of an easy miss, I think anyway.
My config was right on; the problem was that I didn't initiate 'interesting traffic'.
You have to ping the opposite inside interface using:
#ping inside x.x.x.x
That forces the ping to originate from the local ASAs inside address and generates 'interesting traffic' which then builds the tunnel.
Hope this helps someone else too.
Thanks for the interest in my problem guys.
11-01-2007 04:17 AM
Hi,
I am able to ping from one outside interface of the ASA to the other. Here is output from "debug crypto isakmp":
debug crypto isakmp (on ASA1)
ping from 10.2.2.2 to 10.1.1.2:
ciscoasa1# Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Can't find a valid tunnel group, aborting...!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:32:09 [IKEv1]: Group = 192.168.2.2, IP = 192.168.2.2, Error: Unable to remove PeerTblEntry
Apr 20 23:32:17 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:25 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
Apr 20 23:32:33 [IKEv1]: IP = 192.168.2.2, Header invalid, missing SA payload! (next payload = 4)
ping from 10.1.1.2 to 10.2.2.2:
ciscoasa1# Apr 20 23:34:44 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:34:52 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:35:00 [IKEv1]: IP = 192.168.2.2, Information Exchange processing failed
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Removing peer from peer table failed, no match!
Apr 20 23:35:08 [IKEv1]: IP = 192.168.2.2, Error: Unable to remove PeerTblEntry
Any comment will be useful.
Regards