S2S VPN Tunnel with AWS not establishing

kbowles
Level 1

Hello everyone, 

Long time reader, first time requester. As the title states, I am having issues getting an S2S IKEv1 tunnel to establish between my ASA 5516-X and our AWS VPC. I followed a guide to do this, and downloaded the config straight from AWS that said to copy and paste into the firewall and the tunnel should come up. If only my life were ever that easy. Anyone have experience doing this? If I run

clear crypto ikev1 *peer ip*

I can see the IKEv1 tunnel in a Wait_MM_MSG2 status for about 15 seconds before I start seeing that there are no IKEv1 tunnels. Please advise. Thank you!

23 Replies

This returns nothing because phase 1 is not establishing. Phase 1 for this tunnel will go into an MM_WAIT_MSG2 status for about 30 seconds before completely disappearing from the ikev1 sa 

I know that I need to see if the tunnel selects the correct tunnel-group.

It must appear with l2l as the type.

Does this appear?

MHM, I ran the packet tracer again twice, and then ran show crypto ikev1 sa (this is the only ikev1 tunnel). Please see the attached screenshot. It is showing the type as "user". You can also see it dropping out of the ikev1 SA after a few seconds and showing there are no ikev1 SAs.

Do you see the type is user, not l2l?

The issue is in the tunnel-group.

MHM

default-group-policy filter

What is this group policy? Remove it from the tunnel-group of this peer.

Check again 

MHM
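As an added example (not code from this thread, from Cisco, or from AWS), a small Python checker that parses `show crypto ikev1 sa` output and flags the two symptoms discussed above: a peer whose SA shows Type `user` instead of `L2L` (the tunnel-group mismatch MHM points at) and a phase 1 SA sitting in MM_WAIT_MSG2 (no reply from the peer). The sample output and the peer addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `show crypto ikev1 sa` output; the peer addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

@dataclass
class IkeSa:
    peer: str
    sa_type: str
    role: str
    state: str

# One per-peer block: "IKE Peer:" line, then Type/Role line, then Rekey/State line.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*\S+\s+State\s*:\s*(?P<state>\S+)"
)

def parse_ikev1_sa(text: str) -> List[IkeSa]:
    """Parse per-peer SA entries; 'There are no IKEv1 SAs' yields an empty list."""
    return [IkeSa(m["peer"], m["type"], m["role"], m["state"])
            for m in SA_RE.finditer(text)]

def diagnose(sas: List[IkeSa], peer: str) -> List[str]:
    """Return findings for one peer that is expected to be a site-to-site (L2L) tunnel."""
    matches = [s for s in sas if s.peer == peer]
    if not matches:
        return ["no IKEv1 SA for peer: phase 1 never started or already timed out"]
    sa, findings = matches[0], []
    if sa.sa_type.lower() != "l2l":
        findings.append(f"type is {sa.sa_type}, expected L2L: peer matched the wrong tunnel-group")
    if sa.state == "MM_WAIT_MSG2":
        findings.append("stuck in MM_WAIT_MSG2: no reply from peer; confirm peer config and capture the traffic")
    return findings
```

Paste the real `show crypto ikev1 sa` output in place of the sample and call `diagnose()` with the AWS peer address; an empty list means both checks passed.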

@kbowles your device is initiating the tunnel but has not heard anything back from the peer. You should troubleshoot the peer side to confirm whether everything is set up correctly and that the initial ike/isakmp packet is received.

packet-tracer is for "through" traffic, not to/from the ASA itself. Run a packet capture and confirm traffic sent and received (or not).

Unfortunately, the remote side is AWS and I can't seem to find any "troubleshooting" tools on the VPC.

Enable

Debug crypto isakmp 

Ping from LAN local to remote 

Copy result

Then

Disable debug

Share output 

MHM


No logs are populating with debug crypto isakmp enabled and pinging the remote end.