sa not activated on ASA5505 after completion of L2L VPN

liladamson
Level 1

Hello,
I am setting up a new VPN connection, and when I follow all the process of adding a new L2L (Site2Site) VPN connection, it is not activating...
This is what I have done:
I am having an issue with my Cisco ASA 5505 not activating L2L VPN connections after I did the configuration.
I did Phase 1 and Phase 2, and at the end of the configuration "sh isakmp sa" is not showing it activated.
I have existing VPNs activated, but the added ones are not getting activated.

Attached you will find our License information and VPN Peer activate list.

I have 6 VPNs configured, and just 3 are showing.
I am not able to troubleshoot if it is not even showing as being enabled.

Please let me know what you think the issue can be.

PS: This is what I did:
crypto isakmp policy 70
 encryption 3des
 authentication pre-share
 group 2
 lifetime 28800
 hash md5
 exit

crypto ipsec transform-set ipsec-prop-air esp-3des esp-sha-hmac

access-list encrypt_vpn-2 extended permit ip "myhostip" "subnetmask" host "distanthost"

tunnel-group 196.46.244.193 type IPsec-l2l
tunnel-group 196.46.244.193 ipsec-attributes
 pre-shared-key **************


crypto map IPSec_map 70 match address encrypt_vpn-2
crypto map IPSec_map 70 set peer 196.46.244.193
crypto map IPSec_map 70 set transform-set ipsec-prop-air
crypto map IPSec_map interface outside
crypto isakmp enable outside

- Below is the output of the "sh run" I was able to get.

asa623# ping 196.46.244.193
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 196.46.244.193, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 360/366/370 ms
asa623# sh run tunnel-group
tunnel-group 196.46.244.193 type ipsec-l2l
tunnel-group 196.46.244.193 ipsec-attributes
ikev1 pre-shared-key *****
asa623# sh run crypto map
crypto map IPSec_map 70 match address encrypt_vpn-2
crypto map IPSec_map 70 set peer 196.46.244.193
crypto map IPSec_map 70 set ikev1 transform-set ipsec-prop-air
crypto map IPSec_map interface outside
asa623# sh run crypto isakmp
asa623# debug crypto condition peer 196.46.244.193

1 Accepted Solution

Accepted Solutions

Vinod Arya
Cisco Employee

This community may not be the right choice for this issue, as this is for Network Management Applications.

To get more security and FW experts, repost or transfer this to the Security community under the appropriate category here:

https://supportforums.cisco.com/community/4561/security 

-Thanks

Vinod

**Encourage Contributors. RATE them.**

-Thanks Vinod **Rating encourages contributors, and it's really free.**

liladamson
Level 1

I recently encountered problems setting up my ASA5505. I tried to create a new VPN (Site-to-Site); although the procedure was followed correctly, the command "sh crypto isakmp sa" does not display the new VPN profile. I have other VPNs (SAs) that appear fine, but the new ones do not appear. In order to create new ties for VPN services, I decided to acquire a new ASA5505 connected to the same server (both ASAs are connected to the same server "Host"). But since I installed and configured the new ASA5505, my former ASA went down and is now showing no active profile:

asa# sh cry ips sa peer 41.202.220.2
There are no ipsec sas
ASA# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2
