Site-Site IPSec VPN Problems - Help?

losbanosit
Level 1

Hello All,

I'm trying to connect two sites together with an IPSec VPN tunnel between a couple of 5505s. I used the Wizard tool from the ASDM GUI and I am not able to get the two sites talking. What commands can I use to troubleshoot this problem from the "Command Line" menu option, or CLI? I have become more of a GUI guy since I began administering these ASAs, but I'm not opposed to using CLI. I just need a little bit of guidance on what I should be looking for while troubleshooting.

I have remote access to both ASAs from my desk, and while reviewing the Syslog messages I see that Site A (56.X) is logging this message: "IP=X.X.X.X, Error: Unable to remove PeerTblEntry" and "IP=X.X.X.X, Removing peer from peer table failed, no match!", where X.X.X.X is Site B's outside IP address. Site B (92.X) Syslog messages are not saying anything about Site A at all.

Please let me know what information is needed to better understand my problem.  I appreciate any help, Thanks!!

Joey

5 Replies

Hi Joey,

Verify IP connectivity between both sites (perhaps a PING).

Also, use these commands:

debug cry isa 127

debug cry ips 127

They will show us if there's any problem with the VPN.

Federico.

I can PING the outside IP across the WAN from both sides to each other. I cannot PING the inside, or protected, networks like 192.168.92.X and 192.168.56.X.

I can't run the command "debug cry isa 127" from the ASDM GUI.  Any other suggestions?

Thanks

Well... if you can't PING the protected networks, most likely it is because the VPN is not establishing correctly.

In order to find out why, I was suggesting the above commands (as you mentioned, you can run them in the CLI).

If you have access only to ASDM, maybe you can get a copy of the configuration for us to check it out.

Federico.

Sorry about the late reply, but I have copied my running config from both sites into a notepad for your review. Site A would be the 192.168.56.X network with an outside IP of X.X.52.61. Site B would be the 192.168.92.X network with an outside IP of X.X.53.105. I thought it'd be better to be safe and remove the outside WAN information and the encrypted password fields. : )

Let me know if you see anything that would help.

My research online is pointing to a NAT issue with one or both configurations.

Thank you,

Joey

Hi Joey,

The errors that you are seeing are generated due to a Phase 1 failure (isakmp). I think your ASA (site B) does not support aes-256 for encryption on phase 1. Can you please create a policy on site B with the following encryption/hash etc. and retest your connection (your NAT appears fine to me, BTW).

crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

If you are configuring using ASDM then:

Configuration > Site-to-Site VPN > Advanced > IKE Policies

Click the Add tab and enter the values mentioned above.

Manish
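The Phase 1 proposal mismatch Manish describes can be checked offline, from saved configs, before touching either ASA. The script below is an added example, not code from this thread or from Cisco: it parses the "crypto isakmp policy" blocks of two configs (constructed samples here, not the posters' real configs) and lists which policy pairs agree on authentication, encryption, hash and DH group, the attributes the responder compares when it searches its policies in priority order. The ASA default values it fills in for unset attributes are an assumption and are marked in the code.

```python
import re
# Constructed sample configs for illustration (the thread's real configs were not posted inline).
SITE_A_CFG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
"""
SITE_B_CFG = """
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
# Site B after adding a policy whose proposal matches Site A's (the kind of fix suggested above).
SITE_B_FIXED_CFG = SITE_B_CFG + """
crypto isakmp policy 30
 encryption aes-256
"""

MATCH_KEYS = ("authentication", "encryption", "hash", "group")
# Attributes left unset in a policy take the ASA defaults (assumed here; verify with 'show run all').
ASA_DEFAULTS = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2", "lifetime": "86400"}

def parse_isakmp_policies(cfg):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block in cfg."""
    policies, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"\s*crypto isakmp policy (\d+)", line)
        if head:
            current = int(head.group(1))
            policies[current] = dict(ASA_DEFAULTS)
            continue
        attr = re.match(r"\s*(authentication|encryption|hash|group|lifetime)\s+(\S+)", line)
        if attr and current is not None:
            policies[current][attr.group(1)] = attr.group(2)
    return policies

def find_phase1_matches(initiator_cfg, responder_cfg):
    """Responder-style search: walk responder policies by priority and report each one
    that agrees with an initiator policy on auth/encryption/hash/group (lifetime may differ)."""
    init = parse_isakmp_policies(initiator_cfg)
    resp = parse_isakmp_policies(responder_cfg)
    return [(ip, rp) for rp in sorted(resp) for ip in sorted(init)
            if all(init[ip][k] == resp[rp][k] for k in MATCH_KEYS)]

if __name__ == "__main__":
    print("before:", find_phase1_matches(SITE_A_CFG, SITE_B_CFG))        # []
    print("after: ", find_phase1_matches(SITE_A_CFG, SITE_B_FIXED_CFG))  # [(10, 30)]
```

An empty result for the two real configs is the condition that produces the "Removing peer from peer table failed, no match!" style of Phase 1 failure discussed above; pasting the output of "show run crypto isakmp" from each ASA into the two strings is enough to run it.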