11-23-2010 11:06 AM - edited 02-21-2020 04:59 PM
Hello All,
I'm trying to connect two sites together with an IPSec VPN tunnel between a couple of 5505s. I used the Wizard tool from the ASDM GUI and I am not able to get the two sites talking. What commands can I use to troubleshoot this problem from the "Command Line" menu option, or the CLI? I have become more of a GUI guy since I began administering these ASAs, but I'm not opposed to using the CLI. I just need a little bit of guidance on what I should be looking for while troubleshooting.
I have remote access to both ASAs from my desk, and while reviewing the Syslog messages I see that Site A (56.X) is logging these messages: "IP=X.X.X.X, Error: Unable to remove PeerTblEntry" and "IP=X.X.X.X, Removing peer from peer table failed, no match!", where X.X.X.X is Site B's outside IP address. Site B (92.X) Syslog messages are not saying anything about Site A at all.
Please let me know what information is needed to better understand my problem. I appreciate any help, Thanks!!
Joey
11-23-2010 11:15 AM
Hi Joey,
Verify IP connectivity between both sites (perhaps a PING).
Also, use these commands:
debug cry isa 127
debug cry ips 127
They will show us if there is any problem with the VPN.
Federico.
11-23-2010 01:58 PM
I can PING the outside IP across the WAN from both sides to each other. I cannot PING the inside, or protected, networks like 192.168.92.X and 192.168.56.X.
I can't run the command "debug cry isa 127" from the ASDM GUI. Any other suggestions?
Thanks
11-23-2010 02:02 PM
Well... if you can't PING the protected networks, it is most likely because the VPN is not establishing correctly.
In order to find out why, I was suggesting the above commands (as you mentioned, you can run them in the CLI).
If you have access only to ASDM, maybe you can get a copy of the configuration for us to check it out.
Federico.
11-23-2010 03:20 PM
Sorry about the late reply, but I have copied my running config from both sites into a notepad for your review. Site A would be the 192.168.56.X network with an outside IP of X.X.52.61. Site B would be the 192.168.92.X network with an outside IP of X.X.53.105. I thought it'd be better to be safe and remove the outside WAN information and the encrypted password fields. : )
Let me know if you see anything that would help.
My research online is pointing to a NAT issue with one or both configurations.
Thank you,
Joey
11-23-2010 04:01 PM
Hi Joey,
The errors that you are seeing are generated due to a Phase 1 failure (ISAKMP). I think your ASA (Site B) does not support aes-256 for encryption on Phase 1. Can you please create a policy on Site B with the following encryption/hash etc. and retest your connection (your NAT appears fine to me, BTW):
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
If you are configuring using ASDM, then:
Configuration > Site-to-Site VPN > Advanced > IKE Policies
Click the Add tab and enter the above-mentioned values.
Manish
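The diagnosis above comes down to one check: does at least one `crypto isakmp policy` on Site A agree with one on Site B in authentication, encryption, hash and DH group? The script below is an added example, not code from this thread or from Cisco; it parses `crypto isakmp policy` blocks out of two ASA configs, reports which attributes differ, and also pulls the peer IP out of the two syslog messages Joey quoted. The configs and syslog lines are constructed for the example (Site A is assumed to already carry a DES/MD5/group 2 policy, so that adding the suggested policy on Site B produces a match), and the addresses are documentation-range placeholders, not the poster's real addresses.

```python
import re

# Attributes both peers must agree on for an IKEv1 Phase 1 (ISAKMP) policy to match.
# Lifetime is negotiated rather than matched, so it is parsed but not compared.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")
ATTR_KEYS = MATCH_KEYS + ("lifetime",)

# Constructed sample configs (not the thread's real configs). Site A offers
# AES-256/SHA/group 2 and DES/MD5/group 2; Site B offers only 3DES/SHA/group 2.
SITE_A_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp enable outside
"""

SITE_B_CFG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
"""

# Site B after adding the policy suggested in the thread. Forum pasting often strips
# the leading space, so the parser accepts indented and unindented sub-commands alike.
SITE_B_FIXED_CFG = SITE_B_CFG + """\
crypto isakmp policy 20
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
"""

# Constructed syslog lines modelled on the two messages quoted in the question.
SAMPLE_SYSLOG = """\
IP=198.51.100.105, Error: Unable to remove PeerTblEntry
IP=198.51.100.105, Removing peer from peer table failed, no match!
Built inbound TCP connection for outside:203.0.113.9/443
"""

PHASE1_SYSLOG = re.compile(
    r"IP\s*=\s*(?P<peer>[\d.]+), (?:Error: Unable to remove PeerTblEntry"
    r"|Removing peer from peer table failed, no match!)")


def peers_failing_phase1(syslog_text):
    """Peer IPs named in the two 'peer table' messages, i.e. peers whose Phase 1 never completed."""
    return sorted({m.group("peer") for m in PHASE1_SYSLOG.finditer(syslog_text)})


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} for every 'crypto isakmp policy' block."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        words = line.split()
        if current is not None and len(words) == 2 and words[0] in ATTR_KEYS:
            policies[current][words[0]] = words[1]
        elif line:
            current = None  # any other command ends the policy block
    return policies


def common_policies(a, b):
    """(A priority, B priority) pairs whose compared attributes are identical."""
    return [(na, nb)
            for na, pa in sorted(a.items())
            for nb, pb in sorted(b.items())
            if all(pa.get(k) == pb.get(k) for k in MATCH_KEYS)]


def mismatch_report(a, b):
    """For every A/B policy pair, the compared attributes that differ (empty list = match)."""
    return {(na, nb): [k for k in MATCH_KEYS if pa.get(k) != pb.get(k)]
            for na, pa in sorted(a.items())
            for nb, pb in sorted(b.items())}


if __name__ == "__main__":
    a = parse_isakmp_policies(SITE_A_CFG)
    b = parse_isakmp_policies(SITE_B_CFG)
    print("peers with Phase 1 trouble:", peers_failing_phase1(SAMPLE_SYSLOG))
    print("common policies before fix:", common_policies(a, b))
    for (na, nb), diffs in mismatch_report(a, b).items():
        print(f"  A policy {na} vs B policy {nb}: differs in {diffs or 'nothing'}")
    print("common policies after fix:",
          common_policies(a, parse_isakmp_policies(SITE_B_FIXED_CFG)))
```

Run it against the two configs pasted into the thread (with the outside addresses and passwords removed, as Joey did) and an empty `common_policies` result means no Phase 1 proposal can ever be accepted, whatever the NAT or crypto-map configuration says; the `mismatch_report` entries show exactly which attribute to change on which side.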