07-02-2019 05:15 PM
I have two ASA 5506-X at two different sites and site to site VPN is not working.
I can ping the outside interface of both the ASA's from each other.
When I DO show crypto isakmp sa , nothing is in there.
How do I troubleshoot
Solved! Go to Solution.
07-02-2019 08:07 PM
07-02-2019 10:01 PM
07-02-2019 06:45 PM
07-02-2019 07:43 PM
07-02-2019 07:44 PM
When I run debug crypto ikev1, nothing appears on the ssh session, even though I have terminal monitor
07-02-2019 08:07 PM
07-02-2019 08:59 PM
07-02-2019 10:01 PM
07-03-2019 07:51 AM
Thanks a lot GRANT, it's working now.
It's strange the NAT order was preventing from PHASE1 to initiate or come up.
After doing the packet-tracer command, packet-tracer input inside icmp 10.106.55.2 8 0 10.106.57.8, as you mentioned it was going through PAT first.
Changed the NAT statement to number 1, and then PHASE1 and PHASE2 started working ON ASA1.
Then had to do the same ON ASA2 as the other side was not able to access the resources.
After changing the NONAT site to site statements, both the sides are now able to access the resources and site to site tunnel is up.
Thanks a lot and appreciate all of you guys.
07-03-2019 07:58 AM
07-02-2019 08:25 PM
07-02-2019 07:29 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide