site to site VPN on ASA5510

Tiyanjane Nyirenda · ‎07-04-2013

I am creating a site to site VPN on my ASA5510.

When i run

sh crypto isakmp sa

am getting below message

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 168.167.98.187

Type : user Role : initiator

Rekey : no State : MM_WAIT_MSG2

what could be the issue?

Jouni Forss · ‎07-04-2013

Hi,

It means your ASA has sent the initial message for the VPN negotiation and has not received any reply.

Reasons might be

Something on your side is blocking the negotiation in front of the ASA. If you have other VPN connections this isnt very likely naturally
Something on the remote end is blocking the negotiation from reaching the remote end
Soemthing on the remote end is blocking the negotiation reply from reaching your device
The remote end has not configured its VPN setting properly. I would imagine this might be the most likely reason

The above are atleast some reasons.

Ask the remote end to confirm that they have VPN configurations related your ASAs peer IP.

Hope this helps

Please do remember to mark the reply as the correct answer if it answered your question.

Naturally ask more if needed

- Jouni

Tiyanjane Nyirenda · ‎07-04-2013

Jouni

Something on your side is blocking the negotiation in front of the ASA. If you have other VPN connections this isnt very likely naturally

of course i do have other VPN connection i have removed them but still seeing the same message. I will check with the remote end like suggested

Jouni Forss · ‎07-04-2013

Hi,

No need to remove any VPN configuration on your part. They shouldnt be related to this issue.

If the output of the above command is always the same when generating traffic for the L2L VPN connection then it would seem there is something wrong between your VPN devices or at the remote end VPN device as its not replying.

Let us know when you hear from the remote site.

- Jouni