Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
347
Views
10
Helpful
5
Replies

site to site vpn priority

bluesea2010
Level 5
Level 5

‎07-28-2021 04:28 AM

Hi,
I want to do the below setup


SITE TO SITE VPN PRIORITY


Priority 1 site1 192.168.2.0/24 site2 192.168.3.0/24
Priority 2 site1 192.168.2.0/24 site3 192.168.4.0/24

My question since the source (192.168.2.0/24) is same the traffic destined to 192.168.4.0/24 will hit the first one ?

 

and also 

show crypto isakmp sa showing nothing 

What does it mean 

Thanks

 

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎07-28-2021 04:34 AM

@bluesea2010 

It doesn't matter the source is the same, it's the destination that matters as far as Site1 ASA/router is concerned. In your example Site2 network is 192.168.3.0/24 and Site3 network is 192.168.4.0/24, so you can establish a tunnel from Site1 to both Site 2 and 3 at the same time.

 

"show crypto isakmp sa" won't show anything until interesting traffic has been sent and the ISAKMP/IKEv1 Security Associations (SAs) have been established.

bluesea2010
Level 5
Level 5
In response to Rob Ingram

‎07-28-2021 05:19 AM

Hi,

Let's say the destination side   LAN (192.168.3.0/24) not reachable, so show crypto isakmp sa" won't show anything because there is no interesting traffic generated, Correct ? 

In that case, how do we verify phase one and phase 2 are ok ? 

 

Thanks 

 

0 Helpful

Rob Ingram
VIP
VIP
In response to bluesea2010

‎07-28-2021 05:28 AM

@bluesea2010 

If the destination network 192.168.3.0/24 is unavailable, but the configuration on both peer devices is correct, a tunnel will be established, but there would be no response from the destination.

 

You will need to generate interesting traffic to troubleshoot connectivity. To check Phase 1 use "debug crypto isakmp" and to debug Phase 2 "debug crypto ipsec".

bluesea2010
Level 5
Level 5
In response to Rob Ingram

‎07-28-2021 02:10 PM

Hi,

debug crypto isakmp did not generate any log  .

is there any command other than this , I want to run on a production  asa 

Thanks 

0 Helpful

Rob Ingram
VIP
VIP
In response to bluesea2010

‎07-28-2021 02:16 PM

@bluesea2010 

You need to generate interesting traffic (as defined in the crypto ACL) for the VPN to establish and therefore generate debug events. If you still don't see any debug events, is crypto isakmp/ikev1/ikev2 even enabled?

Is logging enabled to the console, vty lines?

0 Helpful
Customers Also Viewed These Support Documents