07-28-2021 04:28 AM
Hi,
I want to do the below setup
SITE TO SITE VPN PRIORITY
Priority 1 site1 192.168.2.0/24 site2 192.168.3.0/24
Priority 2 site1 192.168.2.0/24 site3 192.168.4.0/24
My question: since the source (192.168.2.0/24) is the same, will the traffic destined to 192.168.4.0/24 hit the first one?
Also,
"show crypto isakmp sa" is showing nothing.
What does it mean?
Thanks
07-28-2021 04:34 AM
It doesn't matter that the source is the same, it's the destination that matters as far as the Site1 ASA/router is concerned. In your example the Site2 network is 192.168.3.0/24 and the Site3 network is 192.168.4.0/24, so you can establish a tunnel from Site1 to both Site 2 and 3 at the same time.
"show crypto isakmp sa" won't show anything until interesting traffic has been sent and the ISAKMP/IKEv1 Security Associations (SAs) have been established.
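An added example, not part of the original thread and not Cisco code: a simplified model of how crypto map entries are checked in ascending sequence number, with the first entry whose crypto ACL matches both source and destination selecting the peer. It goes beyond the thread's case by also flagging an entry shadowed by a broader lower-sequence ACL. The names `CryptoMapEntry`, `select_entry`, `shadowed_entries` and the `BROAD_MAP` data are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int    # crypto map sequence number ("priority")
    src: str    # crypto ACL source network
    dst: str    # crypto ACL destination network
    peer: str   # label for the remote peer (constructed)


def select_entry(entries, src_ip, dst_ip):
    """Return the first entry, by sequence number, whose ACL matches the packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in sorted(entries, key=lambda e: e.seq):
        if s in ipaddress.ip_network(e.src) and d in ipaddress.ip_network(e.dst):
            return e
    return None  # not interesting traffic: no tunnel is triggered


def shadowed_entries(entries):
    """Return (seq, shadowing_seq) pairs for entries that can never be selected."""
    ordered = sorted(entries, key=lambda e: e.seq)
    hits = []
    for i, late in enumerate(ordered):
        for early in ordered[:i]:
            if (ipaddress.ip_network(late.src).subnet_of(ipaddress.ip_network(early.src))
                    and ipaddress.ip_network(late.dst).subnet_of(ipaddress.ip_network(early.dst))):
                hits.append((late.seq, early.seq))
                break
    return hits


# The two entries from the thread: same source, different destinations.
THREAD_MAP = [
    CryptoMapEntry(1, "192.168.2.0/24", "192.168.3.0/24", "site2"),
    CryptoMapEntry(2, "192.168.2.0/24", "192.168.4.0/24", "site3"),
]
# Constructed misconfiguration: entry 1 uses a destination that covers entry 2.
BROAD_MAP = [
    CryptoMapEntry(1, "192.168.2.0/24", "192.168.0.0/16", "site2"),
    CryptoMapEntry(2, "192.168.2.0/24", "192.168.4.0/24", "site3"),
]

if __name__ == "__main__":
    print(select_entry(THREAD_MAP, "192.168.2.10", "192.168.4.10"))
    print(shadowed_entries(BROAD_MAP))
```

With the thread's networks, traffic to 192.168.4.0/24 skips entry 1 and matches entry 2; only an overlapping destination in a lower-sequence entry would capture it first.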
07-28-2021 05:19 AM
Hi,
Let's say the destination-side LAN (192.168.3.0/24) is not reachable, so "show crypto isakmp sa" won't show anything because there is no interesting traffic generated. Correct?
In that case, how do we verify phase one and phase 2 are OK?
Thanks
07-28-2021 05:28 AM
If the destination network 192.168.3.0/24 is unavailable, but the configuration on both peer devices is correct, a tunnel will be established, but there would be no response from the destination.
You will need to generate interesting traffic to troubleshoot connectivity. To check Phase 1 use "debug crypto isakmp" and to debug Phase 2 "debug crypto ipsec".
07-28-2021 02:10 PM
Hi,
"debug crypto isakmp" did not generate any log.
Is there any command other than this? I want to run on a production ASA.
Thanks
07-28-2021 02:16 PM
You need to generate interesting traffic (as defined in the crypto ACL) for the VPN to establish and therefore generate debug events. If you still don't see any debug events, is crypto isakmp/ikev1/ikev2 even enabled?
Is logging enabled to the console, vty lines?