01-21-2016 06:27 AM
Hi All,
I am trying to configure a site-to-site VPN from a Cisco router to a Cisco ASA, but the tunnel is not coming up. I have attached the router config and the debug logs.
My remote site IP is 178.210.103.194, but the log shows the remote IP as 71.6.167.142.
Kindly assist me in resolving this issue. Thanks in advance.
Regards,
Harsha
01-21-2016 11:59 AM
Hi Harsha,
According to the log:
*Jan 20 14:32:03.448: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 71.6.167.142
It looks like you are not able to initiate the tunnel because the settings for Phase 1 are not matching on both ends.
01-21-2016 09:57 PM
Hi Carlguer,
Thanks for the response, but if you go through the attached router file, I have never configured the 71.6.167.142 IP address on either my router or the ASA FW. I am surprised to see those logs, in which the encryption and SHA algorithms are also different.
01-22-2016 03:47 AM
You can tracert the route, or please ask the peer network admin to confirm whether there is a multilink or route issue; maybe your packets go in on one link but go out on another link.
01-22-2016 10:20 PM
Hi All,
Thanks for your support. The PFS group was not enabled on the router and the NAT exemption was not properly done.
Problem Description
================
VPN tunnel not coming up.
Action Taken
==========
++NAT exemption was missing; added that.
++PFS was missing on the ISR for the intended peer, added the same.
Regards,
Harsha
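
An added example, not part of any post in this thread: the debug line quoted above shows state `(R)`, meaning the router was the responder in that exchange, and names a peer the poster never configured. This Python sketch groups `deleting SA` lines by peer and local role so such lines are read separately from the intended peer's negotiation; the configured-peer set and two of the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: the only peer configured on the router is the thread's remote site.
CONFIGURED_PEERS = {"178.210.103.194"}

# IOS "deleting SA" debug line, in the format quoted in the thread. The final
# ")" is optional because the quoted line is cut off before it.
DELETE_RE = re.compile(
    r'ISAKMP:\(\d+\):\s*deleting SA reason "(?P<reason>[^"]+)" '
    r'state \((?P<role>[IR])\) (?P<state>\S+)\s+'
    r'\(peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3})\)?'
)
ROLE = {"I": "initiator", "R": "responder"}  # this router's role in the exchange

# The 14:32:03.448 line is the one quoted in the thread; the other two lines
# are constructed samples added for contrast.
SAMPLE_LOG = '''\
*Jan 20 14:32:03.444: ISAKMP:(0):no offers accepted!
*Jan 20 14:32:03.448: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 71.6.167.142
*Jan 20 14:33:10.120: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 178.210.103.194)
'''

def triage(log_text, configured=CONFIGURED_PEERS):
    """Group SA deletions by peer and mark peers absent from the config."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = DELETE_RE.search(line)
        if not m:
            continue  # other ISAKMP debug lines carry no peer/role pair
        report[m["peer"]].append({
            "reason": m["reason"],
            "local_role": ROLE[m["role"]],
            "state": m["state"],
            "configured": m["peer"] in configured,
        })
    return dict(report)

def unconfigured_inbound(report):
    """Peers missing from the config for which this router was only a responder."""
    return sorted(
        peer for peer, events in report.items()
        if all(not e["configured"] and e["local_role"] == "responder" for e in events)
    )

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for peer, events in result.items():
        print(peer, events)
    print("unconfigured inbound peers:", unconfigured_inbound(result))
```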