Static L2L Tunnel - Won't Come Up

Steven Tolzmann
Level 1

Hello everyone,

I currently have a really big problem with a site that I am unable to get going at the moment.

We have a HUB ASA5505 SEC+ with a few other ASAs connected to it via L2L VPN. We have 1 active Static L2L, 1 active Dynamic L2L, and I'm currently trying to add a second Static L2L tunnel.

I verified that each WAN interface can ping the other, and both devices have full internet connectivity. There is no double NAT or content filtering going on either. I did notice that my Cisco Remote Access VPN Client won't connect properly through the ASA despite full internet connectivity, but when I connect directly to the modem I was able to connect properly. So apparently the ISP isn't blocking IPSEC traffic AFAIK.

Static2 is currently using a Temporary TAC License since our license is currently awaiting arrival, but a show version output shows that all VPN/3des features are enabled.

Here are the configs:

hostname HUB-ASA5505
domain-name xxxxxxx.local
enable password xxxxxxxxxxx
names
name 192.168.9.50 xxxxxxxxx
name 192.168.9.51 xxxxxxxxx description xxxxxxxxxx
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.9.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xxxxxxxxxxxxx 255.255.255.248
!
interface Vlan3
nameif dmz
security-level 50
ip address 10.10.9.1 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd xxxxxxxxxxxx
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server xxxxxxxxxx
name-server xxxxxxxxxxxxxxx
domain-name xxxxxxxxxxxx.local
same-security-traffic permit intra-interface
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list 101 extended permit icmp any any
access-list split standard permit 192.168.0.0 255.255.0.0
access-list to_static1 extended permit ip 192.168.0.0 255.255.0.0 192.168.14.0 255.255.255.0
access-list to_static2 extended permit ip 192.168.0.0 255.255.0.0 192.168.16.0 255.255.255.0     <<< This is the problem tunnel
access-list RTP extended permit udp any any range 10000 20000
access-list RTP extended permit tcp any any range 10000 20000
pager lines 24
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool RA-Pool 192.168.99.1-192.168.99.126 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 75.146.188.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 20 set transform-set ESP-3DES-SHA
crypto map outside_map 10 match address to_static1
crypto map outside_map 10 set peer xxxxxxxxxx
crypto map outside_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 11 match address to_static2               <<<<
crypto map outside_map 11 set peer xxxxxxxxxxxxx                 <<<<< Problem Tunnel
crypto map outside_map 11 set transform-set ESP-3DES-SHA   <<<<<
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 192.168.9.101-192.168.9.199 inside
dhcpd dns 192.168.9.2 xxxxxxxxxxx interface inside
dhcpd domain xxxxxxxxx.local interface inside
dhcpd option 66 ip xxxxxxxx interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect sip default_sip
parameters
  max-forwards-validation action drop log
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect rtsp
  inspect sip default_sip
!
service-policy global_policy global
group-policy xxxxx-RA internal
group-policy xxxxx-RA attributes
dns-server value 192.168.9.2 xxxxxxxxxxxxx
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value xxxxxxxxx.local
nem enable
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group xxxxx-RA type remote-access
tunnel-group xxxxxx-RA general-attributes
address-pool RA-Pool
default-group-policy xxxxx-RA
tunnel-group xxxxxx-RA ipsec-attributes
pre-shared-key *
tunnel-group STATIC2_WANIP type ipsec-l2l            <<<<<< Problem tunnel
tunnel-group STATIC2_WANIP ipsec-attributes      <<<<<<<<
pre-shared-key *
tunnel-group STATIC1_WANIP type ipsec-l2l
tunnel-group STATIC1_WANIP ipsec-attributes
pre-shared-key *
prompt hostname context

and....

hostname STATIC2-ASA5505
domain-name xxxxxxxx.local
enable password xxxxxxxxxx
passwd xxxxxxxxxxx
names
!
interface Ethernet0/0
switchport access vlan 3
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2
!
interface Ethernet0/5
switchport access vlan 2
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport trunk allowed vlan 1-2
switchport trunk native vlan 1
switchport mode trunk
!
interface Vlan1
nameif dmz
security-level 50
ip address 10.10.0.1 255.255.255.0
!
interface Vlan2
nameif inside
security-level 100
ip address 192.168.16.1 255.255.255.0
!
interface Vlan3
nameif outside
security-level 0
ip address xxxxxxxxxxx 255.255.254.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server xxxxxxxxxx
name-server xxxxxxxxxx
domain-name xxxxxxxxxx.local
access-list to_hq extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.16.0 255.255.255.0 192.168.0.0 255.255.0.0
pager lines 24
mtu dmz 1500
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

route outside 0.0.0.0 0.0.0.0 xxxxxxxxxxx
global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cmap1 10 match address to_hq
crypto map cmap1 10 set peer xxxxxxxxxxxxxx
crypto map cmap1 10 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns 192.168.9.2 xxxxxxxxxxxx
!
dhcpd address 10.10.0.100-10.10.0.199 dmz
dhcpd lease 10800 interface dmz
dhcpd enable dmz
!
dhcpd address 192.168.16.101-192.168.16.131 inside
dhcpd lease 10800 interface inside
dhcpd domain xxxxxxxxxx.local interface inside
dhcpd option 66 ip 192.168.9.50 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group HUB_WANIP type ipsec-l2l
tunnel-group HUB_WANIP ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

Any help is appreciated

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Seems to me that the ASA named STATIC2-ASA5505 is missing some essential VPN related configurations.

The crypto map is not attached to any interface

Configure this

crypto map cmap1 interface outside

The Crypto ISAKMP isn't enabled on any interface

Configure this

crypto isakmp enable outside

Hope this helps

- Jouni
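A small configuration check, added here as an example and not part of the original thread, that finds the two omissions Jouni points out in an ASA running-config: a crypto map that is defined but never applied with "crypto map NAME interface IFNAME", and ISAKMP not enabled on the interface the map is applied to (or on any interface at all). The sample configs are constructed excerpts modelled on the STATIC2-ASA5505 config above; HUB_WANIP is the post's own placeholder, not a real address.

```python
import re

# Constructed excerpt modelled on the STATIC2-ASA5505 config in the post
# (the peer is the post's placeholder, not a real address).
SPOKE_BEFORE = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map cmap1 10 match address to_hq
crypto map cmap1 10 set peer HUB_WANIP
crypto map cmap1 10 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
no crypto isakmp nat-traversal
tunnel-group HUB_WANIP type ipsec-l2l
"""

# The same excerpt with the two lines from the accepted answer appended.
SPOKE_AFTER = SPOKE_BEFORE + """\
crypto map cmap1 interface outside
crypto isakmp enable outside
"""

MAP_ENTRY = re.compile(r"^crypto map (\S+) \d+ ")          # crypto map NAME SEQ ...
MAP_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")  # crypto map NAME interface IF
ISAKMP_ENABLE = re.compile(r"^crypto isakmp enable (\S+)$")   # crypto isakmp enable IF


def audit_l2l(config):
    """Return findings for crypto maps that can never bring up a tunnel:
    defined but not applied, or applied where ISAKMP is not enabled."""
    defined, bound, isakmp_ifaces = set(), {}, set()
    for raw in config.splitlines():
        line = raw.strip()
        entry, bind, enable = MAP_ENTRY.match(line), MAP_BIND.match(line), ISAKMP_ENABLE.match(line)
        if entry:
            defined.add(entry.group(1))
        elif bind:
            bound[bind.group(1)] = bind.group(2)
        elif enable:
            isakmp_ifaces.add(enable.group(1))
    findings = []
    for name in sorted(defined):
        if name not in bound:
            findings.append(f"crypto map {name} is not applied to any interface (missing: crypto map {name} interface <ifname>)")
        elif bound[name] not in isakmp_ifaces:
            findings.append(f"crypto map {name} is applied to {bound[name]} but ISAKMP is not enabled there (missing: crypto isakmp enable {bound[name]})")
    if defined and not isakmp_ifaces:
        findings.append("ISAKMP is not enabled on any interface (missing: crypto isakmp enable <ifname>)")
    return findings
```

Running audit_l2l over a full "show running-config" pasted into a string works the same way; on the STATIC2 excerpt it reports both omissions before the fix and nothing after it.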
