05-19-2021 07:34 AM
Hello I have an ASA 5512 with 9.12(4)18
I want to establish S2S with AWS.
I have two public for the tunnels and the traffic is the same.
The requirement from AWS is that both tunnels are up.
I have configured using virtual interfaces, but only one is up.
I have used this link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200982-ASA-IPsec-VTI-connection-Amazon-Web-Serv.html
Any ideas?
Thanks and regards,
Konstantinos
05-19-2021 11:11 AM - edited 05-20-2021 12:34 AM
The output of "show crypto ipsec sa" isn't for either of the AWS peer addresses, as per the link you attached.
I'm referring to tunnel-groups for each of the AWS peer IP addresses (as defined in the AWS link above); you need to add these.
tunnel-group 52.34.205.227 type ipsec-l2l
tunnel-group 52.34.205.227 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
 isakmp keepalive threshold 10 retry 10
tunnel-group 52.37.194.219 type ipsec-l2l
tunnel-group 52.37.194.219 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
 isakmp keepalive threshold 10 retry 10
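The fix above is to give every VTI peer its own ipsec-l2l tunnel-group. As an added example (not from this thread or from Cisco), here is a small Python check that parses an ASA running-config and lists every Tunnel interface whose "tunnel destination" has no ipsec-l2l tunnel-group carrying an IKE key, which is exactly the state that leaves one tunnel up and the other never negotiating. The sample config is constructed around the two AWS peer addresses above; the interface and profile names are made up.

```python
import re
from typing import Dict, List

# Constructed sample ASA config (not from the thread): two VTIs to the AWS peers
# given above, but only the first peer has a tunnel-group, as in the original post.
SAMPLE_CONFIG = """\
interface Tunnel1
 tunnel source interface outside
 tunnel destination 52.34.205.227
 tunnel protection ipsec profile AWS-PROFILE
interface Tunnel2
 tunnel source interface outside
 tunnel destination 52.37.194.219
 tunnel protection ipsec profile AWS-PROFILE
tunnel-group 52.34.205.227 type ipsec-l2l
tunnel-group 52.34.205.227 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group each indented ASA sub-command under its top-level command line."""
    blocks: Dict[str, List[str]] = {}
    head = None
    for line in config.splitlines():
        if line.startswith(" ") and head is not None:
            blocks[head].append(line.strip())
        elif line.strip():
            head = line.strip()
            blocks.setdefault(head, [])
    return blocks

def vtis_missing_tunnel_group(config: str) -> List[str]:
    """'TunnelN -> peer' for every VTI whose peer lacks an ipsec-l2l tunnel-group
    with an IKE key; without it the ASA never negotiates with that peer."""
    blocks = parse_blocks(config)
    l2l, keyed = set(), set()
    for head, body in blocks.items():
        if m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", head):
            l2l.add(m.group(1))
        if (m := re.match(r"tunnel-group (\S+) ipsec-attributes$", head)) and any(
                re.match(r"ikev[12] (pre-shared-key|local-authentication|remote-authentication)", s) for s in body):
            keyed.add(m.group(1))
    problems = []
    for head, body in blocks.items():
        vti = re.match(r"interface (Tunnel\d+)$", head)
        dest = next((s.split()[2] for s in body if s.startswith("tunnel destination ")), None)
        if vti and dest and dest not in (l2l & keyed):
            problems.append(f"{vti.group(1)} -> {dest}")
    return sorted(problems)
```

Run it against the text of "show running-config"; an empty list means every VTI peer has a keyed tunnel-group, and anything listed is a peer the ASA will never negotiate with.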
05-19-2021 07:51 AM - edited 05-19-2021 08:10 AM
@kostasthedelegate wrote:
I have two public for the tunnels and the traffic is the same.
You have two public what? Are you referring to two public IP addresses on the ASA?
On the ASA, VPN traffic is terminated on the IP address assigned to a physical interface; do you have two outside interfaces?
The example you provided sourced traffic from the same source interface, but to two different destination IP addresses.
Provide your ASA configuration and the output of "show crypto ipsec sa".
05-19-2021 08:52 AM
05-19-2021 08:57 AM - edited 05-19-2021 09:00 AM
Ok, please provide the configuration and the output of "show crypto ipsec sa" and "show route".
05-19-2021 10:28 AM - edited 05-25-2021 10:13 PM
05-19-2021 10:35 AM
Is that all of it? I don't see the 2 tunnel-groups?
Output of "show crypto ipsec sa"???
05-19-2021 11:03 AM
It is in the attached crypto.txt.
The tunnel is configured on the interfaces tunnel1 and tunnel2.
05-20-2021 06:14 AM
You saved me.
I thought I had fixed it, but possibly I had not saved it.
It works now. I fixed the routing and both are up.
Thank you for the support.
Regards,
Konstantinos