Two same tunnels up

Hello, I have an ASA 5512 with 9.12(4)18.

 

I want to establish S2S with AWS. 

I have two public for the tunnels and the traffic is the same. 

The requirement from AWS is that both tunnels are up. 

I have configured using virtual interfaces, but only one is up.

 

I have used this link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/200982-ASA-IPsec-VTI-connection-Amazon-Web-Serv.html

 

Any ideas?

 

Thanks and regards, 

Konstantinos



@kostasthedelegate wrote:

> I have two public for the tunnels and the traffic is the same.

You have two public what? Are you referring to two public IP addresses on the ASA?

On the ASA VPN traffic is terminated on the IP address assigned to a physical interface, do you have two outside interfaces?

 

The example you provided sourced traffic from the same source interface, but to two different destination IP addresses.

 

Provide your ASA configuration and the output of "show crypto ipsec sa"

Hello @Rob Ingram 

 

My bad!
The two public IPs are on the destination.

I have one public IP on my end.

Ok, please provide the configuration and the output of "show crypto ipsec sa" and "show route"

Hello, 

 

I have attached the output of the crypto.



Is that all of it? I don't see the 2 tunnel-groups.

 

Output of "show crypto ipsec sa"???

It is in the attached crypto.txt.

The tunnels are configured on the interfaces tunnel1 and tunnel2.

The output of "show crypto ipsec sa" isn't for either of the AWS peer addresses, as per the link you attached.

 

I'm referring to tunnel-groups for each of the AWS peer IP addresses (as defined in the AWS link above); you need to add these.

 

tunnel-group 52.34.205.227 type ipsec-l2l
tunnel-group 52.34.205.227 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
 isakmp keepalive threshold 10 retry 10
tunnel-group 52.37.194.219 type ipsec-l2l
tunnel-group 52.37.194.219 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
 isakmp keepalive threshold 10 retry 10

 
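The failure mode in this thread (a VTI whose peer has no matching tunnel-group, so IKE never authenticates and only one tunnel comes up) is easy to catch by reading the running-config before you open a ticket. The script below is an added example, not part of the thread and not Cisco or AWS code: it parses a copy of "show running-config" text, pairs every "interface TunnelN" with its "tunnel destination", and reports any peer that lacks a "tunnel-group <peer> type ipsec-l2l" with a pre-shared key under ipsec-attributes. The sample config is constructed for the example; the two peer addresses are the ones quoted in the answer above, and the function names are the example's own.

```python
"""Audit an ASA running-config for VTI peers that have no usable tunnel-group.

Added example for this thread, not Cisco/AWS code. SAMPLE_CONFIG is constructed;
only the two AWS peer addresses are taken from the accepted answer.
"""
import re

# Constructed sample: two VTIs, but only the first peer has its tunnel-group.
SAMPLE_CONFIG = """\
interface Tunnel1
 nameif AWS-T1
 ip address 169.254.1.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 52.34.205.227
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS
!
interface Tunnel2
 nameif AWS-T2
 ip address 169.254.2.2 255.255.255.252
 tunnel source interface outside
 tunnel destination 52.37.194.219
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS
!
tunnel-group 52.34.205.227 type ipsec-l2l
tunnel-group 52.34.205.227 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
 isakmp keepalive threshold 10 retry 10
"""

# Same config with the missing second tunnel-group added (the fix from the thread).
FIXED_CONFIG = SAMPLE_CONFIG + """\
tunnel-group 52.37.194.219 type ipsec-l2l
tunnel-group 52.37.194.219 ipsec-attributes
 ikev1 pre-shared-key xxxxxx
 isakmp keepalive threshold 10 retry 10
"""


def parse_vti_destinations(config):
    """Return {interface_name: peer_ip_or_None} for every 'interface TunnelN' block."""
    vtis = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (Tunnel\d+)\s*$", line)
        if m:
            current = m.group(1)
            vtis.setdefault(current, None)
            continue
        if current and line.startswith(" "):
            m = re.match(r"^\s+tunnel destination (\S+)", line)
            if m:
                vtis[current] = m.group(1)
        elif not line.startswith(" "):
            current = None  # any non-indented line ('!' or a new section) ends the block
    return vtis


def parse_tunnel_groups(config):
    """Return {peer: {'type': str|None, 'psk': bool}} from the tunnel-group lines."""
    groups = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^tunnel-group (\S+) type (\S+)", line)
        if m:
            groups.setdefault(m.group(1), {"type": None, "psk": False})["type"] = m.group(2)
            current = None
            continue
        m = re.match(r"^tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, {"type": None, "psk": False})
            continue
        if current and line.startswith(" "):
            # 'ikev1 pre-shared-key ...' or 'ikev2 remote-/local-authentication pre-shared-key ...'
            if re.match(r"^\s+ikev[12] .*pre-shared-key", line):
                groups[current]["psk"] = True
        elif not line.startswith(" "):
            current = None
    return groups


def audit(config):
    """One finding per VTI whose peer is not a fully defined ipsec-l2l tunnel-group."""
    findings = []
    groups = parse_tunnel_groups(config)
    for ifname, peer in sorted(parse_vti_destinations(config).items()):
        if peer is None:
            findings.append(f"{ifname}: no 'tunnel destination' configured")
            continue
        tg = groups.get(peer)
        if tg is None:
            findings.append(f"{ifname}: peer {peer} has no tunnel-group (IKE cannot authenticate it)")
        elif tg["type"] != "ipsec-l2l":
            findings.append(f"{ifname}: tunnel-group {peer} type is {tg['type']!r}, expected 'ipsec-l2l'")
        elif not tg["psk"]:
            findings.append(f"{ifname}: tunnel-group {peer} has no pre-shared-key under ipsec-attributes")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, audit(cfg) or ["OK: every VTI peer has an ipsec-l2l tunnel-group with a PSK"])
```

Run it against a saved "show running-config" instead of SAMPLE_CONFIG; a finding for a TunnelN interface means that peer will never pass IKE authentication regardless of what "show crypto ipsec sa" shows. Remember that the check reads the running-config, so a fix that was applied but not yet written to startup-config (the "possibly I had not saved it" case below) will pass here and still be lost on reload.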

@Rob Ingram 

You saved me!

I thought I had fixed it, but possibly I had not saved it.

It works now. I fixed the routing and both are up.

 

Thank you for the support.

Regards, 

Konstantinos