
Unable to bring up Site2Site VPN on 2 ASA's both running 9.8(2)

sabbinanti
Level 1

I have no idea why I can't get these two ASAs. Please find the attached Config. I have listed them as ASA A and ASA B.

ASA A is a 5508X and ASA B is a 5506X.

Some of the IP addresses have been obfuscated. Numbers have been replaced with letters...however they are consistent. For example if 123.321 was changed to RRR.SSS, it would always have been so.

Both systems are synced with an NTP server so the time stamps on the debugs should be accurate.

The Config, the Show Crypto ISAKMP SA and the Show Crypto IKEv1 SA commands, and the results from debugging (debug crypto ikev1 127, debug crypto ipsec 127)

Any help would be greatly appreciated.

Thanks in advance!


Hi,

From the output of "show crypto isakmp sa" both ASAs have initiated a VPN, but the state is "MM_WAIT_MSG2" which indicates the ASA is awaiting a response from the peer.

Can the ASAs ping each other?

Could there be a device in the path of the ASAs blocking UDP/500?

HTH
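
The comparison made in the reply above, as an added example that is not part of the original thread: it parses `show crypto isakmp sa` output from both ends and reports whether each ASA is an initiator stuck in MM_WAIT_MSG2 toward the other. The sample output is constructed (the thread's attachments are not on the page), the addresses are documentation-range placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the ASA "show crypto isakmp sa" layout.
# Assumed addressing: ASA A = 203.0.113.1, ASA B = 198.51.100.2 (placeholders).
ASA_A = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.2
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

There are no IKEv2 SAs
"""
ASA_B = ASA_A.replace("198.51.100.2", "203.0.113.1")

# One SA record spans three lines; \s+ also matches the line breaks.
SA_RE = re.compile(
    r"IKE Peer:\s*(?P<peer>\S+)\s+"
    r"Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s+"
    r"Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)")

def parse_sas(text):
    """Return one dict per IKEv1 SA found in the command output."""
    return [m.groupdict() for m in SA_RE.finditer(text)]

def stalled_initiators(text):
    """Peers this ASA initiated to and is still awaiting a response from."""
    return [sa["peer"] for sa in parse_sas(text)
            if sa["role"] == "initiator" and sa["state"] == "MM_WAIT_MSG2"]

def diagnose(ip_a, out_a, ip_b, out_b):
    """Compare both ends of the tunnel.

    'both-unanswered' means each ASA is waiting on the other, so the
    reply's questions (reachability, UDP/500 in the path) are the next checks.
    """
    a_waits_b = ip_b in stalled_initiators(out_a)
    b_waits_a = ip_a in stalled_initiators(out_b)
    if a_waits_b and b_waits_a:
        return "both-unanswered"
    return "one-way" if (a_waits_b or b_waits_a) else "no-stall"
```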

Thanks for the response. Between them is the public Internet. I can run IPSec VPN (RA) through each Firewall. So I don’t think there is anything blocked. 

Thanks in advance.