VPN not initiated and no debug logs

AZaburdyayev
Level 1

Good day everyone. I am facing a strange issue: my IPsec tunnel won't initialise.
My setup is as follows:
1. HQ ASA 5515 - 9.8(2)38, Security Plus license
2. BO ASA 5510 - 9.1(7)32, Base license
On both sides I configured an L2L IPsec VPN. Both sides have connectivity and are able to ping each other.
Both sides have strong encryption.

I try to initiate the VPN from the HQ side by pinging a host in the BO, but I do not get a response (though I expect one).
I created a capture on the ASA and I see my ping requests on the internal side (inside interface). On the outside interface I do not see packets to the BO ASA; I checked this by creating a capture.
The VPN was configured in a text file first (to check all parameters) and then moved to the device. After all that I rebooted both devices. Still no VPN connectivity and no logs in debug:
deb crypto ikev2 protocol 7
deb crypto ipsec 7
Nothing is logged to the console. term mon is enabled and logging monitor debug is set.

It seems I did not configure something, but I do not see any errors.
Any suggestions?

Accepted Solution

Hi,
You haven't included it in your configuration output, but can you please check whether the ikev2 protocol is enabled in your group policy and whether ikev2 is enabled on the outside interface, e.g.:

group-policy x.x.x.x attributes
vpn-tunnel-protocol ikev2

crypto ikev2 enable OUTSIDE

If you do have this configured, please run packet-tracer and upload the output.

HTH

I have the following in the config:

crypto ikev2 enable outside

group-policy HQ-TUNNEL internal
group-policy HQ-TUNNEL attributes
vpn-idle-timeout 3600
vpn-tunnel-protocol ikev2
pfs enable

tunnel-group HQ_PUBLIC_IP general-attributes
default-group-policy HQ-TUNNEL

God bless packet-tracer. My issue was in the access list on the inside interface. All hosts with internet access were routed through the secondary internet link (and did not initiate the VPN), and hosts without internet access and with access to the secondary LAN were dropped.

Deepak Kumar
VIP Alumni

Hi,

From the configuration mentioned, it looks like crypto ikev2 is not enabled on the outside interface. Is it?

Regards,
Deepak Kumar,