02-26-2013 12:54 AM
Dear All,
I have an ASA-5510 configured for site-to-site VPN and I have created 4 VPN connections to 4 different sites. Before, I had finished 3 connections and all of them worked, but after I added one more connection to another site, I got an error. When I use the command "show run crypto isakmp", nothing is shown for any policy that I had configured before, which makes it difficult for me to identify the problem. When I run the debug command, it shows something like a mismatch with the crypto isakmp policy. Does anyone know about this? Please help me with a key idea.
Warm regards,
Ping
02-26-2013 01:00 AM
Hi,
Can't say I have ever run into this problem. Specifically, that some "show run" command would stop working?
You wouldn't by any chance have updated your firewall from software 8.2 (or below) to 8.3 (or newer)? After that the command would be "show run crypto ikev1".
The command "show run crypto" should also list all your Phase1 policies on the ASA firewall. Can you try that?
If you get a problem with the 4th connection regarding the Phase1 policy, I would suggest checking with the remote end whether they truly have the Phase1 policy that you have decided on for the connection.
The ASA doesn't really pair a certain Phase1 policy with a certain L2L VPN connection. All the Phase1 policies are gone through in the priority order you have configured on the ASA, and they are gone through until a match is found or the negotiation fails because no matching Phase1 policy was found between the VPN peers.
- Jouni
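An added illustration of the Phase1 selection order Jouni describes (this is example code written for this thread, not anything from the ASA or from Cisco): the ASA keeps one global, priority-ordered list of "crypto isakmp policy" entries, none of them tied to a peer or a crypto map entry, and the first policy whose attributes equal the peer's proposal is used. The sample policy text below is constructed to mirror the two policies posted later in the thread; the peer proposals are constructed too, and the parser assumes the ASA 8.2 "show run" layout.

```python
# Example: IKEv1 Phase 1 policy selection, walked in ASA priority order.
# Lifetime is deliberately not compared for equality: the peers negotiate it
# down to the shorter value, so it does not by itself cause a policy mismatch.

NEGOTIATED = ("authentication", "encryption", "hash", "group")

# Constructed sample mirroring the two policies shown later in the thread.
SAMPLE_POLICIES = """\
crypto isakmp policy 4
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 6
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 28800
crypto isakmp enable outside
"""

# Constructed peer proposals (hypothetical remote ends).
PEER_GROUP2 = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "2"}
PEER_GROUP5 = {"authentication": "pre-share", "encryption": "3des", "hash": "sha", "group": "5"}
PEER_AES = {"authentication": "pre-share", "encryption": "aes", "hash": "sha", "group": "2"}


def parse_isakmp_policies(config_text):
    """Return [(priority, {attribute: value})] from 'crypto isakmp policy N' blocks."""
    policies, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto isakmp policy "):
            current = {}
            policies.append((int(line.split()[-1]), current))
        elif line.startswith("crypto ") or not line:
            current = None  # any other top-level command ends the policy block
        elif current is not None:
            key, _, value = line.partition(" ")
            current[key] = value
    return policies


def select_policy(policies, proposal):
    """Walk the local policies from the lowest priority number upward and return
    (priority, policy) for the first one whose negotiated attributes all equal
    the peer's proposal. None is the 'no matching policy' failure seen in debug."""
    for prio, pol in sorted(policies, key=lambda p: p[0]):
        if all(pol.get(a) == proposal.get(a) for a in NEGOTIATED):
            return prio, pol
    return None


def explain_mismatch(policies, proposal):
    """Troubleshooting aid: for each local policy, the attributes that differ
    from the proposal as (local, proposed) pairs."""
    return {
        prio: {a: (pol.get(a), proposal.get(a)) for a in NEGOTIATED if pol.get(a) != proposal.get(a)}
        for prio, pol in sorted(policies, key=lambda p: p[0])
    }


if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_POLICIES)
    for name, proposal in (("group2", PEER_GROUP2), ("group5", PEER_GROUP5), ("aes", PEER_AES)):
        chosen = select_policy(pols, proposal)
        print(name, "->", chosen[0] if chosen else explain_mismatch(pols, proposal))
```

Run against the sample, a peer offering 3DES/SHA/group 2 lands on policy 4 and one offering group 5 on policy 6, while a peer offering AES matches nothing; the mismatch report then shows which attribute each local policy disagrees on, which is the comparison to do with the remote end as Jouni suggests.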
02-26-2013 01:11 AM
Share Config that might Help
02-26-2013 01:25 AM
Dear JouniForss,
I already tried "show run crypto"; it showed only the crypto map and some other configuration, but not any policy number that I need. Please check below what I have on my ASA.
#show run crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address IMTELCO_to_Smart
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 5 match address IMTELCO_to_Hello
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside-map 6 match address IMTELCO_to_f1soft
crypto map outside-map 6 set peer x.x.x.x
crypto map outside-map 6 set transform-set ESP-3DES-SHA
crypto map outside-map 6 set security-association lifetime seconds 86400
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
crypto map outside-map 20 set security-association lifetime seconds 3600
crypto map outside-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
02-26-2013 01:30 AM
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
(Missing) crypto map outside-map 20 set transform-set
crypto map outside-map 20 set security-association lifetime seconds 3600
Do Rate Helpful Posts
02-26-2013 01:31 AM
Hi,
That command should list the "crypto isakmp policy" configurations if there are any on the ASA.
I can't think of a reason for it not showing them unless it's some sort of bug. What is your ASA software?
If you simply use the "show run" command, can you see any of them?
Are all the previous L2L VPN connections working? They shouldn't be working if you don't have any Phase1 policies configured.
- Jouni
02-26-2013 01:40 AM
Hello ,
This is my updated configuration on my ASA; please note that my ASA-5510 is version 8.2.
ImtelcoASA2# show running-config crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
ImtelcoASA2# show running-config crypto
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 4 match address IMTELCO_to_Smart
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 5 match address IMTELCO_to_Hello
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside_map 5 set security-association lifetime seconds 28800
crypto map outside-map 6 match address IMTELCO_to_f1soft
crypto map outside-map 6 set peer x.x.x.x
crypto map outside-map 6 set transform-set ESP-3DES-SHA
crypto map outside-map 6 set security-association lifetime seconds 86400
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
crypto map outside-map 20 set transform-set ESP-3DES-SHA
crypto map outside-map 20 set security-association lifetime seconds 3600
crypto map outside-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
ImtelcoASA2#
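A small configuration check, added here as example code written for this thread (not an ASA or Cisco tool), that catches the kind of gap pointed out above: a crypto map entry without a "set transform-set", a crypto map name that is never applied to an interface, and a crypto section with no "crypto isakmp policy" block at all. The embedded sample is a condensed copy of the first config posted in the thread, with the poster's x.x.x.x placeholders kept; note that it uses two map names, outside_map and outside-map, and only outside-map is bound to the interface. The sub-command names checked are assumed from the ASA 8.2 syntax shown in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: condensed from the crypto section first posted in the thread
# (peer addresses left as the poster's x.x.x.x placeholders).
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-md5-hmac
crypto map outside_map 4 match address IMTELCO_to_Smart
crypto map outside_map 4 set peer x.x.x.x
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map 5 match address IMTELCO_to_Hello
crypto map outside_map 5 set peer x.x.x.x
crypto map outside_map 5 set transform-set ESP-3DES-SHA
crypto map outside-map 6 match address IMTELCO_to_f1soft
crypto map outside-map 6 set peer x.x.x.x
crypto map outside-map 6 set transform-set ESP-3DES-SHA
crypto map outside-map 20 match address IMTELCO-to-Metfone
crypto map outside-map 20 set pfs
crypto map outside-map 20 set peer x.x.x.x
crypto map outside-map 20 set security-association lifetime seconds 3600
crypto map outside-map interface outside
crypto isakmp identity address
crypto isakmp enable outside
"""

# Sub-commands every L2L crypto map entry needs before Phase 2 can be built.
REQUIRED = ("match address", "set peer", "set transform-set")

ENTRY_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set \S+)(?: (.*))?$")
BIND_RE = re.compile(r"crypto map (\S+) interface (\S+)$")
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) ")
POLICY_RE = re.compile(r"crypto isakmp policy \d+$")


def parse_crypto(config_text):
    """Collect crypto map entries, interface bindings, transform-set names and
    whether any ISAKMP (Phase 1) policy exists, from 'show run crypto' text."""
    entries = defaultdict(dict)  # (map name, sequence) -> {sub-command: argument}
    bound = {}                   # map name -> interface it is applied to
    transform_sets = set()
    has_policy = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            entries[(m.group(1), int(m.group(2)))][m.group(3)] = m.group(4) or ""
        elif m := BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := TS_RE.match(line):
            transform_sets.add(m.group(1))
        elif POLICY_RE.match(line):
            has_policy = True
    return entries, bound, transform_sets, has_policy


def lint_crypto(config_text):
    """Return a sorted list of (code, detail) findings for the crypto section."""
    entries, bound, transform_sets, has_policy = parse_crypto(config_text)
    findings = []
    for (name, seq), subs in entries.items():
        for req in REQUIRED:
            if req not in subs:
                findings.append(("MISSING_SUBCOMMAND", f"{name} {seq}: no '{req}'"))
        ts = subs.get("set transform-set")
        if ts and ts not in transform_sets:
            findings.append(("UNKNOWN_TRANSFORM_SET", f"{name} {seq}: {ts} is not defined"))
    for name in sorted({n for n, _ in entries}):
        if name not in bound:
            seqs = sorted(s for n, s in entries if n == name)
            findings.append(("UNBOUND_MAP", f"{name} (entries {seqs}) is not applied to any interface"))
    if not has_policy:
        findings.append(("NO_ISAKMP_POLICY", "no 'crypto isakmp policy' block: Phase 1 cannot negotiate"))
    return sorted(findings)


if __name__ == "__main__":
    for code, detail in lint_crypto(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

On the sample this reports the missing transform-set on entry 20, the absence of any Phase1 policy, and that outside_map (entries 4 and 5) is never applied to an interface. Since an ASA accepts only one crypto map set per interface, the remedy for the last finding is to move those entries under the map name that is bound rather than to bind a second map.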
02-26-2013 01:44 AM
Hi,
If you want to go through the whole Running Configuration of the ASA you can use the command
"sh run | begin crypto isakmp policy"
That should begin showing the configuration when it finds a configuration line matching to "crypto isakmp policy"
Is any of your L2L VPN actually working at the moment?
Does the command "show crypto isakmp sa" show anything?
- Jouni
02-26-2013 01:54 AM
Dear all,
Please check this: it shows nothing, but at my partner's peer their tunnel is up and we can ping each other.
ImtelcoASA2# show run | begin crypto isakmp policy
ImtelcoASA2# show run | begin crypto isakmp policy
ImtelcoASA2# sho
ImtelcoASA2# show cryp
ImtelcoASA2# show crypto is
ImtelcoASA2# show crypto isakmp sa
There are no isakmp sas
ImtelcoASA2#
02-26-2013 02:48 AM
Hi,
I'm not quite sure what the situation is.
You have no isakmp SAs, which would mean the current device doesn't have ANY VPN connections active at the moment.
And if everything is working it should mean that the VPN connections are on some other device than this ASA in question.
- Jouni
02-26-2013 02:51 AM
There's nothing unusual in it. The ISAKMP SA may time out after the tunnel is established and the lifetime of the ISAKMP SA has expired. So you may have situations where IPsec SAs, which are used for actual traffic protection, are established and at the same time there are no ISAKMP SAs.
02-26-2013 02:54 AM
I would imagine seeing something with the "show crypto isakmp sa" output if you have an Active L2L VPN or IPsec VPN Client connection.
For example one of our devices currently has 20 Active L2L VPN connections and naturally also 20 matching outputs in "show crypto isakmp sa"
- Jouni
02-26-2013 03:06 AM
Jouni, I think it's possible to have an IPsec SA but no ISAKMP SA in the case where the ISAKMP SA lifetime is shorter than the IPsec SA lifetime. Probably it's not a good solution, because the IPsec rekey may fail if by the time of the rekey there's no ISAKMP SA, but it might happen.
02-26-2013 05:32 PM
Hello every ONE,
So what is going on with my connection? What should I do next? Do I have any wrong point that needs to change? Please, everyone, tell me what the solution is for the current situation.
Warm regards,
Ping
02-26-2013 07:22 PM
Hello Everyone,
Now I got one up, but only one came up. After I recreated the crypto isakmp policy for all 4 connections and then tried to show the policies again, actually it showed only 2 policies, and then it is just working for one peer, as shown below:
#show run crypto isakmp policy
crypto isakmp policy 4
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 6
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 28800
ImtelcoASA2# show vpn-sessiondb
Active Session Summary
Sessions:
Active : Cumulative : Peak Concurrent : Inactive
SSL VPN : 0 : 0 : 0
Clientless only : 0 : 0 : 0
With client : 0 : 0 : 0 : 0
Email Proxy : 0 : 0 : 0
IPsec LAN-to-LAN : 1 : 423 : 2
IPsec Remote Access : 0 : 0 : 0
VPN Load Balancing : 0 : 0 : 0
Totals : 1 : 423
License Information:
IPsec : 250 Configured : 250 Active : 1 Load : 0%
SSL VPN : 2 Configured : 2 Active : 0 Load : 0%
Active : Cumulative : Peak Concurrent
IPsec : 1 : 423 : 2
SSL VPN : 0 : 0 : 0
AnyConnect Mobile : 0 : 0 : 0
Linksys Phone : 0 : 0 : 0
Totals : 1 : 423
Tunnels:
Active : Cumulative : Peak Concurrent
IKE : 1 : 423 : 2
IPsec : 1 : 16 : 1
Totals : 2 : 439
Active NAC Sessions:
No NAC sessions to display
Active VLAN Mapping Sessions:
No VLAN Mapping sessions to display
ImtelcoASA2#
ImtelcoASA2# show crypto isakmp
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: x.x.x.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Does anyone have any idea? Please share if you have.
Warm regards,
Ping