04-14-2015 06:40 PM
Hi ALL,
I am facing an issue where the VPN goes down after running for a few hours.
It happens after migrating to a new WAN connection.
It goes back to normal if I revert to the existing WAN connection.
I found that it shows a different encryption and hash from what I configured.
asa(config)# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
asa(config)# sh cry
asa(config)# sh crypto is
asa(config)# sh crypto isakmp sa det
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 185.146.223.162
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
Kindly advise.
Thank you
04-19-2015 10:43 PM
Hi ALL,
Can anybody help?
Thank you.
04-20-2015 12:24 AM
Hi,
The status of your IKEv1 SA (MM_WAIT_MSG2) means it wasn't successful.
You should see "MM_ACTIVE" for an established IPsec VPN peering.
Did you configure the new public IP address on the remote VPN peer in its crypto map?
Kindly post sanitized configs from both VPN peers.
04-20-2015 10:01 AM
Hello,
If 218.98.128.178 is the new IP, your local ASA is still pointing at 185.146.223.162.
You need to change the configuration of the tunnel on your side.
Remember to create the tunnel-group and change the peer on the crypto map.
Let me know if that helps.
04-20-2015 10:19 AM
Hi,
185.186.223.162 is the remote peer IP address.
Attached is the branch ASA config.
The remote site is HQ, which is using a SonicWALL.
218.98.128.178 is the current public IP, which works fine for the VPN.
For the new public IP, I only changed the interface vlan 2 IP address and the default route.
As for the remote site, I will point it to the new IP.
But I have a VPN issue after migrating to the new public IP.
04-20-2015 10:23 AM
Hi,
Enable crypto on the outside interface:
crypto map outside_map interface outside
04-20-2015 10:28 AM
Hi,
Sorry, I accidentally deleted it in the attached file. Actually it is there.
04-20-2015 10:34 AM
Well, the configuration on your side looks good, but you are sending the request and the reply is not coming back.
Is the SonicWALL already pointing at 218.98.128.178? Make sure it also supports 3DES and MD5 for phase 1.
04-20-2015 10:37 AM
Also, your next-hop IP is probably not right:
route outside 0.0.0.0 0.0.0.0 219.95.126.177 1
Can you ping 4.2.2.2 from the ASA?
04-20-2015 10:45 AM
Hi,
It is correct.
I can ping.
route outside 0.0.0.0 0.0.0.0 218.98.128.177 1
04-20-2015 11:21 AM
OK, I guess the config was just not updated.
What the command shows is not the problem.
Let's get a capture:
cap cap interface outside match ip host 218.98.128.178 host 185.146.223.162
Try to send traffic in order to bind the tunnel and get:
#show cap cap
Then also export the capture: https://218.98.128.178/capture/cap/pcap
Save it and attach it here.
What we are probably going to see is one-way traffic. Probably the peer does not know how to get to 218.98.128.178, or the ISP could be blocking UDP 500.
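As an added example (not code from any poster in this thread), the triage above can be applied to the saved text of "show cap cap": count IKE packets (UDP 500/4500) per direction between the two peers and report whether the traffic is one-way, which is what MM_WAIT_MSG2 on the initiator predicts. The capture line layout and the sample lines are assumptions/constructed.

```python
import re
from collections import Counter

# One line of ASA "show capture <name>" output for a UDP packet, e.g.
#   1: 10:01:23.123456 218.98.128.178.500 > 185.146.223.162.500:  udp 312
# Layout reconstructed from memory (assumption); only "src.sport > dst.dport: udp len" is used.
PKT_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)\s+>\s+"
    r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+):\s+udp\s+(\d+)"
)
ISAKMP_PORTS = {500, 4500}  # IKE, and IKE over NAT-T

def parse_capture(text):
    """Return (src, sport, dst, dport, length) tuples for each UDP line."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.search(line)
        if m:
            src, sport, dst, dport, length = m.groups()
            packets.append((src, int(sport), dst, int(dport), int(length)))
    return packets

def diagnose_ike(packets, local_ip, peer_ip):
    """Count IKE packets per direction and say what the pattern suggests."""
    counts = Counter()
    for src, sport, dst, dport, _ in packets:
        if not {sport, dport} & ISAKMP_PORTS:
            continue  # not IKE, ignore (ESP/other traffic)
        if src == local_ip and dst == peer_ip:
            counts["out"] += 1
        elif src == peer_ip and dst == local_ip:
            counts["in"] += 1
    if counts["out"] and not counts["in"]:
        verdict = "one-way: MM1 leaves, no reply (peer routing or UDP 500 filtered)"
    elif counts["in"]:
        verdict = "peer answers: check phase 1 proposal and pre-shared key instead"
    else:
        verdict = "no IKE sent: crypto map not applied or no interesting traffic"
    return counts["out"], counts["in"], verdict

# Constructed sample "show cap cap" output matching the thread's peers and the
# MM_WAIT_MSG2 symptom: three retransmitted MM1 packets, nothing coming back.
SAMPLE = """\
3 packets captured
   1: 10:01:23.123456 218.98.128.178.500 > 185.146.223.162.500:  udp 312
   2: 10:01:33.124001 218.98.128.178.500 > 185.146.223.162.500:  udp 312
   3: 10:01:43.124377 218.98.128.178.500 > 185.146.223.162.500:  udp 312
"""
```

Run `diagnose_ike(parse_capture(SAMPLE), "218.98.128.178", "185.146.223.162")` to get the per-direction counts and the verdict for the sample.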
04-20-2015 10:39 AM
Hi,
It is pointing to the new one.
But when I do sh crypto isakmp sa det
Encrypt : aes-256 Hash : SHA
it shows a different encryption.
Is it normal?