3635 Views, 10 Helpful, 5 Replies

Why i cannot use l2l on our ASA(s) ?

sendtomela1
Level 1

Hi,

I have received a task to configure two ASAs to build site-to-site connections. I used to finish it successfully, but no luck this time, and I don't understand how this happened.

I can input every command, but not this one, on both ASAs:

asa(config)# tunnel-group x.x.x.x type ipsec-l2l
                                                        ^
ERROR: % Invalid input detected at '^' marker.

asa(config)# tunnel-group x.x.x.x ?

configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode

There is no "type". It is not available.

Would you please advise how I can solve this problem? Thanks.

ASA versions:

ASA (A)

Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 7.2(1)

Compiled on Tue 14-Jul-15 22:19 by builders
System image file is "disk0:/asa924-k8.bin"
Config file at boot was "startup-config"

asa up 187 days 22 hours

Hardware: ASA5505, 1024 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 2048MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

ASA (B)

Cisco Adaptive Security Appliance Software Version 9.2(2)4
Device Manager Version 7.3(1)

Compiled on Tue 29-Jul-14 22:39 by builders
System image file is "disk0:/asa922-4-k8.bin"
Config file at boot was "startup-config"

danielASA up 8 days 5 hours

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

5 Replies

The ASA must be in single routed mode in order to configure the tunnel group parameters.

ASA(config)# mode single

When you issue the above command, the ASA reboots. Make sure you back up your config before entering that command:

ASA(config)# copy flash:old_running.cfg startup-config

Hi gpauwen,

Tried but failed.

ASA(config)# mode single
                        ^
ERROR: % Invalid input detected at '^' marker.

Any other hints?

This means that you have already defined the tunnel-group related to IP X.X.X.X.

Execute "show run tunnel-group" and you will be able to see that.


Here is the output from my lab ASA:

ciscoasa(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ciscoasa(config)#
ciscoasa(config)# tunnel-group 1.1.1.1 ?

configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
ciscoasa(config)#
ciscoasa(config)# show run tunnel-group
tunnel-group 1.1.1.1 type ipsec-l2l

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
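The check Dinesh describes, run against "show run tunnel-group" output rather than against the CLI help, can be scripted so that a change is planned from the running config instead of from what "?" offers. The following is an added example, not code from the thread or from Cisco: it parses a constructed sample of "show run tunnel-group" output (the peers 1.1.1.1, 2.2.2.2 and the remote-access group are made up), reports whether a given peer already has a tunnel-group and of which type, and returns only the commands that are still needed. The function names and the "conflict" status string are this example's own choices.

```python
import ipaddress
import re

# Constructed sample of "show run tunnel-group" output (not taken from the thread).
# The "type" line is what makes a later "tunnel-group <peer> type ..." command fail.
SAMPLE_SHOW_RUN = """\
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 2.2.2.2 type remote-access
"""

# Matches the declaration line "tunnel-group <name> type <type>".
TG_TYPE_RE = re.compile(r"^tunnel-group\s+(\S+)\s+type\s+(\S+)\s*$")


def parse_tunnel_groups(show_run):
    """Map each tunnel-group name to its declared type from show-run text."""
    groups = {}
    for line in show_run.splitlines():
        m = TG_TYPE_RE.match(line.strip())
        if m:
            groups[m.group(1)] = m.group(2)
    return groups


def l2l_peer_status(show_run, peer):
    """Return 'missing', 'ready', or 'conflict:<type>' for an L2L peer.

    'ready' means a tunnel-group for the peer exists and is already
    ipsec-l2l, so re-issuing the "type" command is unnecessary (and,
    as seen in the thread, rejected by the parser).
    """
    ipaddress.ip_address(peer)  # raises ValueError for a non-IP peer name
    declared = parse_tunnel_groups(show_run).get(peer)
    if declared is None:
        return "missing"
    if declared == "ipsec-l2l":
        return "ready"
    return "conflict:" + declared


def plan_commands(show_run, peer):
    """Return the configure-mode commands still needed for this peer.

    On a type conflict nothing is returned: the existing group must be
    reviewed by an operator rather than silently replaced.
    """
    status = l2l_peer_status(show_run, peer)
    if status == "missing":
        return [
            "tunnel-group %s type ipsec-l2l" % peer,
            "tunnel-group %s ipsec-attributes" % peer,
        ]
    if status == "ready":
        return ["tunnel-group %s ipsec-attributes" % peer]
    return []


if __name__ == "__main__":
    for peer in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        print(peer, l2l_peer_status(SAMPLE_SHOW_RUN, peer), plan_commands(SAMPLE_SHOW_RUN, peer))
```

Feed the function the real "show run tunnel-group" text captured from the device; for the poster's case the expected result is "ready" for x.x.x.x, which explains why only the general-attributes and ipsec-attributes sub-modes are offered.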

Hello,

Dinesh is probably right on the money.

On a side note, make sure your privilege level is high enough. As an admin, you would usually have level 15.