TCC_2

Core issue

These could be among the reasons for this behavior:

  • An incorrect peer IP address defined in the crypto-map.

  • The same crypto access list might be bound to both crypto-map entries on the Adaptive Security Appliance (ASA). As a result, the second crypto-map entry is never hit, because the traffic meant for the second peer matches the crypto access list bound to the first crypto-map entry.

Resolution

To resolve this issue, verify that:

  • The peer IP is correct.

  • The access lists bound to the separate crypto-map entries are different, so that the relevant access list is hit, as shown:

access-list vpn1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map IPsec_map 10 match address vpn1
crypto map IPsec_map 10 set peer 1.1.1.1
crypto map IPsec_map 10 set transform-set myset
crypto map IPsec_map 11 match address vpn2
crypto map IPsec_map 11 set peer 2.2.2.2
crypto map IPsec_map 11 set transform-set myset
crypto map IPsec_map interface outside

At this point, you should be able to pass traffic.
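The second cause above can be checked offline before a change is pushed. The following is an added example, not Cisco's or the author's code: it orders each crypto map's entries by sequence number and reports any entry whose access list is fully covered by an earlier entry's access list. It goes slightly beyond the page by also catching overlapping networks, not only the same access list bound twice; the function names and the `BROKEN` sample are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: only the "permit ip <net> <mask> <net> <mask>" ACE form shown on this page is parsed.
ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

# Constructed misconfiguration: vpn2 exists, but both entries are bound to vpn1.
BROKEN = """
access-list vpn1 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn2 permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto map IPsec_map 10 match address vpn1
crypto map IPsec_map 10 set peer 1.1.1.1
crypto map IPsec_map 11 match address vpn1
crypto map IPsec_map 11 set peer 2.2.2.2
"""

def parse(config):
    """Return ({acl: [(src_net, dst_net)]}, {map: {seq: {"acl": ..., "peer": ...}}})."""
    acls = defaultdict(list)
    entries = defaultdict(lambda: defaultdict(dict))
    for line in map(str.strip, config.splitlines()):
        if m := ACE_RE.match(line):
            name, src, smask, dst, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
        elif m := MATCH_RE.match(line):
            entries[m[1]][int(m[2])]["acl"] = m[3]
        elif m := PEER_RE.match(line):
            entries[m[1]][int(m[2])]["peer"] = m[3]
    return acls, entries

def shadowed_entries(config):
    """List (map, seq, peer, earlier_seq) for entries an earlier entry always matches first."""
    acls, entries = parse(config)
    findings = []
    for cmap, seqs in entries.items():
        ordered = sorted(seqs)  # the ASA evaluates entries in ascending sequence order
        for i, later in enumerate(ordered):
            aces = acls.get(seqs[later].get("acl"), [])
            for earlier in ordered[:i]:
                prior = acls.get(seqs[earlier].get("acl"), [])
                if aces and all(any(s.subnet_of(ps) and d.subnet_of(pd) for ps, pd in prior)
                                for s, d in aces):
                    findings.append((cmap, later, seqs[later].get("peer"), earlier))
                    break
    return findings
```

Calling `shadowed_entries()` on the text of a saved configuration returns an empty list when every crypto-map entry can still be reached by its own traffic.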

VPN Tunnel End Points

Any end point

VPN Protocols

IPSec

VPN Tunnel Initialization

IPSec session is not established
