ikev1 tunnel stuck in qm_idle, end devices cannot ping

Jiten87
Level 1

Hello,

Diagram and configs are attached.

I have two PCs, one on each end, left to right: 10.1.1.2 and 10.2.2.2. They cannot ping each other, but the tunnels seem established. I think I am missing a NAT? Help!

Thank you.

3 Replies

jacline
Cisco Employee

Your crypto map is not applied to any interfaces. This is your issue.

QM_IDLE is the state you want phase 1 to be in; you can look at phase 2 once the tunnel is established with 'show crypto ipsec sa'.

See more troubleshooting here: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html

On both ASAs I have the statement:

crypto map outside_map interface outside

Does it have to be applied to the physical interface (gi1/1, gi1/2, etc.) itself?

Thank you.

If you are NATting the traffic, then you need a NAT exemption rule for your VPN. Share the full configuration of the ASAs.

crypto ikev1 enable outside
!
object network Local-Lan
 subnet 10.1.1.0 255.255.255.0
!
object network Remote-Lan
 subnet 10.2.2.0 255.255.255.0
!
nat (inside,outside) source static Local-Lan Local-Lan destination static Remote-Lan Remote-Lan no-proxy-arp route-lookup
!

Also share the debugs:

debug crypto condition peer x.x.x.x
debug crypto ikev1
debug crypto ipsec 127

Please do not forget to rate.
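To show why the NAT exemption above matters, here is a small model (added example, not ASA code and not from anyone in the thread) of how the ASA evaluates NAT before consulting the crypto map ACL: the dynamic PAT rule and the outside address 203.0.113.1 are assumptions, since the thread mentions NAT but shows no PAT rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of ASA NAT ordering for VPN-bound traffic.
# Section 1 (twice NAT, where the exemption lives) is evaluated before
# section 2 (object/auto NAT such as dynamic PAT). Placeholder addresses.

@dataclass
class NatRule:
    name: str
    src: ipaddress.IPv4Network     # real source network the rule matches
    dst: ipaddress.IPv4Network     # real destination network the rule matches
    mapped_src: Optional[str]      # None = identity NAT (source unchanged)

# The exemption from the thread: Local-Lan -> Remote-Lan translated to itself.
EXEMPT = NatRule("exempt", ipaddress.ip_network("10.1.1.0/24"),
                 ipaddress.ip_network("10.2.2.0/24"), None)
# Assumed dynamic PAT of the inside LAN to the outside interface address.
PAT = NatRule("pat", ipaddress.ip_network("10.1.1.0/24"),
              ipaddress.ip_network("0.0.0.0/0"), "203.0.113.1")

# Interesting traffic for the crypto map: Local-Lan to Remote-Lan.
CRYPTO_ACL = (ipaddress.ip_network("10.1.1.0/24"),
              ipaddress.ip_network("10.2.2.0/24"))

def apply_nat(rules, src, dst):
    """Return (translated source, name of first matching rule), first match wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return (src if r.mapped_src is None else r.mapped_src), r.name
    return src, None

def matches_crypto_acl(src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return s in CRYPTO_ACL[0] and d in CRYPTO_ACL[1]

def will_be_encrypted(rules, src, dst):
    """NAT runs before the crypto check, so the ACL sees the translated source."""
    new_src, rule = apply_nat(rules, src, dst)
    return matches_crypto_acl(new_src, dst), new_src, rule

if __name__ == "__main__":
    # Without the exemption, PAT rewrites 10.1.1.2 and the ACL no longer matches.
    print(will_be_encrypted([PAT], "10.1.1.2", "10.2.2.2"))
    # With the exemption ahead of PAT, the packet keeps its address and is encrypted.
    print(will_be_encrypted([EXEMPT, PAT], "10.1.1.2", "10.2.2.2"))
```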