Re: ASA Site to Site IP Sec tunnel problem

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Fri, 30 Sep 2011 08:55:03 +0000

Show route? Got outside routes?

Make sure you can ping between the outside interfaces...

Also, I think your nat zero's are not working. Try them again.

You should do the CCNP before you do the CCIE. Seriously.

From: Dinesh Patel [mailto:jedidinesh_at_googlemail.com]
Sent: Friday, September 30, 2011 04:51 AM
To: Joseph L. Brunner
Cc: ccielab_at_groupstudy.com <ccielab_at_groupstudy.com>
Subject: Re: ASA Site to Site IP Sec tunnel problem

Hi All,

I've added "Sysopt connection permit-vpn" to both sides.

I have the following debug:

        asa2# sh debug
        debug crypto ipsec enabled at level 1
        debug crypto isakmp enabled at level 1

I try to ping the remote side loopback:

        asa2# ping 20.0.0.1
        Type escape sequence to abort.
        Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
        ?????
        Success rate is 0 percent (0/5)

I check the crypto:

       asa2# sh crypto isakmp sa
       There are no isakmp sas

Is there any other debug I could enable? I've got a feeling something major is missing but can't put my finger on it.

Rgds
D.

Received on Fri Sep 30 2011 - 08:55:03 ART
