Add "management-access inside" on both ASAs and originate a ping via the
inside interface from either ASA to the other ASA's inside interface and
your tunnel should come up.
Timothy Chin
CCIE #23866
-----Original Message-----
From: Ryan West [mailto:rwest_at_zyedge.com]
Sent: Friday, September 30, 2011 9:03 AM
To: Timothy Chin; Piotr Matusiak; Dinesh Patel
Cc: Joseph L. Brunner; ccielab_at_groupstudy.com
Subject: RE: ASA Site to Site IP Sec tunnel problem
On Fri, Sep 30, 2011 at 05:19:40, Timothy Chin wrote:
>
> You can originate traffic via the inside interface. Try "ping inside 20.0.0.1"
> from asa2. Also do a "debug crypto isakmp 255".
>
> Timothy Chin
> CCIE #23866
>
If you want some more information, you could run a packet-tracer from
the CLI and see if it's hitting your interesting traffic ACL as
expected:
packet-tracer input inside icmp 10.0.0.1 8 0 20.0.0.1 detailed
If you run that command twice or use Timothy's example you should see
where your issue is.
-ryan
Received on Fri Sep 30 2011 - 13:43:11 ART