Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2454
  • Last Modified:

VPN Tunnel ASA

I have set up serveral VPN tunnels in the past but I can't seem to get this one working. It is between a ASA 5520 on my end and a ASA 5510 on the other end. Every thing looks right. I had the other engineer check some things on his end and they also seem right. The weird thing is we set the tunnel for 3DES/MD5 encryption and when I issue the command "sh isakmp sa detail" I get the following information for the tunnel. Any ideas why it would say the encryption is AES-256/SHA?

IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 0
0
wilsj
Asked:
wilsj
  • 4
  • 4
  • 2
2 Solutions
 
Pete LongTechnical ConsultantCommented:
Are you sure the crypto map matches at the other end?
0
 
Pete LongTechnical ConsultantCommented:
Also

>>AM_WAIT_MSG2

Somebody is in aggressive mode? by default Cisco negotiates in Main Mode like so..

hostname# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE <<<<<<<<<<<<<<<<<<
0
 
AugustTenCommented:
The IPSEC tunnel may use 3DES/MD5, it is hard to tell as you only show the ISAKMP attributes...

Can you post some more details?
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
wilsjAuthor Commented:
That is one of the things I asked him to check but he says it is ESP-3des-md5. But could that be a reason it is showing up like that?


>>Somebody is in aggressive mode? by default Cisco negotiates in Main Mode like so..

Yeah I changed to aggresive because his was set to aggresive.
0
 
Pete LongTechnical ConsultantCommented:
0
 
wilsjAuthor Commented:
More details? what command would give you the information that you want to see Augusten?
0
 
wilsjAuthor Commented:
here is what I get when I issue the command "deb crytpo isakmp 10"

lol before I paste I think I may have found the problem.
0
 
AugustTenCommented:
Attach sanitized relevant parts of the configuration or run 'debug crypto isakmp' and 'debug crypto ipsec' and attach the output.
0
 
wilsjAuthor Commented:
yeah the problem was that he gave me the wrong Peer IP. I was able to find this out issuing the deb crypto isakmp 10 command. It showed me trying to bring a tunnel up with one Peer and him trying to initiate another one with a different peer. Thanks for the help guys.
0
 
Pete LongTechnical ConsultantCommented:
:)

ThanQ
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

  • 4
  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now