Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

VPN Tunnel ASA

Posted on 2008-06-25
10
2,213 Views
Last Modified: 2011-04-01
I have set up serveral VPN tunnels in the past but I can't seem to get this one working. It is between a ASA 5520 on my end and a ASA 5510 on the other end. Every thing looks right. I had the other engineer check some things on his end and they also seem right. The weird thing is we set the tunnel for 3DES/MD5 encryption and when I issue the command "sh isakmp sa detail" I get the following information for the tunnel. Any ideas why it would say the encryption is AES-256/SHA?

IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 0
0
Comment
Question by:wilsj
  • 4
  • 4
  • 2
10 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 21865151
Are you sure the crypto map matches at the other end?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21865259
Also

>>AM_WAIT_MSG2

Somebody is in aggressive mode? by default Cisco negotiates in Main Mode like so..

hostname# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE <<<<<<<<<<<<<<<<<<
0
 
LVL 3

Assisted Solution

by:AugustTen
AugustTen earned 50 total points
ID: 21865269
The IPSEC tunnel may use 3DES/MD5, it is hard to tell as you only show the ISAKMP attributes...

Can you post some more details?
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 5

Author Comment

by:wilsj
ID: 21865285
That is one of the things I asked him to check but he says it is ESP-3des-md5. But could that be a reason it is showing up like that?


>>Somebody is in aggressive mode? by default Cisco negotiates in Main Mode like so..

Yeah I changed to aggresive because his was set to aggresive.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 450 total points
ID: 21865286
0
 
LVL 5

Author Comment

by:wilsj
ID: 21865342
More details? what command would give you the information that you want to see Augusten?
0
 
LVL 5

Author Comment

by:wilsj
ID: 21865437
here is what I get when I issue the command "deb crytpo isakmp 10"

lol before I paste I think I may have found the problem.
0
 
LVL 3

Expert Comment

by:AugustTen
ID: 21865458
Attach sanitized relevant parts of the configuration or run 'debug crypto isakmp' and 'debug crypto ipsec' and attach the output.
0
 
LVL 5

Author Comment

by:wilsj
ID: 21865486
yeah the problem was that he gave me the wrong Peer IP. I was able to find this out issuing the deb crypto isakmp 10 command. It showed me trying to bring a tunnel up with one Peer and him trying to initiate another one with a different peer. Thanks for the help guys.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21866091
:)

ThanQ
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Auto Voice Respond from Pilot no from UC560 1 56
Manage ASA using outside IP 14 62
Issue with Cisco 4402 and 1142 LAPs 1 23
not able to to ping server on a switch 1 33
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question