?
Solved

VPN Tunnel ASA

Posted on 2008-06-25
10
Medium Priority
?
2,280 Views
Last Modified: 2011-04-01
I have set up serveral VPN tunnels in the past but I can't seem to get this one working. It is between a ASA 5520 on my end and a ASA 5510 on the other end. Every thing looks right. I had the other engineer check some things on his end and they also seem right. The weird thing is we set the tunnel for 3DES/MD5 encryption and when I issue the command "sh isakmp sa detail" I get the following information for the tunnel. Any ideas why it would say the encryption is AES-256/SHA?

IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : AM_WAIT_MSG2
    Encrypt : aes-256         Hash    : SHA      
    Auth    : preshared       Lifetime: 0
0
Comment
Question by:wilsj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
10 Comments
 
LVL 57

Expert Comment

by:Pete Long
ID: 21865151
Are you sure the crypto map matches at the other end?
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21865259
Also

>>AM_WAIT_MSG2

Somebody is in aggressive mode? by default Cisco negotiates in Main Mode like so..

hostname# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE <<<<<<<<<<<<<<<<<<
0
 
LVL 3

Assisted Solution

by:AugustTen
AugustTen earned 200 total points
ID: 21865269
The IPSEC tunnel may use 3DES/MD5, it is hard to tell as you only show the ISAKMP attributes...

Can you post some more details?
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
LVL 5

Author Comment

by:wilsj
ID: 21865285
That is one of the things I asked him to check but he says it is ESP-3des-md5. But could that be a reason it is showing up like that?


>>Somebody is in aggressive mode? by default Cisco negotiates in Main Mode like so..

Yeah I changed to aggresive because his was set to aggresive.
0
 
LVL 57

Accepted Solution

by:
Pete Long earned 1800 total points
ID: 21865286
0
 
LVL 5

Author Comment

by:wilsj
ID: 21865342
More details? what command would give you the information that you want to see Augusten?
0
 
LVL 5

Author Comment

by:wilsj
ID: 21865437
here is what I get when I issue the command "deb crytpo isakmp 10"

lol before I paste I think I may have found the problem.
0
 
LVL 3

Expert Comment

by:AugustTen
ID: 21865458
Attach sanitized relevant parts of the configuration or run 'debug crypto isakmp' and 'debug crypto ipsec' and attach the output.
0
 
LVL 5

Author Comment

by:wilsj
ID: 21865486
yeah the problem was that he gave me the wrong Peer IP. I was able to find this out issuing the deb crypto isakmp 10 command. It showed me trying to bring a tunnel up with one Peer and him trying to initiate another one with a different peer. Thanks for the help guys.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 21866091
:)

ThanQ
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question