We help IT Professionals succeed at work.

Site to site VPN will not establish betwen 2 asa 5505

Last Modified: 2012-05-05
I am testing with a couple of new asa 5505's to setup a site to site vpn.  The boxes are new, all I did was create a default route and the run the ipsec wizard to create the vpn as in the documentation.  The vpn will not connect.  It doesn't even look like it is trying.  No messages in the log related to a vpn or errors.  Currently I have then on the same lan segment for there outside addresses.  I have 1 test computer hooked to the asa inside ports.  I can browse the internet from both computers.  The vpn just will not establish.  config files are uploaded.  Any help would be appreciated.
Watch Question

which side are you pinging from to try to get the tunnel up?

on asa2 your access list is wrong, run

no access-list outside_1_cryptomap extended permit ip host
no access-list inside_nat0_outbound extended permit ip host
access-list inside_nat0_outbound extended permit ip
access-list outside_1_cryptomap extended permit ip

on both asas, the outside_access_in rule allows ALL traffic.  
no access-list outside_access_in extended permit ip any any

after you do this, try pinging from both directions, then run on both

sh crypto isa sa
sh crypto ipsec sa


I made the changes as suggested by mabutterfield.  Still no VPN.  I tried pinging from both boxes.  i can ping the outside interface of the other box from each network but nothing inside.  I posted updated configs.
Here are the results of the commands, they are the same on both asa's:
ciscoasa# sh crypto isa sa
There are no isakmp sas
ciscoasa# sh crypto ipsec sa
There are no ipsec sas

add the following to asa2

crypto map outside_map 1 match address outside_1_cryptomap

add to both (correct IP first)

tunnel-group xxx.xxx.38.160 ipsec-attributes
peer-id-validate nocheck

double check (be re-entering) your shared keys

retry your ping.  also, to make sure that there's not ICMP that's the problem, try 'telnet  80'

Then re-put the output of
sh crypto ipsec sa
sh crypto isakmp sa


Made changes, opened up icmp.  New configs below. Still no VPN. Tried ping and telnet.

Here are the results of the commands, they are the same on both asa's:
ciscoasa# sh crypto isa sa
There are no isakmp sas
ciscoasa# sh crypto ipsec sa
There are no ipsec sas

Top Expert 2007
This one is on us!
(Get your first solution completely free - no credit card required)


Thanks much.  The vpn is up and running.


Thanks to MrHusy and mabutterfield.  After last change from MrHusy the VPN popped up and I can ping between the workstations.  The outside interfaces are on the same subnet for testing.  I wanted to get it running and then i can change the ip on the outside and in the config.
Thanks again.
Top Expert 2007

You are welcome

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.