Cisco ASA L2L VPN Not Initializing

We have a new Cisco ASA5510 plugged into a new ISP. It is replacing a Cisco 871 on an old ISP. The old 871 has two site-to-site VPN tunnels with a client that need to be moved over to the ASA.

I have not communicated with the far-end yet to move the tunnel. I want to do as much testing as possible on our end first. I am concerned because I have issued the following commands:

asa# debug crypto ipsec 255
asa# debug crypto isakmp 255
asa# debug crypto engine 255
asa# ping 10.217.61.1
Sending 5, 100-byte ICMP Echos to 10.217.61.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

I would expect the ping to fail because the the far-end has not configured the tunnel. My concern is that I see no ISAKMP or IPSEC debug output whatsoever. I would expect to see the ASA attempt to initialize the tunnel, and then fail. The fact that I'm not seeing this makes me think I might have missed some options in the config.

192.168.2.0 is our network. 10.217.0.0 is their network, specifically 10.217.60-63 and 10.217.70-72.

Any ideas?
asdm image disk0:/asdm-508.bin
asdm history enable
: Saved
:
ASA Version 7.0(8) 
!
hostname asa
domain-name xxx.local
enable password *** encrypted
passwd *** encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.30.60.54 255.255.255.248 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.253 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
access-list outside_access_in remark Allow ICMP replies
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in remark Allow ICMP traceroutes
access-list outside_access_in extended permit icmp any any traceroute 
access-list outside_access_in extended permit tcp any host xxx.30.62.161 eq pptp 
access-list outside_access_in extended permit gre any host xxx.30.62.161 
access-list outside_access_in extended permit tcp any host xxx.30.62.162 eq www log errors 
**lots more entries for our servers**
access-list outside_access_in remark xxx-Prod ISAKMP
access-list outside_access_in extended permit udp host yyy.67.186.132 host xxx.30.60.54 eq isakmp 
access-list outside_access_in remark xxx-Prod ESP
access-list outside_access_in extended permit esp host yyy.67.186.132 host xxx.30.60.54 
access-list outside_access_in remark xxx-Staging ISAKMP
access-list outside_access_in extended permit udp host yyy.67.186.135 host xxx.30.60.54 eq isakmp 
access-list outside_access_in remark xxx-Staging ESP
access-list outside_access_in extended permit esp host yyy.67.186.135 host xxx.30.60.54 
access-list outside_access_in extended permit ip 10.217.0.0 255.255.0.0 192.168.2.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.60.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.61.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.62.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.63.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.70.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.71.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.217.72.0 255.255.255.0 
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.60.0 255.255.255.0 
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.61.0 255.255.255.0 
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.62.0 255.255.255.0 
access-list outside_cryptomap_20 extended permit ip 192.168.2.0 255.255.255.0 10.217.63.0 255.255.255.0 
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.70.0 255.255.255.0 
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.71.0 255.255.255.0 
access-list outside_cryptomap_40 extended permit ip 192.168.2.0 255.255.255.0 10.217.72.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
monitor-interface outside
monitor-interface inside
monitor-interface management
asdm image disk0:/asdm-508.bin
asdm history enable
arp timeout 14400
global (outside) 10 69.30.62.160
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) xxx.30.62.161 192.168.2.2 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.162 192.168.2.9 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.163 192.168.2.15 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.164 192.168.2.30 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.165 192.168.2.33 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.166 192.168.2.36 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.167 192.168.2.38 netmask 255.255.255.255 
static (inside,outside) xxx.30.62.168 192.168.2.55 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.30.60.49 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer yyy.67.186.132 
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 40 match address outside_cryptomap_40
crypto map outside_map 40 set peer yyy.67.186.135 
crypto map outside_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 40 set security-association lifetime seconds 28800
crypto map outside_map 40 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp identity address 
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp nat-traversal  20
tunnel-group yyy.67.186.132 type ipsec-l2l
tunnel-group yyy.67.186.132 ipsec-attributes
 pre-shared-key *
tunnel-group yyy.67.186.135 type ipsec-l2l
tunnel-group yyy.67.186.135 ipsec-attributes
 pre-shared-key *
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.186.1.0 255.255.255.0 management
telnet timeout 5
ssh 192.168.2.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd enable management
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny 
  inspect sunrpc 
  inspect xdmcp 
  inspect sip 
  inspect netbios 
  inspect tftp 
  inspect http 
!
service-policy global_policy global
ntp server 206.103.37.2 source outside prefer
smtp-server 192.168.2.9

Open in new window

allegroconmoltoAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

allegroconmoltoAuthor Commented:
I found this odd, as well...
asa# show ipsec sa
 
There are no ipsec sas
asa# show isakmp sa
 
There are no isakmp sas
asa# 

Open in new window

0
allegroconmoltoAuthor Commented:
I discovered the problem - pinging from the ASA itself won't work. I have to ping from one of the 192.168.2.x IPs so that the traffic is crossing the ASA.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.