Railroad asked:

Cisco ASA 5505 Site to Site VPN

Our main office has a Cisco 5505 with the security bundle and unlimited users.  I have a remote office also with a Cisco 5505, except this is the basic model.

I'd like to set up a site-to-site VPN tunnel between the two, so that the remote site can see the domain, access files, etc.

How do I go about doing this?

Thanks in Advance
Railroad (asker):

So I found this guide:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080950890.shtml

Followed it, but no tunnels are created.
Your best bet may be to use the wizard, but remember both sides have to match in some ways, and be mirror images of each other in other ways.  I believe the basic license still supports IPSec, so that shouldn't be an issue for you.  You haven't posted a config, so we don't have much to go on.  If you do decide to post configs, make sure you obscure your public addresses, delete ACLs other than those required for the VPN tunnel, etc.

When you are on the CLI and do "show crypto isakmp sa" what do you see?  
SOLUTION (jon1966, United States): text available to members only.

Here are the configs.  Running the command "show crypto isakmp sa" returns "There are no isakmp sas".

"Client" End
ASA Version 8.2(1) 
!
hostname Client
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.254.0 
access-list 100 extended permit ip 192.168.200.0 255.255.255.0 192.168.20.0 255.255.254.0 
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.20.0 255.255.254.0 
access-list nonat extended permit ip 192.168.200.0 255.255.255.0 192.168.10.0 255.255.254.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer SERVER IP
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 15
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group SERVER IP type ipsec-l2l
tunnel-group SERVER IP ipsec-attributes
 pre-shared-key *
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:07a010b4e15a2cd268669c313c49a06b
: end


"Server" End
ASA Version 8.2(1) 
!
hostname SERVER
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside-tw
 security-level 0
 ip address SERVER IP 255.255.255.240 
!
interface Vlan3
 shutdown
 nameif outside-frontier
 security-level 0
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.254.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!             
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
access-list outside_access_in extended permit icmp any any echo-reply 
access-list 100 extended permit ip 192.168.10.0 255.255.254.0 192.168.200.0 255.255.255.0 
access-list 100 extended permit ip 192.168.20.0 255.255.254.0 192.168.200.0 255.255.255.0 
access-list nonat extended permit ip 192.168.10.0 255.255.254.0 192.168.200.0 255.255.255.0 
access-list nonat extended permit ip 192.168.20.0 255.255.254.0 192.168.200.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
logging host inside 192.168.10.33
mtu outside-tw 1500
mtu outside-frontier 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside-tw) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside-tw
route outside-tw 0.0.0.0 0.0.0.0 GATEWAY 1
route inside 192.168.20.0 255.255.254.0 GATEWAY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address 100
crypto map outside_map 20 set peer CLIENT IP
crypto map outside_map 20 set transform-set myset
crypto map outside_map interface outside-tw
crypto isakmp enable outside-tw
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2      
 lifetime 86400
telnet timeout 5
ssh timeout 15
console timeout 0
dhcpd auto_config outside-tw
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group CLIENT IP type ipsec-l2l
tunnel-group CLIENT IP ipsec-attributes
 pre-shared-key *
!
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5ae9aa47c3289bc46c0822a80ddad19d
: end


Ok, I deleted the hand-built VPN and recreated it via the wizard.  Still doesn't work.

show crypto isakmp sa still returns: There are no isakmp sas
Did you use the wizard on both ASA's?  
Yes
Would you repost both configs please?
In looking at the configs before posting, I noticed some "old hand-entered" lines.  So I reloaded the config from my save before making changes and then rebuilt the VPN via the wizard.  Still not working, but here are my current configs:

CLIENT:
ASA Version 8.2(1) 
!
hostname CLIENT
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!             
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group network OFFICE
 network-object 192.168.10.0 255.255.254.0
 network-object 192.168.20.0 255.255.254.0
access-list outside_1_cryptomap extended permit ip 192.168.200.0 255.255.255.0 object-group OFFICE 
access-list inside_nat0_outbound extended permit ip 192.168.200.0 255.255.255.0 object-group OFFICE 
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer SERVER_IP 
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.200.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group SERVER_IP type ipsec-l2l
tunnel-group SERVER_IP ipsec-attributes
 pre-shared-key *
!
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:facaf804c3cb27ef48285328d4b0d791
: end



SERVER:
ASA Version 8.2(1) 
!
hostname SERVER
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside-tw
 security-level 0
 ip address SERVER_IP 255.255.255.240 
!
interface Vlan3
 shutdown
 nameif outside-frontier
 security-level 0
 no ip address
!
interface Vlan10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.254.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 10
!
interface Ethernet0/3
 switchport access vlan 10
!             
interface Ethernet0/4
 switchport access vlan 10
!
interface Ethernet0/5
 switchport access vlan 10
!
interface Ethernet0/6
 switchport access vlan 10
!
interface Ethernet0/7
 switchport access vlan 10
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
same-security-traffic permit intra-interface
object-group network OFFICE
 network-object 192.168.10.0 255.255.254.0
 network-object 192.168.20.0 255.255.254.0
object-group network REMOTE
 network-object 192.168.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply 
access-list outside-tw_1_cryptomap extended permit ip object-group OFFICE object-group REMOTE
access-list inside_nat0_outbound extended permit ip object-group OFFICE object-group REMOTE 
pager lines 24
logging enable
logging asdm informational
logging host inside 192.168.10.33
mtu outside-tw 1500
mtu outside-frontier 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside-tw) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside-tw
route outside-tw 0.0.0.0 0.0.0.0 GATEWAY 1
route inside 192.168.20.0 255.255.254.0 192.168.10.80 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.254.0 inside
http 192.168.20.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside-tw_map 1 match address outside-tw_1_cryptomap
crypto map outside-tw_map 1 set pfs group1
crypto map outside-tw_map 1 set peer CLIENT_IP
crypto map outside-tw_map 1 set transform-set ESP-3DES-SHA
crypto map outside-tw_map interface outside-tw
crypto isakmp enable outside-tw
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.20.0 255.255.254.0 inside
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 15
console timeout 0
dhcpd auto_config outside-tw
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group CLIENT_IP type ipsec-l2l
tunnel-group CLIENT_IP ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5f1eac80e54845a214f28171b9aa346b
: end


Is there any type of logging I can look at to see what's going on?  Kind of frustrating that Cisco's wizard doesn't work out of the box.
Joris VS:
Hi,

On the client side you'll also need a route outside to get the traffic encrypted.

Joris.
Ignore last comment, I just noticed the dhcp setup.
Try to generate interesting traffic (ping other side) and do a show log on both.

Also, is this a fixed address you get from your ISP's DHCP?
No, this is a true Dynamic.  Although my ISP never changes/adjusts the DHCP server, so I've had the same IP for years. :)

I am simply testing this from my home, which is why it's dynamic.  I have tried the connection from the remote office to the main office, which is static to static.  This isn't working either.

I have tried pinging the other side of the tunnel, but never get a response.  Show Log just returns:

Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: disabled
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 541 messages logged

I have watched the ASDM log and can not see any attempts to connect to the server side IP.

I just changed the ASDM logging to Debug and still don't see any attempts to connect to the server IP.
SOLUTION: text available to members only.

Done... Here's what I see when I ping:

Apr 28 2011 02:02:23 CLIENT : %ASA-7-609001: Built local-host outside:192.168.10.1
Apr 28 2011 02:02:23 CLIENT : %ASA-6-302020: Built outbound ICMP connection for faddr 192.168.10.1/0 gaddr CLIENT_IP/4388 laddr CLIENT_IP/4388
Apr 28 2011 02:02:33 CLIENT : %ASA-5-111008: User 'enable_15' executed the 'ping 192.168.10.1' command.
Apr 28 2011 02:02:33 CLIENT : %ASA-6-302021: Teardown ICMP connection for faddr 192.168.10.1/0 gaddr CLIENT_IP/4388 laddr CLIENT_IP/4388
Apr 28 2011 02:02:33 CLIENT : %ASA-7-609002: Teardown local-host identity:CLIENT_IP duration 0:00:10
Apr 28 2011 02:02:33 CLIENT : %ASA-7-609002: Teardown local-host outside:192.168.10.1 duration 0:00:10


I don't see the SERVER_IP anywhere in the logs.

Is there any way to force the tunnel to try to connect?  BTW, who starts the tunnel, server or client?
Is this from a "ping inside 192.168.10.1"?
That was a ping from the client ASA.  This is the log result, from the ASDM filtering on the SERVER_IP, for a ping from one of the workstations on the client network.

4|Apr 28 2011|09:24:13|713903|||||IP = SERVER_IP, Error: Unable to remove PeerTblEntry
3|Apr 28 2011|09:24:13|713902|||||IP = SERVER_IP, Removing peer from peer table failed, no match!
7|Apr 28 2011|09:24:13|713906|||||IP = SERVER_IP, sending delete/delete with reason message
7|Apr 28 2011|09:24:13|713906|||||IP = SERVER_IP, IKE SA MM:318143d2 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
7|Apr 28 2011|09:24:13|715065|||||IP = SERVER_IP, IKE MM Initiator FSM error history (struct &0xc66a57d0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG-->MM_SND_MSG3, EV_START_TMR-->MM_SND_MSG3, EV_RESEND_MSG-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent
4|Apr 28 2011|09:24:05|713903|||||IP = SERVER_IP, Information Exchange processing failed
5|Apr 28 2011|09:24:05|713904|||||IP = SERVER_IP, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:24:05|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:24:05|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:24:05|713236|||||IP = SERVER_IP, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
4|Apr 28 2011|09:23:57|713903|||||IP = SERVER_IP, Information Exchange processing failed
5|Apr 28 2011|09:23:57|713904|||||IP = SERVER_IP, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:23:57|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:57|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:57|713236|||||IP = SERVER_IP, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
6|Apr 28 2011|09:23:55|713219|||||IP = SERVER_IP, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
6|Apr 28 2011|09:23:50|713219|||||IP = SERVER_IP, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
4|Apr 28 2011|09:23:49|713903|||||IP = SERVER_IP, Information Exchange processing failed
5|Apr 28 2011|09:23:49|713904|||||IP = SERVER_IP, Received an un-encrypted INVALID_COOKIE notify message, dropping
7|Apr 28 2011|09:23:49|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:49|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
7|Apr 28 2011|09:23:49|713236|||||IP = SERVER_IP, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
6|Apr 28 2011|09:23:45|713219|||||IP = SERVER_IP, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
7|Apr 28 2011|09:23:41|713236|||||IP = SERVER_IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NAT-D (130) + NAT-D (130) + NONE (0) total length : 304
7|Apr 28 2011|09:23:41|713906|||||IP = SERVER_IP, computing NAT Discovery hash
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Discovery payload
7|Apr 28 2011|09:23:41|713906|||||IP = SERVER_IP, computing NAT Discovery hash
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Discovery payload
7|Apr 28 2011|09:23:41|715048|||||IP = SERVER_IP, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing VID payload
7|Apr 28 2011|09:23:41|715038|||||IP = SERVER_IP, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
7|Apr 28 2011|09:23:41|715048|||||IP = SERVER_IP, Send IOS VID
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing xauth V6 VID payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing Cisco Unity VID payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing nonce payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing ke payload
7|Apr 28 2011|09:23:41|715064|||||IP = SERVER_IP, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  True
7|Apr 28 2011|09:23:41|715049|||||IP = SERVER_IP, Received Fragmentation VID
7|Apr 28 2011|09:23:41|715047|||||IP = SERVER_IP, processing VID payload
7|Apr 28 2011|09:23:41|715049|||||IP = SERVER_IP, Received NAT-Traversal ver 02 VID
7|Apr 28 2011|09:23:41|715047|||||IP = SERVER_IP, processing VID payload
7|Apr 28 2011|09:23:41|713906|||||IP = SERVER_IP, Oakley proposal is acceptable
7|Apr 28 2011|09:23:41|715047|||||IP = SERVER_IP, processing SA payload
7|Apr 28 2011|09:23:41|713236|||||IP = SERVER_IP, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 128
6|Apr 28 2011|09:23:41|302015|SERVER_IP|500|CLIENT_IP|500|Built outbound UDP connection 2114 for outside:SERVER_IP/500 (SERVER_IP/500) to identity:CLIENT_IP/500 (CLIENT_IP/500)
7|Apr 28 2011|09:23:41|609001|SERVER_IP||||Built local-host outside:SERVER_IP
7|Apr 28 2011|09:23:41|713236|||||IP = SERVER_IP, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 168
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing Fragmentation VID + extended capabilities payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Traversal VID ver RFC payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Traversal VID ver 03 payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing NAT-Traversal VID ver 02 payload
7|Apr 28 2011|09:23:41|715046|||||IP = SERVER_IP, constructing ISAKMP SA payload
5|Apr 28 2011|09:23:41|713041|||||IP = SERVER_IP, IKE Initiator: New Phase 1, Intf inside, IKE Peer SERVER_IP  local Proxy Address 192.168.200.0, remote Proxy Address 192.168.10.0,  Crypto map (outside_map)


Standard L2L tunnel setup allows both to initiate; the easiest place to verify this is ASDM.

To initiate the tunnel you have to ping from the 192.168.200.0 subnet (inside interface) or a PC on that network to one of the "office" IPs.

Once the traffic is verified as "interesting" it will try to build a tunnel.
Are you sure the pre-shared key is the same on both devices?
Ok, so the connection isn't always on, only when it's requested by either end.

So I tried pinging 192.168.10.20 from 192.168.200.90.  The log shows it trying to connect the tunnel.  During the ping attempt I also tried:

CLIENT# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: SERVER_IP
    Type    : user            Role    : initiator 
    Rekey   : no              State   : MM_WAIT_MSG4



None of my pings are successful.
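The ASDM log pasted above and the "show crypto isakmp sa" output are the two artefacts that show how far phase 1 got. Below is an added example (my own code, not part of the thread and not a Cisco tool) that parses rows in ASDM's export format (sev|date|time|msgid|src|sport|dst|dport|text), rebuilds the main-mode exchange in time order, records any unencrypted notify received, and maps the state the initiator timed out in to a rule-of-thumb hint; it also pulls the State field out of "show crypto isakmp sa". The sample rows are constructed to mirror the thread's log with 198.51.100.10 standing in for SERVER_IP, and the HINTS table is a troubleshooting heuristic of mine, not something the ASA reports (in this thread the cause turned out to be a mistyped peer address on the server).

```python
"""Reconstruct IKEv1 main-mode progress from ASA syslog rows in ASDM's export
shape ('sev|date|time|msgid|src|sport|dst|dport|text') and from the output of
'show crypto isakmp sa'. Added example, not part of the thread; the HINTS
table is a troubleshooting rule of thumb, not something the ASA reports."""
import re
from typing import Dict, List, Optional

# Initiator-side main-mode states and what being stuck there usually means.
HINTS = {
    "MM_WAIT_MSG2": "no reply to MM1: peer unreachable, UDP/500 filtered, ISAKMP not "
                    "enabled on the peer's outside interface, or wrong peer address",
    "MM_WAIT_MSG4": "peer answered MM1 but never finished the DH exchange: check that the "
                    "peer's 'set peer'/'tunnel-group' name our real address and that its "
                    "ISAKMP policy matches ours",
    "MM_WAIT_MSG6": "peer did not accept our MM5 authentication: pre-shared key mismatch",
}
FSM_PAIR = re.compile(r"(MM_\w+), (EV_\w+|NullEvent)")


def parse_asdm(lines: List[str]) -> List[Dict]:
    """Split ASDM export rows into dicts, oldest first (ASDM lists newest first)."""
    rows = []
    for ln in lines:
        parts = ln.split("|", 8)
        if len(parts) == 9 and parts[3].isdigit():
            rows.append({"sev": int(parts[0]), "time": f"{parts[1]} {parts[2]}",
                         "id": int(parts[3]), "text": parts[8]})
    return rows[::-1]


def ike_summary(lines: List[str]) -> Dict:
    """Role, peer, payloads sent/received, notifies seen, and where phase 1 stalled."""
    s: Dict = {"role": None, "peer": None, "sent": [], "received": [],
               "notifies": [], "stuck_state": None, "hint": None}
    for r in parse_asdm(lines):
        t = r["text"]
        peer = re.search(r"IP = ([\w.]+)", t)
        if peer and s["peer"] is None:
            s["peer"] = peer.group(1)
        role = re.search(r"IKE (Initiator|Responder): New Phase 1", t)
        if role:
            s["role"] = role.group(1).lower()
        decode = re.search(r"IKE_DECODE (\w+) .*?: (.*?) total", t)
        if r["id"] == 713236 and decode:  # SENDING / RESENDING / RECEIVED payloads
            kind, payloads = decode.groups()
            s["received" if kind == "RECEIVED" else "sent"].append(payloads.strip())
        notify = re.search(r"un-encrypted (\w+) notify", t)
        if r["id"] == 713904 and notify:
            s["notifies"].append(notify.group(1))
        if r["id"] == 715065:  # FSM error history, newest transition first
            states = FSM_PAIR.findall(t)
            timed_out = [st for st, ev in states if ev == "EV_TIMEOUT"]
            s["stuck_state"] = timed_out[0] if timed_out else (states[0][0] if states else None)
    if s["stuck_state"]:
        s["hint"] = HINTS.get(s["stuck_state"], "see Cisco's IKE main-mode state table")
    return s


def isakmp_sa_state(show_output: str) -> Optional[str]:
    """State column of 'show crypto isakmp sa'; None when there are no SAs."""
    m = re.search(r"State\s*:\s*(\S+)", show_output)
    return m.group(1) if m else None


# Constructed sample in ASDM's export format, modelled on the thread's log
# (198.51.100.10 stands in for SERVER_IP); newest row first, as ASDM shows it.
SAMPLE_LOG = [
    "7|Apr 28 2011|09:24:13|715065|||||IP = 198.51.100.10, IKE MM Initiator FSM error history  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG4, EV_TIMEOUT-->MM_WAIT_MSG4, NullEvent-->MM_SND_MSG3, EV_SND_MSG",
    "5|Apr 28 2011|09:24:05|713904|||||IP = 198.51.100.10, Received an un-encrypted INVALID_COOKIE notify message, dropping",
    "7|Apr 28 2011|09:24:05|713236|||||IP = 198.51.100.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68",
    "7|Apr 28 2011|09:23:41|713236|||||IP = 198.51.100.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) + NONE (0) total length : 304",
    "7|Apr 28 2011|09:23:41|713236|||||IP = 198.51.100.10, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 128",
    "7|Apr 28 2011|09:23:41|713236|||||IP = 198.51.100.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 168",
    "5|Apr 28 2011|09:23:41|713041|||||IP = 198.51.100.10, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.10  local Proxy Address 192.168.200.0, remote Proxy Address 192.168.10.0,  Crypto map (outside_map)",
]
SAMPLE_SHOW = """   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
"""

if __name__ == "__main__":
    for k, v in ike_summary(SAMPLE_LOG).items():
        print(f"{k:12} {v}")
    print("show crypto isakmp sa state:", isakmp_sa_state(SAMPLE_SHOW))
```

Feed it the rows from ASDM's log viewer (filtered on the peer address, as was done above) and compare the stalled state with the State column of "show crypto isakmp sa" taken during the same ping; the two should agree, and the responder side should be checked at the same moment, since "There are no isakmp sas" there while the initiator sits in MM_WAIT_MSG4 is itself a clue that the responder never matched the initiator to a tunnel-group.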
ASKER CERTIFIED SOLUTION: text available to members only.

BTW, a "show crypto isakmp sa" command on the server side returns "There are no isakmp sas".

So it still doesn't look like the tunnel is being created.

OK... So I checked all my settings AGAIN.  I had reversed two numbers in one of the client IPs on the server.  Deleted the tunnel and recreated it.  Ping was successful in both directions.

So you can not ping from the actual ASAs?  This may have been my issue all along and why my other VPN "isn't working".  I've deleted the tunnel and recreated it so many times; figures this last time I'd have a typo.

Thank you for your help.
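The early advice in this thread was that the two configs have to match in some ways and mirror each other in others, and the eventual fix was two transposed digits in the peer address on the server. As an added example (my own code, not from the thread or from Cisco), the script below parses the crypto pieces of two ASA 8.2 configs and checks exactly those rules: each side's "set peer" must name an ipsec-l2l tunnel-group and, where the real outside address is known, must equal it; the transform-set algorithms, PFS group and at least one ISAKMP policy must match; and the crypto ACLs must be mirror images. The sample configs are constructed with RFC 5737 documentation addresses and reproduce the swapped-digit typo; the sample() helper and the check_pair() and parse_asa() names are mine.

```python
"""Cross-check two Cisco ASA 8.2 L2L IPsec configs for the 'must match' and
'must mirror' rules. Added example; sample configs use RFC 5737 addresses."""
from typing import Dict, List, Optional

ISAKMP_KEYS = ("authentication", "encryption", "hash", "group")


def parse_asa(text: str) -> Dict:
    """Keep only what an L2L tunnel depends on; everything else is ignored."""
    cfg: Dict = {k: {} for k in ("isakmp", "transform", "maps", "acl", "groups", "tunnel")}
    ctx = None  # (kind, name) of the indented block currently open
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if line.startswith(" ") and ctx:  # sub-command of the open block
            kind, name = ctx
            if kind == "isakmp":
                cfg["isakmp"][name][w[0]] = w[1]
            elif kind == "group" and w[0] == "network-object":
                cfg["groups"][name].append((w[1], w[2]))
            continue
        ctx = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            cfg["isakmp"][w[3]] = {}
            ctx = ("isakmp", w[3])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][w[3]] = tuple(sorted(w[4:]))
        elif w[:2] == ["crypto", "map"] and w[3].isdigit():
            # 'match address ACL' or 'set peer|transform-set|pfs X' (bare 'set pfs' = group2)
            e = cfg["maps"].setdefault((w[2], int(w[3])), {})
            e["acl" if w[4] == "match" else w[5]] = w[6] if len(w) > 6 else "group2"
        elif w[:2] == ["object-group", "network"]:
            cfg["groups"][w[2]] = []
            ctx = ("group", w[2])
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            cfg["acl"].setdefault(w[1], []).append(w[5:])
        elif w[0] == "tunnel-group" and w[2] == "type":
            cfg["tunnel"][w[1]] = w[3]
    return cfg


def expand_acl(cfg: Dict, acl: str) -> set:
    """ACL entries with plain or object-group endpoints -> {(src, mask, dst, mask)}."""
    def ends(tok):
        return cfg["groups"][tok[1]] if tok[0] == "object-group" else [tuple(tok)]
    return {(s, sm, d, dm) for ent in cfg["acl"].get(acl, [])
            for s, sm in ends(ent[:2]) for d, dm in ends(ent[2:4])}


def check_pair(a_text: str, b_text: str, a_public: Optional[str] = None,
               b_public: Optional[str] = None) -> List[str]:
    """Mismatches between A and B; *_public are the real outside addresses if known."""
    a, b = parse_asa(a_text), parse_asa(b_text)
    ea, eb = (next((m for _, m in sorted(c["maps"].items()) if "peer" in m), None)
              for c in (a, b))
    if ea is None or eb is None:
        return ["one side has no crypto map entry with 'set peer'"]
    out: List[str] = []
    for side, cfg, e, other in (("A", a, ea, b_public), ("B", b, eb, a_public)):
        if cfg["tunnel"].get(e["peer"]) != "ipsec-l2l":
            out.append(f"{side}: no 'tunnel-group {e['peer']} type ipsec-l2l'")
        if other and e["peer"] != other:
            out.append(f"{side}: 'set peer {e['peer']}' but the other side is {other}")
    if a["transform"].get(ea.get("transform-set")) != b["transform"].get(eb.get("transform-set")):
        out.append("transform-set algorithms differ")
    if ea.get("pfs") != eb.get("pfs"):
        out.append(f"PFS differs: {ea.get('pfs')} vs {eb.get('pfs')}")
    mirror = {(d, dm, s, sm) for s, sm, d, dm in expand_acl(b, eb.get("acl", ""))}
    if expand_acl(a, ea.get("acl", "")) != mirror:
        out.append("crypto ACLs are not mirror images of each other")
    pa, pb = ({tuple(p.get(k) for k in ISAKMP_KEYS) for p in c["isakmp"].values()} for c in (a, b))
    if not pa & pb:
        out.append("no ISAKMP policy (auth/encryption/hash/group) common to both sides")
    return out


def sample(peer: str, acl: str) -> str:
    """Constructed config fragment in the thread's shape; only peer and crypto ACL vary."""
    return f"""{acl}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer {peer}
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
tunnel-group {peer} type ipsec-l2l
"""


# Client at 203.0.113.75, server at 198.51.100.10; the server's copy of the
# client address has two digits swapped, the typo that ended the thread.
CLIENT_CFG = sample("198.51.100.10", "access-list cryptomap extended permit ip "
                    "192.168.200.0 255.255.255.0 192.168.10.0 255.255.254.0")
SERVER_CFG = sample("203.0.113.57", "object-group network REMOTE\n"
                    " network-object 192.168.200.0 255.255.255.0\n"
                    "access-list cryptomap extended permit ip 192.168.10.0 255.255.254.0 object-group REMOTE")
```

Run it on the real devices by pasting each "show running-config" into check_pair() together with both outside addresses; on a DHCP side the address only exists at run time, so read it from "show interface outside" first. The pre-shared key is masked as * in a saved config and is deliberately not compared here; "more system:running-config" shows it in clear if you need to eyeball both sides.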
You can ping from the ASAs, but you have to use the command "ping inside" to have it build a tunnel, as it needs to be the ASA's inside IP that originates the ping for it to be interesting.

The command to make all VPN traffic allowed is normally enabled by default, so the ASAs should respond to ping for VPN traffic.
Just tried a "ping inside 192.168.10.20" from our remote office ASA; no response.

I tried from a main office workstation to ping 192.168.30.170 (remote office printer) and that worked.

Also, pinging either ASA's inside IP address doesn't work from the other side of the VPN.

The connection is working other than this, which isn't a huge deal.  Thank you!
I only have ASA 8.3 to compare with, but it might be you need to add:
management-access inside
Yes, adding that command corrected the issue.