
Thursday, December 10, 2015

Troubleshooting IPSec Site to Site VPN


State the problem
Identify possibilities
Use the tools to isolate
Correct without causing harm


Issue: a client PC at one site cannot connect to the web server at the other site over the IPsec site-to-site tunnel between ASA1 and ASA2.

Possible causes:
outside interface shut down
no Internet (underlay) connectivity between the two peers
wrong route (traffic to the peer or to the remote subnet never reaches the crypto map)
First step: check connectivity and the logs.

Check whether ASA1 and ASA2 can reach each other.
From ASA2 we are able to ping ASA1, so the outside interfaces are up and the underlay is working.
Enable logging on ASA2 at debug level (7):
logging enable
logging console 7

Try connecting to the web server from the client PC again and watch the console output.
Then turn console logging back off (level 7 on the console is expensive and should not be left on):
no logging console

Let's use ASDM to view the same logs, for clarity's sake.

Real-Time Log Viewer:
launch the connection once again
Error: IKEv2 was unsuccessful at setting up a tunnel. Map tag = outside_map, Map Sequence number = 1

Check the configuration:
On ASA2 the connection profile has both IKEv1 and IKEv2 enabled.
Disable IKEv1, since the tunnel is meant to run IKEv2 only.

Under Advanced -> Tunnel Groups, double-click the connection profile and check the settings.
Remember that a tunnel-group (CLI name) and a connection profile (ASDM name) are the same object.

This looks fine. Let's take a look at the crypto map details:
Advanced -> Crypto Maps -> Tunnel Policy
Enable RRI: reverse route injection is a local policy (it only installs a route for the remote protected network into this ASA's own routing table), so it does not have to match the RRI setting on the other VPN gateway.

Check the IKE policies.
Delete the IKEv1 policies so that only IKEv2 policies remain.

Try launching the connection once again.
Still not able to connect.
Error: negotiation is not happening (no IKEv2 SA is being built with the peer).

Check the details on ASA1; all IKEv2 policies and IPsec proposals must be compatible with those on ASA2.
On ASA1 the IKEv2 IPsec proposal does not match: change its encryption algorithm to the one ASA2 proposes.

Let's launch the connection once again.
Now we have a successful connection.

Result: we need to make sure the IKEv2 policies and the IKEv2 IPsec proposals on both sides are compatible, i.e. the two peers share at least one encryption, integrity, PRF and DH group in the IKEv2 policy and at least one ESP encryption and integrity algorithm in the IPsec proposal.
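The "compare both sides" step above is easy to do by hand for one tunnel and tedious for many. The following script is an added example for this post (not code from the original page or from Cisco): it parses the crypto ikev2 policy and crypto ipsec ikev2 ipsec-proposal stanzas out of two show running-config excerpts and reports whether any compatible pair exists at each layer. The two configs are constructed; the peer addresses, proposal names and crypto map name are assumptions, and the script assumes the stanza layout shown (one-space indented child lines, as the ASA prints them).

```python
"""Compare the IKEv2 policies and IKEv2 IPsec proposals of two Cisco ASA
configurations and report whether a compatible pair exists at each layer.

Added example for this post, not code from the original page or from Cisco.
The configs below are constructed 'show running-config' excerpts; the peer
addresses, proposal names and crypto map name are assumptions."""

import re
from collections import defaultdict

# Constructed excerpt: ASA1 offers only AES-256 for ESP.
ASA1_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256 aes
 integrity sha256 sha
 group 14 5
 prf sha256 sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
"""

# Constructed excerpt: ASA2 offers only AES-128 for ESP, so the proposals do not overlap.
ASA2_CONFIG = """\
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES
crypto map outside_map interface outside
"""

IKEV2_ATTRS = ("encryption", "integrity", "group", "prf")


def parse_ikev2_policies(config):
    """Return {priority: {attr: set(values)}} for every 'crypto ikev2 policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), defaultdict(set))
            continue
        if not line.startswith(" "):      # any other top-level line ends the block
            current = None
            continue
        words = line.split()
        if current is not None and words and words[0] in IKEV2_ATTRS:
            current[words[0]].update(words[1:])   # ASA allows several values per line
    return policies


def parse_ipsec_proposals(config):
    """Return {name: {'encryption': set, 'integrity': set}} for every ikev2 ipsec-proposal."""
    proposals, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            current = proposals.setdefault(m.group(1), defaultdict(set))
            continue
        if not line.startswith(" "):
            current = None
            continue
        m = re.match(r"\s+protocol esp (encryption|integrity) (.+)", line)
        if current is not None and m:
            current[m.group(1)].update(m.group(2).split())
    return proposals


def compatible(a, b, attrs):
    """True when every attribute has at least one value offered by both sides."""
    return all(a.get(k, set()) & b.get(k, set()) for k in attrs)


def find_matches(asa1, asa2):
    """Return (compatible IKEv2 policy pairs, compatible IPsec proposal pairs)."""
    pol1, pol2 = parse_ikev2_policies(asa1), parse_ikev2_policies(asa2)
    prop1, prop2 = parse_ipsec_proposals(asa1), parse_ipsec_proposals(asa2)
    policy_pairs = [(p, q) for p in pol1 for q in pol2
                    if compatible(pol1[p], pol2[q], IKEV2_ATTRS)]
    proposal_pairs = [(p, q) for p in prop1 for q in prop2
                      if compatible(prop1[p], prop2[q], ("encryption", "integrity"))]
    return policy_pairs, proposal_pairs


def diagnose(asa1, asa2):
    """Map the comparison onto the two failure modes seen in the post."""
    policy_pairs, proposal_pairs = find_matches(asa1, asa2)
    if not policy_pairs:
        return "IKEv2 policy mismatch: no IKE SA can be agreed, negotiation will not happen"
    if not proposal_pairs:
        return "IKEv2 IPsec proposal mismatch: IKE SA possible but no child SA, fix encryption/integrity"
    return "compatible: policies %s, proposals %s" % (policy_pairs, proposal_pairs)


def fix_asa1_proposal(config, encryption):
    """Rewrite ASA1's ESP encryption line, as the post does to resolve the mismatch."""
    return re.sub(r"( protocol esp encryption ).*", r"\g<1>" + encryption, config)


if __name__ == "__main__":
    print(diagnose(ASA1_CONFIG, ASA2_CONFIG))
    print(diagnose(fix_asa1_proposal(ASA1_CONFIG, "aes"), ASA2_CONFIG))
```

Run as-is it reports the IPsec proposal mismatch first and "compatible" after ASA1's ESP encryption is changed to aes, which is the same sequence the post went through. The script only sees what show running-config prints, so it cannot catch a mismatched pre-shared key (masked in the output) or a peer/crypto ACL mismatch; those still need the console logs.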

Check the session details of the active VPN connection to view every detail:
Monitoring -> VPN Statistics -> Sessions

On the CLI:
show vpn-sessiondb l2l
