State the problem
Identify possibilities
Use the tools to isolate
Correct without causing harm
Issue: A client PC at one site cannot connect to the web server at the other site (site-to-site VPN between ASA1 and ASA2).
Possible causes:
outside interface shut down
Internet connectivity down between the sites
wrong route for the remote subnet
Check connectivity and logs
Check whether ASA1 and ASA2 can reach each other over their outside interfaces.
From ASA2 we are able to ping ASA1, so the underlying path is up.
Enable logging on ASA2:
logging enable
logging console 7
Try connecting to the web server from the client PC again and watch the console output.
Turn console logging off afterwards (level 7 debugging output on the console is expensive on a busy firewall):
no logging console
Let's use ASDM to view the same logs, for clarity's sake.
Real-time Log Viewer:
Launch the connection once again.
Error: IKEv2 was unsuccessful at setting up a tunnel. Map tag = outside_map, Map Sequence number = 1
Check the configuration:
On ASA2 the connection profile has both IKEv1 and IKEv2 enabled.
Disable IKEv1.
Under Advanced -> Tunnel Groups, double-click the connection profile and check its settings.
Remember that tunnel-group (CLI) and connection profile (ASDM) are two names for the same object.
This seems to be fine. Let's take a look at the crypto map details:
Advanced -> Crypto Maps -> Tunnel Policy
Enable RRI: reverse route injection is a local policy and does not have to match the RRI setting on the other VPN gateway.
Check the IKE policies.
Delete the IKEv1 policies.
Try launching the connection once again.
Still not able to connect.
Error: negotiation is not happening.
Check the details on ASA1; its policies must be compatible with those on ASA2.
On ASA1 the IKEv2 IPsec proposal does not match; change its encryption.
Let's launch the connection once again.
Now we have a successful connection.
Result: we need to make sure we have compatible policies on both sides. For IKEv2 that means the IKEv2 policy (encryption, integrity, PRF, DH group) and the IKEv2 IPsec proposal bound to the crypto map entry (ESP encryption and integrity) must each have at least one algorithm in common; the IKEv2 lifetime is not negotiated and may differ.
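The mismatch above is easy to check offline before touching either box. The script below is an added example, not part of the original post or of Cisco's tooling: it parses the IKEv2 policy, IKEv2 IPsec proposal and crypto map lines out of two ASA configuration fragments and reports whether phase 1 and the child SA can agree. The fragments are constructed; the only names taken from the page are outside_map and sequence number 1, while the peer addresses, policy numbers, proposal names and algorithm choices (ASA1 offering plain aes while ASA2 only accepts aes-256) are assumptions.

```python
"""Offline check that two ASA configs have compatible IKEv2 policies and
IKEv2 IPsec proposals.  Constructed config fragments, not a real capture:
only outside_map / sequence 1 come from the page, the rest is assumed."""
import re

# Constructed sample: ASA1 before the fix.  Its ipsec-proposal offers
# 128-bit aes while ASA2 (below) only accepts aes-256, so the IKE SA
# comes up but the child SA for outside_map 1 never does.
ASA1_BEFORE = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-256
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES
"""

# ASA1 after the fix from the post: only the proposal's encryption changes.
ASA1_AFTER = ASA1_BEFORE.replace("protocol esp encryption aes\n",
                                 "protocol esp encryption aes-256\n")

ASA2 = """\
crypto ikev2 policy 10
 encryption aes-256 aes-192
 integrity sha256 sha
 group 14 5
 prf sha256
 lifetime seconds 28800
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 203.0.113.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
"""

IKE_ATTRS = ("encryption", "integrity", "group", "prf")


def parse_blocks(config, header_re):
    """Collect the indented sub-lines (tokenised) under each line matching header_re."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(header_re, line)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.split())
        else:
            current = None  # any other top-level line ends the block
    return blocks


def ikev2_policies(config):
    """{seq: {attr: set(algorithms)}} for every 'crypto ikev2 policy N'."""
    return {seq: {t[0]: set(t[1:]) for t in lines if t[0] in IKE_ATTRS}
            for seq, lines in parse_blocks(config, r"crypto ikev2 policy (\d+)").items()}


def ipsec_proposals(config):
    """{name: {'encryption': set, 'integrity': set}} for every ikev2 ipsec-proposal."""
    return {name: {t[2]: set(t[3:]) for t in lines
                   if t[:2] == ["protocol", "esp"] and t[2] in ("encryption", "integrity")}
            for name, lines in parse_blocks(
                config, r"crypto ipsec ikev2 ipsec-proposal (\S+)").items()}


def map_proposals(config, tag, seq):
    """Names of the ipsec-proposals bound to one crypto map entry."""
    pat = rf"crypto map {re.escape(tag)} {seq} set ikev2 ipsec-proposal (.+)"
    for line in config.splitlines():
        m = re.match(pat, line)
        if m:
            return m.group(1).split()
    return []


def compatible(a, b, attrs):
    """True if a and b share at least one algorithm for every attribute."""
    return all(a.get(k, set()) & b.get(k, set()) for k in attrs)


def ike_sa_matches(cfg_a, cfg_b):
    """(seqA, seqB) pairs of IKEv2 policies that can agree on the IKE SA.
    Lifetime is ignored on purpose: IKEv2 does not negotiate it."""
    pa, pb = ikev2_policies(cfg_a), ikev2_policies(cfg_b)
    return [(x, y) for x in pa for y in pb if compatible(pa[x], pb[y], IKE_ATTRS)]


def child_sa_matches(cfg_a, cfg_b, tag="outside_map", seq=1):
    """(proposalA, proposalB) pairs bound to the map entry that can agree on ESP."""
    pa, pb = ipsec_proposals(cfg_a), ipsec_proposals(cfg_b)
    return [(x, y) for x in map_proposals(cfg_a, tag, seq)
            for y in map_proposals(cfg_b, tag, seq)
            if x in pa and y in pb and compatible(pa[x], pb[y], ("encryption", "integrity"))]


def diagnose(cfg_a, cfg_b):
    """Which stage of the tunnel would fail between the two configs, if any."""
    if not ike_sa_matches(cfg_a, cfg_b):
        return "no compatible IKEv2 policy (IKE SA will fail)"
    if not child_sa_matches(cfg_a, cfg_b):
        return "no compatible IKEv2 IPsec proposal on outside_map 1 (child SA will fail)"
    return "ok"


if __name__ == "__main__":
    print("before:", diagnose(ASA1_BEFORE, ASA2))
    print("after: ", diagnose(ASA1_AFTER, ASA2))
```

Feed it the relevant lines of `show running-config crypto` from each firewall; because an ASA policy line may list several algorithms, the check is "at least one in common per attribute", which is exactly what the peers negotiate.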
Check the session details of the active VPN connection to see the negotiated parameters:
Monitoring -> VPN Statistics -> sessions
On the CLI:
show vpn-sessiondb l2l