Re: [fw-wiz] asa 5505 vpn ipsec l2l problem



Run these three debugs

debug crypto engine
debug crypto isakmp 127
debug crypto ipsec 127

and then see if you get any more meaningful debugs.

Regards

Farrukh Haroon
CCIE Security

On Fri, Oct 2, 2009 at 3:09 PM, Hrvoje Popovski <hrvoje@xxxxxxx> wrote:

hello everyone,

I have an ASA 5505 with a Base license and 7.2.4 software.

Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0


I'm trying to create an L2L IPsec tunnel reading the manual at

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/site2sit.html

and when I apply the ACL in the crypto map
crypto map abcMap 1 match address acl
I'm getting this log:
Ignoring msg to mark SA with specified coordinates <abcMap, 1> dead

I don't get any debug messages (debug crypto ipsec 100).
I googled it but haven't found any answer.

thank you for your answers!

acl
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.12 host 10.1.100.105 eq ftp-data
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
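A peer-side sanity check, added here as an example and not part of either message: Cisco's L2L documentation requires the remote peer's crypto ACL to be the mirror image of the local one, so this script derives the mirror of the posted ACL and verifies two ACLs against each other. The ACL name `acl-peer` is a constructed placeholder, and only the `host A [eq P] host B [eq Q]` ACE form used in the thread is parsed.

```python
import re

# Crypto-ACL lines as posted in the thread (re-joined where the mail client wrapped them).
POSTED_ACL = """\
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.13 eq 4000
access-list acl extended permit tcp host 192.168.11.11 host 10.1.110.250 eq 4000
access-list acl extended permit tcp host 192.168.11.11 eq ftp host 10.1.100.105 eq ftp
access-list acl extended permit tcp host 192.168.11.11 host 10.1.100.105 eq ftp-data
"""

# Syntax handled: access-list NAME extended permit PROTO host A [eq P] host B [eq Q]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    r"host\s+(?P<src>\S+)(?:\s+eq\s+(?P<sport>\S+))?\s+"
    r"host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<dport>\S+))?$"
)

def parse_ace(line):
    """Return (proto, src, sport, dst, dport); a port is None when the ACE has none."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE syntax: %r" % line)
    return (m["proto"], m["src"], m["sport"], m["dst"], m["dport"])

def parse_acl(text):
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def mirror(ace):
    """Swap source and destination, addresses and ports alike."""
    proto, src, sport, dst, dport = ace
    return (proto, dst, dport, src, sport)

def render(ace, name):
    """Render a parsed ACE back into ASA syntax under the given ACL name."""
    proto, src, sport, dst, dport = ace
    def side(host, port):
        return "host %s" % host + (" eq %s" % port if port else "")
    return "access-list %s extended permit %s %s %s" % (
        name, proto, side(src, sport), side(dst, dport))

def mirror_acl(text, name="acl-peer"):
    """Crypto ACL the remote peer needs so both proxy-identity sets match."""
    return [render(mirror(a), name) for a in parse_acl(text)]

def is_mirror(local_text, remote_text):
    """True when the two crypto ACLs are exact mirror images of each other."""
    return {mirror(a) for a in parse_acl(local_text)} == set(parse_acl(remote_text))
```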

