Thursday, November 15, 2018

Cisco ASA VPN IKE Issue

Hello, I have just tried to replace a single ASA5520 with a pair of ASA5516s. To copy the config across, I literally just did a copy/paste from the running config, though I did have to alter the interface numbers from 0/x to 1/x. Everything 'looks' the same. I made the swap and all seems well (I can get internet), except that the site-to-site VPNs don't connect. It appears to be an issue with IKE versions. These are the related logs:

IP = x.x.x.x, Warning: Ignoring IKE SA (dst) without VM bit set

IKEv1 was Unsuccessful at setting up a tunnel. Map Tag = InternetRouting_map3. Map Sequence Number = 3.

Tunnel Manager has failed to establish an L2L SA. All configured IKE Versions failed to establish the tunnel. Map Tag= InternetRouting_map3. Map Sequence Number = 3.

IKEv1 was Unsuccessful at setting up a tunnel. Map Tag = InternetRouting_map3. Map Sequence Number = 3.

Tunnel Manager has failed to establish an L2L SA. All configured IKE Versions failed to establish the tunnel. Map Tag= InternetRouting_map3. Map Sequence Number = 3.

Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv1. Map Tag = InternetRoutingmap3. Map Sequence Number = 2.

IKEv2 Doesn't have a proposal specified

It was always working with IKEv1; I only enabled IKEv2 to see if that worked. Both sides of the tunnels seem to have the same protocols.

I am wondering if something is wrong with the InternetRouting_map3 part. Could that be something copied across that is incorrect?

Any advice much appreciated.


