VPN Site to Site gateway
Hi Everyone.
I am configuring VPN Site to Site. I have enabled IPSEC VPN, but the gateway device is not receiving the VPN configuration. I checked with the CLI command vpn tu, but the result is "No data to display".
Steps I took:
1. enable IPSEC VPN
2. interoperable devices
3. VPN Communities
4. IPSEC VPN
5. Install Policy.
Thanks
Labels: Site to Site VPN
Accepted Solutions
Hi The_Rock.
I have solved the problem exactly as you said and I have completed the Site to Site VPN configuration.
Right now VPN tunnel is up.
Thank you very much.
Hi Everyone!
I am configuring a site to site VPN on a Check Point gateway cluster, but when I install the policy, the VPN configuration is not received on the gateway.
Steps I took:
1. enable IPSEC VPN in cluster
2. configuration Interoperable devices
3. configuration VPN Communities
4. configure VPN Domain
5. install policy
I executed the vpn tu command on the CLI, but the result was "No data to display".
Thanks.
That's only the first step, since the VPN blade has to be enabled. But let's take a step back, or a few lol
Can you please let us know the following:
1) is it a CP to CP tunnel or 3rd party?
2) permanent tunnel or regular?
3) what is configured for vpn domains?
4) any NAT going?
5) ikev1 or v2?
Also, did you do any tcpdumps or debugs?
Example (say peer is 1.2.3.4 IP)
from CP -> tcpdump -enni any host 1.2.3.4 and proto 50
debug:
vpn debug trunc
vpn debug ikeon
- try to generate some traffic
vpn debug ikeoff
Look for ike and vpnd files
IMPORTANT NOTE -> to save yourself time, please run the below to check which iked process is handling the VPN; otherwise you might be looking at totally the wrong files
example in my lab:
[Expert@azurefw:0]# vpn iked calc 1.2.3.4
vpn: Address 1.2.3.4 is handled by IKED 0
[Expert@azurefw:0]#
If you need any help, let me know.
Best.
Andy
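Andy's capture and debug steps above, gathered into a small POSIX shell helper. This is an added example, not Andy's or Check Point's own script. It assumes the Gaia expert shell, where the `vpn` and `tcpdump` commands exist, and it parses both answers `vpn iked calc` gives in this thread: an instance number, or the "valid 'iked' commands" message from a release that lacks the calc subcommand, in which case there is only one IKE daemon to look at. The capture filter also includes UDP 500/4500 so the IKE negotiation is visible alongside ESP, which goes beyond the proto 50 filter in the post.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): wraps the capture and
# IKE debug sequence from Andy's post. Assumes the Gaia expert shell, where
# the `vpn` and `tcpdump` commands exist; the parser functions run anywhere.

# Map the output of `vpn iked calc <peer>` to an IKED instance number.
# Prints "single" when the release has no per-peer calc (older builds
# answer "valid 'iked' commands are: 'status', 'enable', 'disable'"),
# and "unknown" with a non-zero status for anything else.
iked_instance() {
    case "$1" in
        *"is handled by IKED "*)
            printf '%s\n' "$1" | sed -n 's/.*is handled by IKED \([0-9][0-9]*\).*/\1/p'
            ;;
        *"valid 'iked' commands are"*)
            echo single
            ;;
        *)
            echo unknown
            return 1
            ;;
    esac
}

# tcpdump filter for one peer: ESP (proto 50) as in the post, plus the IKE
# ports so phase 1 traffic shows up in the same capture (my addition).
capture_filter() {
    echo "host $1 and (proto 50 or udp port 500 or udp port 4500)"
}

# Full capture command for the filter above; -w keeps a pcap for later review
# (the /tmp path is an assumption, change it to taste).
capture_cmd() {
    echo "tcpdump -enni any -w /tmp/vpn_$1.pcap $(capture_filter "$1")"
}

# The debug cycle from the post: truncate old debug, enable IKE debug, wait
# while the caller generates interesting traffic, then disable it and report
# which IKED instance owns the peer so the matching ike/vpnd files are read.
collect_ike_debug() {
    _peer="$1"
    _secs="${2:-30}"
    if ! command -v vpn >/dev/null 2>&1; then
        echo "vpn command not found; run this on a Check Point gateway" >&2
        return 2
    fi
    vpn debug trunc
    vpn debug ikeon
    echo "IKE debug is on for ${_secs}s: generate traffic toward $_peer now" >&2
    sleep "$_secs"
    vpn debug ikeoff
    _inst=$(iked_instance "$(vpn iked calc "$_peer" 2>&1)") || true
    echo "peer $_peer is handled by IKED instance: $_inst"
}

# Usage on a gateway (not executed here):
#   collect_ike_debug 1.2.3.4 30
#   eval "$(capture_cmd 1.2.3.4)"
```

The parser is the part worth keeping: when `vpn iked calc` answers with the "valid 'iked' commands" message, as it did on the gateway in this thread, there is no per-peer daemon assignment to worry about, and the single ike/vpnd debug output is the right place to look.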
Hi The_Rock.
1) is it a CP to CP tunnel or 3rd party? -> 3rd party Cisco
2) permanent tunnel or regular? -> regular
3) what is configured for vpn domains? -> All IP Address behind Cluster Member based on Topology
4) any NAT going? No NAT
5) ikev1 or v2? ikev1
Also, did you do any tcpdumps or debugs? -> I have debugged VPN traffic but it doesn't exist
Example (say peer is 1.2.3.4 IP)
[Expert@gw01:0]# vpn iked calc 192.168.45.2
vpn: valid 'iked' commands are: 'status', 'enable', 'disable'
I checked the VPN configuration on the gateway but it seems it has not been installed from SMC
Thanks.
Now that I came back from my exercise (I feel like I'm the only "genius" running at -5 C degrees haha), I feel energized, so let's see if we can get this fixed. Just working on some labs, so if you allow remote, message me offline, let's connect and we can do remote.
Best,
Andy
Btw, the first thing I would say that's wrong is your enc domain: you should always set a specific subnet/group, not the topology option.
Nguyen and I just had a remote session and I could not even see phase 1 come up, so I asked him to verify the enc methods for phase 1, as well as the PSK, and update the thread. Alternatively, please run the debug I mentioned in one of my previous responses.
Best,
Andy
Great job!
Btw, just to help you even further next time if you have an issue with Cisco, below are some good commands on that end you can try:
***************************************************************
more system:running-config | beg tunnel-group x.x.x.x (to find the pre-shared key for a specific tunnel, where x.x.x.x is the 3rd party external IP)
ASA# sh run crypto map | beg x.x.x.x (peer IP)
debug vpn:
debug crypto condition peer x.x.x.x
debug crypto ikev1 200
debug crypto ipsec 200
to cancel all debugs -> undebug all
Here are the commands that you need to apply in order to change an IP address of the IPSec site to site tunnel:
no crypto map <map-name> <sequence> set peer x.x.x.x
crypto map <map-name> <sequence> set peer <new peer IP>
