Amazing explanation with live troubleshooting. Very clear and to the point. Thank you so much!
it's a pleasure, thanks
you always got me boss,,, thanks from my heart
I feel humbled ,thank you
excellent video sir!
Thank you
So you make the IPsec connection on the ASA that is already on the AWS side, not on the on-premises network, as you were doing the configuration for your testing of the AWS ASA with the public IP 13.X.X.X?
That's correct, I launched an ASA from the AWS Marketplace in a different VPC, and you may do that from a different account as well. The concept is the same as an on-premise ASA.
amazing!
very well explained Tendai!
Thank you Gordon
I am a beginner to ASA. I googled but no luck.
I am facing this error:
ciscoasa(config)# crypto ikev1 enable outside
^
ERROR: % Invalid input detected at '^' marker.
ciscoasa(config)#
Can you help me please?
Thanks a lot!
Very informative
Thank you, glad to hear.
Thank you! and respect.
Nice one my leader 👏
Glad you like it
My SME! Well done!
Thank you
Thank you for sharing Leadership
my pleasure leadership
Nice one Brother. Tnx
It's a pleasure, thank you for your support.
Hi Tendai,
How did you log in to the ASA console? Do you have to have a cisco account to do that?
If you do not have a physical ASA you may use a free trial or an on-demand one from the AWS Marketplace. Remember to remove the subscription when done, else you will be billed continuously until you do so. Take note that terminating the firewall instance is not the same as removing a subscription.
@tendaimusonza9547 Thank you!
Thank you Tendai.
you are welcome
Well explained
Excellent video. Thank you, Tendai!
I have a question: How can I set up multiple AWS machines so they can connect to the customer network? I was wondering if I'd have to create multiple IAM users and grant them permission to the main account that was used to set up the configuration. Those users can then access the account and use the VPN configured to connect to the customer's network. Right?
Thank you for your support; if you are happy, hit that subscribe button to grow the channel. I am not clear why you mentioned IAM users; however, you can connect with me via LinkedIn: www.linkedin.com/in/tendai-musonza-a9914523 for further discussion and clarity on your use case.
Hi Tendai, excellent video. I have done the same config, but the BGP peering goes down after 1 hour. The IPsec is still up, but the VTI tunnel seems to lose connection. The only way to bring the BGP up again is to shut/un-shut the tunnel interfaces.
Have you seen this issue before? In the logs I've got a BGP hold time expired message.
I've also checked the VTI interfaces; when the problem happens, I can't ping the other side of the /30. The interface status stays UP/UP.
After shut/un-shut the tunnel became alive again.
@phyll6623, is your phase 2 timer set to 3600, which is also 1 hr? If so, it sounds to me like an issue on phase 2 renegotiation/rekey. Do you see the IPsec up on the Cisco or AWS side? The AWS console up/status is not really real-time.
@tendaimusonza9547 I see the tunnel up on the ASA side; on AWS it took some time to refresh.
I'll keep searching for the issue. Thank you for raising possible phase 2 rekey, I'll check for this. 👍🏼
@phyll6623, if you have support you may ask AWS to check the logs at those time intervals. In some cases I have seen devices maintaining old SPIs after rekey. Or you can run an IPsec debug towards the end of the hour as well; that can help.
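One way to test the rekey theory raised in this thread is to line up the BGP "hold time expired" events against the phase 2 rekey events in the ASA syslog and check whether the drops follow each rekey and whether the rekeys land every ~3600 s. The script below is an added example, not code from the video or the commenters; the log lines are constructed (the ASA-5-713120 PHASE 2 COMPLETED message ID is real, the BGP line format, addresses and the 180 s correlation window are assumptions).

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not from the page). Timestamps are the
# syslog prefix; the peer 203.0.113.1 and VTI neighbor 169.254.10.1 are made up.
SAMPLE_LOG = """\
Mar 01 10:00:05 asa %ASA-5-713120: Group = 203.0.113.1, IP = 203.0.113.1, PHASE 2 COMPLETED (msgid=1)
Mar 01 10:30:00 asa %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.1/443
Mar 01 11:00:04 asa %ASA-5-713120: Group = 203.0.113.1, IP = 203.0.113.1, PHASE 2 COMPLETED (msgid=2)
Mar 01 11:01:30 asa %BGP-5-ADJCHANGE: neighbor 169.254.10.1 Down BGP Notification sent (hold time expired)
Mar 01 12:00:03 asa %ASA-5-713120: Group = 203.0.113.1, IP = 203.0.113.1, PHASE 2 COMPLETED (msgid=3)
Mar 01 12:01:45 asa %BGP-5-ADJCHANGE: neighbor 169.254.10.1 Down BGP Notification sent (hold time expired)
"""

TS_RE = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) ")


def parse_events(log):
    """Return (timestamp, kind) for rekey and BGP-down lines, in log order."""
    events = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        if "PHASE 2 COMPLETED" in line:
            kind = "rekey"
        elif "hold time expired" in line:
            kind = "bgp_down"
        else:
            continue  # unrelated message, ignore
        events.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), kind))
    return events


def rekey_intervals(events):
    """Seconds between consecutive phase 2 rekeys; ~3600 matches a 1 h lifetime."""
    rekeys = [t for t, k in events if k == "rekey"]
    return [int((b - a).total_seconds()) for a, b in zip(rekeys, rekeys[1:])]


def correlate(events, window_seconds=180):
    """Count BGP drops and how many occur within window_seconds after a rekey.
    180 s is the assumed BGP hold time, so a drop in that window after a rekey
    means the tunnel stopped passing keepalives right as the new SA came up."""
    rekeys = [t for t, k in events if k == "rekey"]
    downs = [t for t, k in events if k == "bgp_down"]
    after_rekey = [d for d in downs
                   if any(0 <= (d - r).total_seconds() <= window_seconds for r in rekeys)]
    return len(downs), len(after_rekey)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print("rekey intervals (s):", rekey_intervals(ev))
    print("bgp drops, drops within window after rekey:", correlate(ev))
```

If every drop lands inside the window after a rekey and the intervals sit at the configured lifetime, that points at the phase 2 rekey rather than at BGP itself, which is the check to run before asking AWS support for the logs at those times.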