Cisco ASA Site-to-Site VPN Not Coming Up: How to Fix It
An ASA site-to-site tunnel that won't establish fails in Phase 1 (ISAKMP/IKE) or Phase 2 (IPsec) — and on the ASA there's a third classic trap: NAT exemption. Here's how to find which.
Step 1 — Check the SAs
show crypto isakmp sa
show crypto ipsec sa peer <peer-ip>
For IKEv1, Phase 1 is healthy when the ISAKMP SA shows MM_ACTIVE. If there's no ISAKMP SA, Phase 1 is failing. If Phase 1 is up but no IPsec SA forms, it's Phase 2.
Step 2 — Phase 1 (ISAKMP) down
- Pre-shared key: set per peer in the tunnel-group; a mismatch keeps Phase 1 down.
- ISAKMP/IKE policy: encryption, hash, DH group and lifetime must match the peer.
- Reachability: UDP 500/4500 must reach the peer; confirm the crypto map is on the correct outside interface.
debug crypto ikev1 127
Step 3 — Phase 2 (IPsec) down
- Crypto ACL (interesting traffic): the source/destination networks must mirror exactly on each side. A non-mirrored ACL is the most common Phase 2 failure.
- Transform set / PFS: must match on both peers.
Step 4 — The ASA-specific trap: NAT exemption
If both phases come up but traffic doesn't pass, VPN traffic is probably being NATed. Add a NAT exemption (no-nat) rule so traffic between the local and remote VPN subnets bypasses NAT:
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp route-lookup
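The two ASA-specific checks from Steps 3 and 4 (does the peer's crypto ACL mirror ours, and does an identity NAT rule exempt every protected pair) can be scripted against saved configs. The following is an added example, not code from the page or from Tech Matrix; the config fragments, object names (LOCAL-A, LOCAL-B, REMOTE) and ACL name VPN-ACL are constructed, and only the `<net> <mask>` ACL form and object-based identity twice-NAT are parsed.

```python
import ipaddress
import re

# Constructed sample ASA config fragments (not from a real device). The peer is
# missing the mirror of the 192.168.2.0/24 entry, and the local NAT exemption
# names only LOCAL-A, so 192.168.2.0/24 traffic would still be NATed.
LOCAL_CFG = """\
object network LOCAL-A
 subnet 192.168.1.0 255.255.255.0
object network LOCAL-B
 subnet 192.168.2.0 255.255.255.0
object network REMOTE
 subnet 10.10.0.0 255.255.0.0
access-list VPN-ACL extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPN-ACL extended permit ip 192.168.2.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside,outside) source static LOCAL-A LOCAL-A destination static REMOTE REMOTE no-proxy-arp route-lookup
"""
PEER_CFG = """\
access-list VPN-ACL extended permit ip 10.10.0.0 255.255.0.0 192.168.1.0 255.255.255.0
"""
# Only the '<net> <mask>' ACL form and object-based identity twice-NAT are parsed.
ACL_RE = re.compile(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")
OBJ_RE = re.compile(r"object network (\S+)\n subnet (\S+) (\S+)")
NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2")

def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}")

def crypto_acl_pairs(cfg):
    """(src, dst) networks protected by the crypto ACL (interesting traffic)."""
    return {(net(a, m), net(b, n)) for a, m, b, n in ACL_RE.findall(cfg)}

def nat_exempt_pairs(cfg):
    """(local, remote) pairs covered by an identity (no-nat) twice-NAT rule."""
    objects = {name: net(a, m) for name, a, m in OBJ_RE.findall(cfg)}
    return {(objects[l], objects[r]) for l, r in NAT_RE.findall(cfg)}

def diagnose(local_cfg, peer_cfg):
    """Findings for the two traps: non-mirrored crypto ACL and missing NAT exemption."""
    local, peer = crypto_acl_pairs(local_cfg), crypto_acl_pairs(peer_cfg)
    findings = []
    for src, dst in sorted(local, key=str):
        if (dst, src) not in peer:
            findings.append(f"Phase 2: peer crypto ACL lacks mirror of {src} -> {dst}")
    for src, dst in sorted(peer, key=str):
        if (dst, src) not in local:
            findings.append(f"Phase 2: local crypto ACL lacks mirror of {dst} -> {src}")
    for src, dst in sorted(local - nat_exempt_pairs(local_cfg), key=str):
        findings.append(f"NAT: no identity NAT rule exempting {src} -> {dst}")
    return findings
```

Run `diagnose(LOCAL_CFG, PEER_CFG)` on the constructed fragments and it reports the unmirrored 192.168.2.0/24 entry as a Phase 2 problem and the same subnet as lacking NAT exemption.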
How Tech Matrix solves this in ~60 seconds
The ASA combines IKE, IPsec and NAT, so the fix is rarely obvious from one command. Tech Matrix reads the ISAKMP/IPsec SAs, the crypto ACL and the NAT rules together, tells you whether it's a policy, ACL-mirror or NAT-exemption problem, and gives the exact line to change — grounded in your ASA version, with your approval.
Frequently asked questions
Run 'show crypto isakmp sa' (Phase 1 should be MM_ACTIVE) and 'show crypto ipsec sa' for Phase 2. Use 'debug crypto ikev1 127' to watch negotiation.
Almost always missing NAT exemption — VPN traffic is being NATed. Add a no-nat rule between the local and remote VPN subnets.
Usually the crypto ACL (interesting traffic) doesn't mirror the peer, or the transform set / PFS doesn't match.