site-to-site tunnel not forming please help

vreddy

Junior Member
Nov 27, 2014
2
0
0
Last week our MPLS circuit went down and there was no redundancy. I have been trying to establish an IPsec site-to-site VPN as the backup, so that once the MPLS circuit goes down I can bring up the IPsec tunnel. The MPLS circuit is up now. I configured all the IPsec site-to-site configs on both the local and remote ASAs but was not able to test it by passing the interesting traffic, since all the traffic is now routing through the MPLS circuit. I need to figure out what needs to be done so that I can test the IPsec tunnel by passing interesting traffic even though the MPLS circuit is up. Right now the MPLS traffic is going through the WAN router. I tried pointing the 192.168.1.0 subnet at the ASA's internal interface in the core but can't generate the interesting traffic. I'm getting ping request timeouts.
Here's the config for the local ASA:
object network NETWORK_OBJ_10.1.14.0_24
subnet 10.1.14.0 255.255.255.0

object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0

nat (Inside,Outside) source static NETWORK_OBJ_10.1.14.0_24 NETWORK_OBJ_10.1.14.0_24 destination static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac

crypto ikev1 enable Outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****

access-list VPN_ALLOWED_ACCESS extended permit ip 10.1.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN_ALLOWED_ACCESS extended permit icmp 10.1.14.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map Outside_map 2 match address VPN_ALLOWED_ACCESS
crypto map Outside_map 2 set peer x.x.x.x
crypto map Outside_map 2 set ikev1 transform-set MySet
crypto map Outside_map interface Outside

-------------------------------------------------
Remote ASA config:
object network obj-10.1.14.0
subnet 10.1.14.0 255.255.255.0


object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0

nat (MFG,outside) source static obj-192.168.1.0 obj-192.168.1.0 destination static obj-10.1.14.0 obj-10.1.14.0 no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac
crypto ikev1 enable outside

crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****

access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.1.14.0 255.255.255.0
access-list outside_cryptomap extended permit icmp 192.168.1.0 255.255.255.0 10.1.14.0 255.255.255.0

crypto map External_map 2 match address outside_cryptomap
crypto map External_map 2 set peer 8.29.106.10
crypto map External_map 2 set ikev1 transform-set MySet

crypto map External_map interface outside
This is the config I put on both ASAs. Right now both are reaching each other through the MPLS circuit.
Can I bring the tunnel up even though the MPLS circuit is up and running?
Any advice would be really appreciated.
 

cheap5.0

Member
Jan 9, 2010
92
0
0
You would be better off taking this to experts-exchange.com or the Cisco support forums. Not that someone here is incapable of figuring this out; I just think you would have a better chance over there.
 

lif_andi

Member
Apr 15, 2013
173
0
0
I am not aware of any way to test this without directing traffic through the tunnel. You could include a new IP range in the access-lists and direct that traffic through to see if the tunnel forms, but otherwise, traffic will always follow the rules and go through the MPLS path as that is more preferred.
 

drebo

Diamond Member
Feb 24, 2006
7,034
1
81
It looks like you haven't excluded the VPN interesting traffic from your NAT in each direction... unless you just didn't copy that line in.
 
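As an added example (not from anyone in this thread), a small Python check over the two configs posted above for the things lif_andi and drebo are pointing at: the crypto ACLs on the two ends must be mirror images (so a test range added to one side's ACL has to be added to the other), the transform-set the crypto map uses must match, and an identity NAT (real == mapped) must cover every interesting-traffic pair. The helper asa_cfg reconstructs just those lines of each posted config; peer addresses, the IKEv1 policy and the pre-shared key are left out.

```python
import re

def parse_asa(cfg):
    # objs: object name -> "net/mask"; acls: acl name -> {(src, dst)}; exempt: identity-NAT pairs
    objs, acls, tsets, exempt, cmap, cur = {}, {}, {}, set(), {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if m := re.match(r"object network (\S+)", line):
            cur = m[1]
        elif m := re.match(r"subnet (\S+) (\S+)", line):
            objs[cur] = f"{m[1]}/{m[2]}"
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            acls.setdefault(m[1], set()).add((f"{m[2]}/{m[3]}", f"{m[4]}/{m[5]}"))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (\S+) (\S+)", line):
            tsets[m[1]] = (m[2], m[3])
        elif m := re.match(r"crypto map \S+ \d+ (match address|set ikev1 transform-set) (\S+)", line):
            cmap[m[1]] = m[2]
        elif m := re.match(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)", line):
            if m[1] == m[2] and m[3] == m[4]:  # identity NAT = exemption for that pair
                exempt.add((objs.get(m[1]), objs.get(m[3])))
    return {"acl": acls.get(cmap.get("match address"), set()),
            "tset": tsets.get(cmap.get("set ikev1 transform-set")), "exempt": exempt}

def check_peers(local_cfg, remote_cfg):
    # Returns a list of mismatches between the two ends; an empty list means they agree.
    a, b = parse_asa(local_cfg), parse_asa(remote_cfg)
    issues = []
    if a["acl"] != {(d, s) for s, d in b["acl"]}:
        issues.append("crypto ACLs are not mirror images of each other")
    if a["tset"] != b["tset"]:
        issues.append(f"transform-sets differ: {a['tset']} vs {b['tset']}")
    for side, p in (("local", a), ("remote", b)):
        if missing := p["acl"] - p["exempt"]:
            issues.append(f"{side}: interesting traffic not NAT-exempt: {sorted(missing)}")
    return issues

def asa_cfg(src_obj, src, dst_obj, dst, ifaces, acl):
    # Constructed one-side config in the shape of the post (peer, policy and key lines omitted).
    return f"""object network {src_obj}
 subnet {src}
object network {dst_obj}
 subnet {dst}
nat {ifaces} source static {src_obj} {src_obj} destination static {dst_obj} {dst_obj} no-proxy-arp route-lookup
crypto ipsec ikev1 transform-set MySet esp-3des esp-md5-hmac
access-list {acl} extended permit ip {src} {dst}
crypto map m 2 match address {acl}
crypto map m 2 set ikev1 transform-set MySet
"""

LOCAL = asa_cfg("NETWORK_OBJ_10.1.14.0_24", "10.1.14.0 255.255.255.0", "NETWORK_OBJ_192.168.1.0_24", "192.168.1.0 255.255.255.0", "(Inside,Outside)", "VPN_ALLOWED_ACCESS")
REMOTE = asa_cfg("obj-192.168.1.0", "192.168.1.0 255.255.255.0", "obj-10.1.14.0", "10.1.14.0 255.255.255.0", "(MFG,outside)", "outside_cryptomap")
ISSUES = check_peers(LOCAL, REMOTE)  # [] for the two configs posted in this thread
```

Against the configs as posted the check comes back clean, which is consistent with the NAT exemption already being present; dropping the nat line or changing the ESP hash on one side is flagged.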