VPN- Easy VPN Hardware Client Connects, but No Traffic

Answered Question
Nov 4th, 2007

Hi,


I have a PIX 515E and 501 acting as a hardware client. Several remote locations are connected as Easy VPN clients, but one location will connect, but no traffic flows. I switched from network-extension-mode to client-mode and I can connect thru to the other network hosts.


I'm not sure why this PIX 501 one is different. There are no ACLs except what is pulled from the headend.


Any ideas where I should look?


Thanks,


Vince

ajagadee Tue, 11/06/2007 - 07:21
User Badges: Cisco Employee

What is the inside subnet that the PIX 501 is connecting from? Could be a NAT 0 ACL issue, overlapping access-lists, or interesting traffic.


Regards,

Arul

vdinenna71 Tue, 11/06/2007 - 07:33

The subnet on the PIX 501 is 192.168.0.0.

The headend inside subnet is 192.168.1.0.


There are no access-lists on the 501 other than what is pushed down and explicit to the PIX.

Correct Answer
ajagadee Tue, 11/06/2007 - 08:00
User Badges: Cisco Employee

Couple of quick comments:

1. I do not see 192.168.0.0 as part of that inside_outbound_nat0_acl ACL.

2. I see a crypto map instance 40 with "incomplete" crypto map, which is actually missing a match address.

crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
! Incomplete

Not sure if this is the current configuration from the PIX. If there is a crypto map instance with an incomplete match address, all traffic will be encrypted.


Regards,

Arul
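
Added example, not part of the thread or any poster's code: a small Python check for the two conditions raised in the answer above (a static crypto map entry with no match address, and a remote subnet absent from the NAT 0 ACL), run over a constructed PIX-style config excerpt. The /24 masks, the 192.168.2.0 network, entry 20 and the 203.0.113.10 peer are assumptions made for the sample.

```python
import ipaddress
import re

# Constructed PIX-style excerpt; only the 'outside_map 40' lines come from the thread.
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.10
crypto map outside_map 20 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""

CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def incomplete_crypto_maps(config):
    """Return (map, seq) pairs of static entries that have no 'match address'."""
    seen = {}
    for line in config.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            flags = seen.setdefault((m.group(1), int(m.group(2))), set())
            if m.group(3).startswith("match address"):
                flags.add("match")
            elif m.group(3).startswith("ipsec-isakmp dynamic"):
                flags.add("dynamic")  # points at a dynamic-map; skipped by this check
    return sorted(key for key, flags in seen.items() if not flags)


def acl_covers_destination(config, acl, subnet):
    """True if a permit line in `acl` has a destination containing `subnet`."""
    target = ipaddress.ip_network(subnet)
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] != ["access-list", acl, "permit"] or len(tok) < 8:
            continue
        try:  # assumes 'ip SRC SRCMASK DST DSTMASK' (no 'host'/'any' keywords)
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
        except ValueError:
            continue
        if target.subnet_of(dst):
            return True
    return False
```

On the sample, `incomplete_crypto_maps` reports only entry 40, and `acl_covers_destination` returns False for 192.168.0.0/24 against inside_outbound_nat0_acl.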

vdinenna71 Tue, 11/06/2007 - 08:18

#1- might be the issue.


#2- is an old entry I haven't removed. The site used to be site2site. It's now ez vpn.


I'll add the access-list and see what happens.


thanks

vdinenna71 Tue, 11/06/2007 - 08:27

I think the ACL that was missing on the headend was the problem. I was able to PING the server on the 192.168.0.0 network. I wasn't able to do this before. I'm going to try to connect from the other side tonight.


Thanks very much for your help!


Vince
