Site-to-Site VPN Tunnel comes up but no traffic

Unanswered Question
Dec 17th, 2007

I am setting up a site-to-site VPN, Cisco 3825 router to Sonic Wall Pro 4060 firewall. The VPN tunnel comes up great with no errors, but there are no encaps or decaps...just send and receive errors when each end tries to establish connectivity. Any help would be greatly appreciated.

Thanks in advance.

mbroberson1 Tue, 12/18/2007 - 05:23

Thanks for your reply. I feel the crypto ACLs on my side are correct. I'll have to see if I can get the remote Sonic Wall side config. Attached is a config from my lab that is very much like what I am using for the production setup.

mbroberson1 Tue, 12/18/2007 - 06:12

Thanks for the info. So you think my side looks ok? Strange that it works in my lab Cisco to Cisco.

Richard Burts Tue, 12/18/2007 - 13:03


I have not done the combination of VPN and static NAT that you are doing. From your comment am I correct in assuming that you have this set up in your lab and it is working correctly to translate and to protect with IPSec VPN?

I also wonder a little about your comment that the config that you posted is from a lab router that is very much like the production environment. It might be good to think carefully about what things are not exactly the same and whether any of these differences might be affecting things.

On the production router where it is not working are you getting hits on the ACL that identifies traffic for VPN (in the lab it is ACL 100)?

It might be helpful if you could post the output of show crypto map and the output of show crypto ipsec sa.



mbroberson1 Tue, 12/18/2007 - 13:11


Thanks for your reply. I just found what the issue was. I had to add my static route and am now getting encaps and decaps.

Richard Burts Tue, 12/18/2007 - 13:33


I am glad that you have figured out what the issue was. Frequently it is the small things (like the static route - which seems unimportant when you are addressing complex things like IPSec) that turn out to be the problem.

Congratulations on getting it working.



mbroberson1 Tue, 12/18/2007 - 13:45


The static NAT with IPSec/VPNs works really well. It is only available with a fairly recent IOS version. It really comes in handy when you have an internal host that is accessed over several VPNs and you are NATing on one of those VPNs and not the others.
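
Added example, not part of the original thread: a small Python triage of `show crypto ipsec sa` output, the command requested above, that flags SAs which are up but carry no packets in one direction, as in the "tunnel up, no encaps or decaps" symptom. The sample output, addresses, crypto map name and function names are constructed for illustration.

```python
import re

# Constructed sample of `show crypto ipsec sa` output (addresses are made up).
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 14, #recv errors 0

   local  ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IDENT = re.compile(r"(local|remote)\s+ident.*?\(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#(?:pkts )?(encaps|decaps|send errors|recv errors):? (\d+)")

def parse_sas(text):
    """Return one dict per SA block: proxy identities plus packet counters."""
    sas = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":   # a local ident line opens a new SA block
                sas.append({})
            if sas:
                sas[-1][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif sas:
            for name, value in COUNTER.findall(line):
                sas[-1][name] = int(value)
    return sas

def triage(sa):
    """Classify an SA by which direction is actually carrying packets."""
    if sa.get("encaps", 0) == 0:
        return "no-encaps: nothing is being encrypted here; check routes and crypto ACL hits"
    if sa.get("decaps", 0) == 0:
        return "no-decaps: traffic leaves but nothing returns; check the peer's selectors and routes"
    return "ok"
```
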

