VPN Tunnel Established Without Traffic Passing

Unanswered Question

I am working with a VPN tunnel between a Cisco 1710 (branch) and Cisco 2610 (HQ). The tunnel is UP, however, the branch is unable to browse to a site using internal IP hosted at HQ. There are other branch connections with Cisco 1710 routers that use similar, but not exact, configurations. I have gone through line by line, but unable to identify the failure. I am prepared to paste both configurations if someone would care to review.

foxbatreco Fri, 06/20/2008 - 02:56

Is this an IPSEC tunnel?

If so, please check the hit counts on the ACL relaying the traffic on either side to see traces of data, and check whether the IPs involved in the tunnel are denied from being involved in NAT.

Please paste the configs; it will help to check further.

I apologize for the delayed response. I will paste the current configuration below. I would greatly appreciate any insight.

This is a branch that is connected to the Internet via cable with a dynamic (DHCP) assigned external IP address. There is a tunnel which is successfully established via dynamic map to the headquarters (HQ).

On the LAN Internet connectivity is good; however, they need to access a web (www) site on the internal LAN at HQ (Headquarters), which fails. The local subnet is 10.7.x.x and the remote subnet is 10.0.x.x, and the internal site is

Unfortunately, ping isn't available, so I can't test that, but a traceroute shows the first hop does NOT appear to be routing properly. I have included the configuration of the branch office and, at the bottom, a snippet of another branch that can connect to the web site and an illustration of that routing; however, the difference is that that site has a static IP address (perhaps I have something routing wrong on the branch with the DHCP Internet access).

a.alekseev Thu, 07/03/2008 - 20:26

sh crypto isakmp sa

sh crypto ipsec sa

saugato2000 Thu, 07/03/2008 - 21:32

From the config sent out with respect to the branch office, it appears that the trace is taking a first hop: can you please do a sh ip route and find out which interface is the next hop for this IP? This subnet is not available in the router config of this branch office router, hence I would be curious to know the same.

Also try once after disabling the NAT statements from both the internal and external interfaces. Please do send in the trace run after removing the NAT statements.

Please post these details.

a.alekseev Fri, 07/04/2008 - 00:41

by the way,

this is not correct.

ip route Ethernet0

On broadcast media you should use an ip-address instead of an interface (in this case Ethernet0).

I have detailed troubleshooting attached as a file. I did remove the ip route and Internet connectivity is good. Removing the NAT statements did not appear to have any effect (other than dropping Internet connectivity).

So, I guess it boils down to where is the first hop coming from and how to get it to go through the correct gateway in order to get to the other side of the tunnel, because it appears that the first hop is what is causing the problem.

As an additional measure, I also tried to add a specific route for that network, but that did not have any effect either (so I reverted that change).

Trexlertown(config)#ip route 207.xxx.xxx.1
Trexlertown#wr mem
Building configuration...
Trexlertown#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 207.xxx.xxx.1 to network

     is variably subnetted, 2 subnets, 2 masks
C       is directly connected, FastEthernet0
S       [1/0] via 207.xxx.xxx.1
C    207.xxx.xxx.0/24 is directly connected, Ethernet0
S*   [254/0] via 207.xxx.xxx.1

a.alekseev Thu, 07/10/2008 - 08:57

You have a problem on HQ router.

Could you show the configuration?

a.alekseev Thu, 07/10/2008 - 10:06

Could you try adding an option (the IOS keyword for reverse route injection is reverse-route):

crypto dynamic-map dynmap 14
 set transform-set cm-transformset-2
 match address 120
 reverse-route

Re-establish the VPN, then post "sh crypto ipsec sa" on HQ and

sh ip route

singhsaju Thu, 07/10/2008 - 10:06

Can you ping the branch router's inside interface IP address from the HQ router, sourcing from its inside interface?
saugato2000 Thu, 07/10/2008 - 22:09

I strongly believe this is a routing issue, probably on the HQ. Hence a reverse route issue. I also see RIP running.

So please do a sh ip route on the HQ router for the branch segment.

If it points correctly, then please try pinging the branch interface. Also try finding out the 10.19.X.X segment on the HQ router, which appears to be the first hop on the trace from the branch router.

Also do a sh ip route on the branch router and paste the outputs here.

singhsaju Mon, 07/07/2008 - 10:53

What is the output for

show crypto ipsec sa ?

Do you see pkts encrypted on one side and decrypted on the other side? Then it's a routing issue. Check the routing for the subnet on the side where packets are getting decrypted.
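As an added illustration of the counter check singhsaju describes (example code, not from anyone in this thread), the Python below parses the encaps/decaps counters and traffic identities out of "show crypto ipsec sa" taken on both peers and reports which direction stops moving; the two sample outputs, peer addresses and crypto map name are constructed.

```python
import re

# Constructed sample output, trimmed to the lines the check needs.
BRANCH_SA = """\
interface: Ethernet0
    Crypto map tag: cm-cryptomap, local addr 203.0.113.10
   local  ident (addr/mask/prot/port): (10.7.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
    #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
HQ_SA = """\
interface: Ethernet0
    Crypto map tag: cm-cryptomap, local addr 198.51.100.1
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.7.0.0/255.255.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 412, #pkts decrypt: 412, #pkts verify: 412
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Return local/remote ident and encaps/decaps counters of the first SA in the text."""
    sa = {}
    for kind, net in IDENT_RE.findall(text):
        sa.setdefault(kind, net)
    for kind, n in COUNTER_RE.findall(text):
        sa.setdefault(kind, int(n))
    return sa

def diagnose(branch_text, hq_text):
    """Walk the packet path: branch encaps -> HQ decaps -> HQ encaps -> branch decaps."""
    b, h = parse_sa(branch_text), parse_sa(hq_text)
    if b["encaps"] == 0:
        return "branch never encrypts: check the crypto ACL and NAT exemption on the branch"
    if h["decaps"] == 0:
        return "branch encrypts but HQ never decrypts: ESP is not arriving at HQ"
    if h["encaps"] == 0:
        return "HQ decrypts but never encrypts a reply: HQ has no route for %s toward the tunnel" % h["remote"]
    if b["decaps"] == 0:
        return "HQ encrypts replies but branch never decrypts: ESP is not arriving at the branch"
    return "counters move in both directions: the tunnel is carrying traffic"
```

With the constructed samples the verdict is the case this thread ends on: HQ decrypts the branch traffic but never sends anything back, so the fix belongs in HQ routing (for example reverse route injection).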

saugato2000 Thu, 07/10/2008 - 22:16

Please remove the route that you have applied. It is only complicating the issue. This is probably a hop somewhere on the HQ side.

Please paste the outputs as I have requested.

One more thing is to create two loopback interfaces, one on the branch with a branch pool LAN IP and the other on the HQ router with the HQ segment that is inaccessible. Both IPs should be /32.

Then try pinging and tracing to those IPs with the loopbacks as source from both ends.

If the ping and trace reach, we are more or less very near to the solution.
