Site-to-site VPN trouble

Unanswered Question
Jun 30th, 2008

I'm having some trouble with a site-to-site VPN:

The two external IP addresses, and, can ping each other. But I can't seem to get the inside LANs ( and to find each other through the tunnel.

Have I misconfigured the VPN tunnel, or do I need to add some extra type of routing somewhere?

Also, is there a way to monitor the status of the VPN tunnel? I'm guessing there are tons of error messages somewhere that could be useful.

I've attached the important parts of my config files.



I think that the second unit may be the cause of the problem: it has two maps attempting to reach the same peer, with overlapping maps.

I would remove this section of the config.

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

access-list outside_1_cryptomap extended permit ip host host

That section is mapped to the host and not the network. Also, that mapping is trying to map a host to what is a subnet address, given the mask on both of your 192 networks.

That is where I would start.

I hope that helps.

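Added example (not from the thread, and not Cisco's tooling): a small Python check that implements the two points in the reply above, flagging a crypto map with two entries to the same peer whose crypto ACLs overlap, and a "host" ACL entry whose address is really the network address of one of those subnets. The config lines and addresses are constructed, since the real ones were scrubbed from the post.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (real addresses were scrubbed): entry 2 is the "host" ACL the reply objects to.
SAMPLE_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip host 192.168.1.0 host 192.168.2.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 203.0.113.10
"""

def parse_endpoint(tokens):
    """Consume 'host A' or 'A MASK' (ASA dotted mask) and return (network, remaining tokens)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def check_config(text):
    """Return findings: host entries that are subnet addresses, and same-peer map entries whose ACLs overlap."""
    acls, match_addr, peers, findings = {}, {}, {}, []
    for line in text.splitlines():
        if m := re.match(r"access-list (\S+) extended permit ip (.+)", line):
            src, rest = parse_endpoint(m.group(2).split())
            acls[m.group(1)] = (src, parse_endpoint(rest)[0])
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            match_addr[(m.group(1), m.group(2))] = m.group(3)
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            peers[(m.group(1), m.group(2))] = m.group(3)
    # A /32 equal to the network address of a subnet seen in the crypto ACLs is the "host mapped to a subnet" mistake.
    subnets = {n for pair in acls.values() for n in pair if n.prefixlen < 32}
    for name, pair in acls.items():
        for n in pair:
            if n.prefixlen == 32 and any(n.network_address == s.network_address for s in subnets):
                findings.append(f"{name}: host {n.network_address} is a subnet address")
    # Two entries of one crypto map to the same peer whose source and destination ranges both overlap.
    by_peer = defaultdict(list)
    for key, peer in peers.items():
        if match_addr.get(key) in acls:
            by_peer[(key[0], peer)].append(key[1])
    for (mapname, peer), seqs in by_peer.items():
        for i, a in enumerate(seqs):
            for b in seqs[i + 1:]:
                (sa, da), (sb, db) = (acls[match_addr[(mapname, x)]] for x in (a, b))
                if sa.overlaps(sb) and da.overlaps(db):
                    findings.append(f"{mapname} entries {a} and {b} overlap for peer {peer}")
    return findings
```

On the sample above the check reports both host entries as subnet addresses and the two entries as overlapping for the same peer, which is the condition the reply suggests removing.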

a.alekseev Tue, 07/01/2008 - 11:12

looks good...


conf t

logg mo 7


debug crypto isakmp 10

debug crypto ipsec 10

purohit_810 Tue, 07/01/2008 - 18:16


You can go for VPN tracker software to monitor VPN tunnels.

Or you can implement a SYSLOG server, so it could give you logs when it connected and disconnected.

Or you can implement an ACS server for AAA.

Can you take your logs,

debug crypto isakmp

debug crypto ipsec


Dharmesh Purohit

