L2L VPN up, but no Traffic

Unanswered Question
Jul 21st, 2008

Coming across a strange issue here. I have a VPN that connects a PIX 505 running PIX version 6.3(4) to two PIX 515Es with ver. 7.0(6). Both the PIX 505 and the 515Es show that a VPN connection is established between them (the 505 shows QM_IDLE). However, no traffic is flowing between the 505 and the 515Es. When I try to ping a client behind either device, I get no response. Earlier this morning, I was getting responses, and then out of the blue, everything stopped. I have reset all devices and even blew away and redid the VPN config on the 505, but still nothing. Again, they show the VPN as being connected, but I am getting no traffic across it. Any debug commands I could be checking?

Thanks in advance,

Matt

singhsaju Mon, 07/21/2008 - 10:13

Hi Matt,

Post "show crypto ipsec sa" and the configs of both ends for which traffic is not working.

This could be a routing issue.

HTH

Saju

mbrown1138 Mon, 07/21/2008 - 10:52

Thanks for the quick reply. BTW, it's actually a 501 not a 505...sorry for any confusion.

Well, things get stranger still. In the middle of collecting the requested info the connection between the 501 and one of the 515s suddenly came alive and I started getting responses back from my ping requests. I am still having non-traffic issues between the 501 and the other 515 though.

Attached is the config for the 501 along with the sh ipsec output for all three devices. Note that public IPs have been changed for security reasons. The 501's IP has been changed to 1.1.1.1 while the 515s have been changed to 2.2.2.2 and 3.3.3.3. Currently, the connection between 1.1.1.1 and 3.3.3.3 is showing traffic while 1.1.1.1 to 2.2.2.2 is still showing a VPN tunnel but no traffic.

Thanks again for your help!

singhsaju Mon, 07/21/2008 - 11:20

Your config looks ok to me. Are you able to ping the inside interface of the 515s from the 501's private network side? This is a routing issue.

Check the default gateway on the devices you are pinging. If it's a router in that network then that router must have a route back to the PIX for the remote subnet.

HTH

Saju
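The two replies above ask for "show crypto ipsec sa" output and point at routing as the likely cause. What that output actually tells you is in the per-SA counters: if the local PIX is encapsulating packets but decapsulating none, the tunnel itself is up and the problem is on the return path (typically a remote host or router with no route back to the PIX for the remote subnet, or a crypto ACL / NAT mismatch on the far side). The script below is an added example, not code from this thread or from Cisco; it parses a constructed sample of that output (modeled loosely on the PIX/ASA format, using the thread's placeholder addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3) and classifies each peer from its encaps/decaps counters. The sample text, the field names it parses and the classification labels are all assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, loosely modeled on PIX/ASA "show crypto ipsec sa" output.
# Peer 2.2.2.2 sends but never receives (the thread's symptom); 3.3.3.3 is healthy.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, local addr: 1.1.1.1

   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
   current_peer: 2.2.2.2
     #pkts encaps: 342, #pkts encrypt: 342, #pkts digest: 342
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #send errors: 0, #recv errors: 0

   local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.30.0.0/255.255.0.0/0/0)
   current_peer: 3.3.3.3
     #pkts encaps: 518, #pkts encrypt: 518, #pkts digest: 518
     #pkts decaps: 501, #pkts decrypt: 501, #pkts verify: 501
     #send errors: 0, #recv errors: 0
"""

_PEER_RE = re.compile(r"current_peer:\s*([\d.]+)")
# Only the counters needed for the diagnosis; encrypt/digest/verify are ignored.
_COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")


def _ident(line: str) -> str:
    """Return the 'addr/mask/prot/port' tuple from a local/remote ident line."""
    return line.rsplit("(", 1)[1].rstrip(")")


def parse_ipsec_sa(text: str) -> List[Dict[str, object]]:
    """Split 'show crypto ipsec sa' text into one record per local/remote ident pair."""
    records: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("local ident"):
            if current:
                records.append(current)
            current = {"local": _ident(line), "encaps": 0, "decaps": 0,
                       "send_errors": 0, "recv_errors": 0}
        elif line.startswith("remote ident"):
            current["remote"] = _ident(line)
        else:
            peer = _PEER_RE.search(line)
            if peer:
                current["peer"] = peer.group(1)
            for name, value in _COUNTER_RE.findall(line):
                key = name.replace("pkts ", "").replace(" ", "_")  # e.g. "send_errors"
                current[key] = int(value)
    if current:
        records.append(current)
    return records


def diagnose(record: Dict[str, object]) -> Tuple[str, str]:
    """Classify one SA from its counters and suggest where to look next."""
    encaps, decaps = int(record["encaps"]), int(record["decaps"])
    if encaps == 0 and decaps == 0:
        return ("idle", "no traffic matches the crypto ACL: check the ACL, NAT exemption, "
                        "and that hosts actually route the remote subnet via this PIX")
    if encaps > 0 and decaps == 0:
        return ("one-way-out", "we encrypt but get nothing back: check the remote LAN's "
                               "default gateway / route back to the PIX, and the remote "
                               "crypto ACL and NAT exemption")
    if encaps == 0 and decaps > 0:
        return ("one-way-in", "we receive but never send: check local routing, the local "
                              "crypto ACL and NAT exemption")
    return ("bidirectional", "packets flow both ways; look beyond the tunnel "
                             "(host firewalls, ICMP filtering, application issues)")


def status_by_peer(text: str) -> Dict[str, str]:
    """Map each peer address in the output to its diagnosis label."""
    return {str(r["peer"]): diagnose(r)[0] for r in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for rec in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        label, hint = diagnose(rec)
        print(f"{rec['peer']} {rec['local']} -> {rec['remote']}: "
              f"encaps={rec['encaps']} decaps={rec['decaps']} [{label}] {hint}")
```

On the constructed sample this flags 2.2.2.2 as one-way-out and 3.3.3.3 as bidirectional, which is the pattern to expect when the ISAKMP SA reaches QM_IDLE but pings behind one peer get no answer. Paste real output in place of the sample; the send/recv error counters are also collected, since a rising recv error count usually points at a transform or key mismatch rather than routing.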

mbrown1138 Mon, 07/21/2008 - 14:31

Well...I don't know what to say. I blew away the VPN configs in the 501 and typed them back in EXACTLY the way they were before. I went to lunch, came back an hour later, and now, everything is working just as it should be. I am getting responses back from both sides of the 515Es and the 501. So I don't know if it was some sort of caching issue with the ISAKMP/IPsec engines or what. But traffic across BOTH VPN tunnels appears to be working now. This is something I have never seen before, but I guess stranger stuff does happen.

Thanks for your help.
