IPsec - L2L - 3030 to 3620 - Phase 2 Complete - One way traffic

Hello,

I have an existing L2L VPN setup with a Cisco 3030 and a Cisco 3620. It has been working fine for the last few weeks.

A few days ago, the tunnel dropped and now I only see traffic in one direction. There are no error messages in debug on either router and I'm not sure where to go from here.

I can see the VPN establish, Phase 2 is completed on both sides.

I can see traffic leave the 3030 but I never get anything back from the 3620.

Doing a packet capture on the 3620 I see no IPsec packets leave the router to the 3030, it is simply not tunneling the traffic.

"Network lists" on both devices are set the same, networks:

10.0.0.0/0.255.255.255
172.16.0.0/0.15.255.255
192.168.5.0/0.0.0.255

There is no firewall in front of the 3620, packets are simply not leaving the router.

The 3620 has a single interface, it is a "router on a stick", I'm not sure if this could be causing any issues.

I've attached the 3620 config.

Does anyone have any idea?

Thanks!

Jonathan.

3 Replies

pompeychimes
Level 4

Are the packets you don't see being returned initiated from the concentrator or a device behind the concentrator?

Any NAT going on?

Thanks for the reply - Turns out one end of the VPN was behind NAT, NAT-T was turned on on the 3030 and the issue went away.

Not sure how this worked for a few weeks without NAT-T.

It's all good now, cheers!

Excellent! NAT-T can be one of those little things that frequently gets overlooked.

This is a really good document for understanding the steps (order of operation).

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

HTH,

-Brandon
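The symptom in this thread (Phase 2 up, encrypted traffic in one direction only, fixed by enabling NAT-T) can be spotted quickly from a capture summary. Below is an added example, not code from the thread or from Cisco, that parses constructed tcpdump-style lines for two hypothetical peer addresses, counts ISAKMP, raw ESP and UDP/4500-encapsulated packets per direction, and flags one-way traffic and the absence of NAT-T.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (timestamps stripped); peer addresses are
# hypothetical. BROKEN mirrors the thread's symptom: ISAKMP both ways, ESP from
# one peer only, and no UDP/4500 (NAT-T) traffic at all.
PEER_3030, PEER_3620 = "203.0.113.10", "198.51.100.20"
BROKEN = """\
203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others I oakley-quick
198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 2/others R oakley-quick
203.0.113.10 > 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
203.0.113.10 > 198.51.100.20: ESP(spi=0x1a2b3c4d,seq=0x2), length 116
"""
# FIXED mirrors the state after NAT-T was enabled: ESP wrapped in UDP/4500.
FIXED = """\
203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x1), length 116
198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x5e6f7a8b,seq=0x1), length 116
"""

LINE = re.compile(r"^(?P<src>(?:\d{1,3}\.){3}\d{1,3})(?:\.(?P<sport>\d+))?\s+>\s+"
                  r"(?P<dst>(?:\d{1,3}\.){3}\d{1,3})(?:\.(?P<dport>\d+))?:\s+(?P<rest>.*)$")

def classify(rest):
    """Map a packet summary to the IPsec component it belongs to."""
    if "isakmp" in rest:              # IKE control traffic (UDP/500, or UDP/4500 with NAT-T)
        return "isakmp"
    if rest.startswith("UDP-encap"):  # ESP encapsulated in UDP/4500 (NAT-T)
        return "nat-t"
    if rest.startswith("ESP("):       # raw ESP, IP protocol 50: no ports for a NAT to rewrite
        return "esp"
    return None

def triage(capture, peer_a, peer_b):
    """Count IPsec packets per direction and return the counts plus findings."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        kind = classify(m["rest"]) if m else None
        if kind is None or m["src"] not in (peer_a, peer_b):
            continue
        counts[("a->b" if m["src"] == peer_a else "b->a", kind)] += 1
    data_ab = counts[("a->b", "esp")] + counts[("a->b", "nat-t")]
    data_ba = counts[("b->a", "esp")] + counts[("b->a", "nat-t")]
    uses_natt = any(kind == "nat-t" for _, kind in counts)
    findings = []
    if bool(data_ab) != bool(data_ba):
        findings.append("one-way: encrypted traffic seen only from " + (peer_a if data_ab else peer_b))
    if (data_ab or data_ba) and not uses_natt:
        findings.append("raw ESP in use: a NAT between the peers cannot translate it; NAT-T (UDP/4500) is required")
    return {"counts": dict(counts), "uses_natt": uses_natt, "findings": findings}
```

Run `triage(BROKEN, PEER_3030, PEER_3620)` to see both findings raised, and `triage(FIXED, ...)` to see a clean result.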