Yudong Wu Fri, 09/25/2009 - 07:51

1. Make sure there is no ACL blocking your ping packets.

2. Check the routing in both directions.

3. Check "show crypto ipsec sa" to see whether both the encrypt and decrypt counters are incrementing while you run the ping test.
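
Added example, not from the thread: a small Python check that does step 3 mechanically. It parses two captures of IOS "show crypto ipsec sa" taken before and after the ping test and reports, per peer, which direction of the tunnel is moving traffic. The captures below are constructed samples trimmed to the lines the check reads; the peer and addresses are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of IOS "show crypto ipsec sa" output (not from the thread),
# trimmed to the lines this check reads, captured before and after a ping test.
SNAPSHOT_BEFORE = """\
interface: Dialer1
   current_peer 198.51.100.1 port 500
    #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 5, #recv errors 0
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("encaps: 23", "encaps: 28")  # 5 pings sent, no replies

@dataclass
class SaCounters:
    encaps: int
    decaps: int
    send_errors: int

def parse_sa_counters(text: str) -> dict:
    """Map each peer address in one capture to its encap/decap/send-error counters."""
    result = {}
    for block in re.split(r"(?m)^(?=[ \t]*current_peer )", text)[1:]:  # one block per SA
        peer = re.search(r"current_peer (\S+)", block).group(1)
        def num(label: str) -> int:
            m = re.search(re.escape(label) + r":? (\d+)", block)
            return int(m.group(1)) if m else 0
        result[peer] = SaCounters(num("#pkts encaps"), num("#pkts decaps"), num("#send errors"))
    return result

VERDICTS = {  # keyed by (encaps grew, decaps grew)
    (False, False): "no traffic hit the SA: check local routing/ACL toward the tunnel",
    (True, False): "encrypting but not decrypting: check the return path and far-side ACLs",
    (False, True): "decrypting but not encrypting: check the local route to the remote subnet",
    (True, True): "ok: both counters increment",
}

def diagnose(before: dict, after: dict) -> dict:
    """Classify each peer by how its counters moved between the two captures."""
    if not after:
        return {"(none)": "no IPsec SA: IKE/IPsec never negotiated, check peer reachability and ISAKMP"}
    verdicts = {}
    for peer, a in after.items():
        b = before.get(peer, SaCounters(0, 0, 0))  # SA that only came up during the test
        verdict = VERDICTS[(a.encaps > b.encaps, a.decaps > b.decaps)]
        if a.send_errors > b.send_errors:
            verdict += " (send errors rising: check the outbound path)"
        verdicts[peer] = verdict
    return verdicts
```

An empty result from parse_sa_counters (no "current_peer" line at all, as in the poster's 877 output) is reported as a missing SA, which points at IKE rather than at routing.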

eoinwhite Mon, 09/28/2009 - 03:00

There are no ACLs on the HQ side besides those on the firewall permitting the tunnel ports:

access-list VPN permit icmp any host

access-list VPN permit udp any host eq 10000

access-list VPN permit udp any host eq isakmp

access-list VPN permit esp any host

I have static routes (for the remote subnet) on the HQ side: on the core switches pointing at the concentrator, on the VPN concentrator pointing out the public interface, and on the PIX pointing out the public interface.

I'm not sure if the routing around the DMZ/concentrator is set up correctly.

When doing a traceroute from HQ to the remote inside address, the packets get dropped at the concentrator.

The "show crypto ipsec sa" doesn't even seem to show counters for encryption and decryption on the 877.

eoinwhite Wed, 09/30/2009 - 08:21

The trouble was the "any" in my access-list. Either the concentrator or the router didn't like it, so I changed it to

Also, I changed the static route on the concentrator pointing to the remote inside VLAN to use the next hop rather than the exit interface.

Don't know why it worked but it did.
