Site-to-site VPN Connection Problem

Unanswered Question
Mar 21st, 2010
User Badges:

Hi All,

Got a site-to-site VPN problem. My main main site has  site-to-site VPN connection to two remote sites. It also acts as VPN server to remote clients.

Main site uses Pix 515e while the remote sites both have Pix 501. All connections was working perfectly but all of a sudden the site-to-site connections went down. /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} We were able to get Phase 1 going, but no packets seem to be making it across the VPN.  "Show cry ipsec sa" at the main site shows packets being decapsulated, but there is no corresponding encapsulation. While on the two remote sites, no decapsulation is taking place, Only Encapsulation.  I have verified the crypto map access lists to identify the interesting traffic, verified the traffic is in a "no nat" statement, that sysopt connection permit-ipsec is on, and that the isakmp keys match, and the ip addresses are correctly entered....transform sets and isakmp policys match.I don't know if I'm still missing something  in the config. Both the site-to-site connection went down at the same time.On the other hand, no problem is encountered by the remote vpn users. I have attached the configuration for the main site and Site B.Unfortunately I cannot get a copy of the config on the other remote site.

Thanks !

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Sun, 03/21/2010 - 20:58
User Badges:
  • Cisco Employee,

Hi Lloyd,

On your main site, there is overlapping crypto ACL statements:

"crypto map outside_map 40 match address outside_cryptomap_40" overlaps with "crypto map outside_map 80 match address outside_cryptomap_80", and they are terminating 2 different peers.

"outside_cryptomap_40" ACL is exactly the same as "outside_cryptomap_80".

Hope that helps.

oyd110380 Sun, 03/21/2010 - 23:14
User Badges:

Hi Halijenn,

Thanks for your reply. Still encountering the same problem. Regarding the crypto-acl issue, I checked the config

on the main site and those ACL that you pointed out are actually different. May have made a mistake while transferring the config to notepad.

Sorry for that. Anyway I'm re-attaching the config of main site.


Jennifer Halim Sun, 03/21/2010 - 23:23
User Badges:
  • Cisco Employee,

Looking through the config, you are using ip pool for remote access in the same subnet as your internal and the other site LAN, which is not recommended. For remote access ip pool, please configure a unique subnet for it. Configuring ip pool in the same subnet as your internal network and/or same subnet as the remote LAN site could cause lots of issue.

Also, perform "clear cry ipsec sa" and "clear cry isa sa" after making the changes.

oyd110380 Mon, 03/22/2010 - 01:41
User Badges:

Hi Halijenn

Just change the ip pool for remote clients and issued "clear crypto ipsec sa" and "clear crypto isakmp sa" , unfortunately we are still encountering the same problem. No Encapsulation on the main site, only decaps. Any other ideas?

Really appreciate your inputs.


Jennifer Halim Mon, 03/22/2010 - 01:55
User Badges:
  • Cisco Employee,

What traffic did you try to pass from the remote site towards the main site?

Do you mind sharing the complete configuration of the main site. Thanks.

oyd110380 Mon, 03/22/2010 - 03:02
User Badges:

Here is the config from the main site with some changes to the IP addressing. For the Ip Pool of remote clients I have used vpnpool2.

Have also tried using  "identity address" to no avail.


Jennifer Halim Mon, 03/22/2010 - 03:10
User Badges:
  • Cisco Employee,

Sorry, but seems like the configuration does not match to the changes that you have performed. The reason why I say that is because if you don't include the whole configuration, there might be overlapping ACL, etc and it's difficult to just view part of the configuration and advise you the issue.

Please also send through the complete output of "show crypto ipsec sa". Thanks.

oyd110380 Tue, 03/23/2010 - 00:55
User Badges:

I'm reattaching it again.This is the original config when VPN connection failed. I revert back to it since the changes that I made did not work.

Things that I have done are used vpnpool2(different subnet for remote vpn clients). Used " identity address" instead of hostname for both Pix Firewalls.

Those changes no longer reflect in the attached config. Attached also is the "sh crypto ipsec sa" command.

Additional Question. With regards to Remote vpn client users, Once they have established VPN connection with the Easy VPN server(which is the PIX at the main site), will they also be able to access resources to the two other site that have a site-to-site VPN connection with the  main site?

Jennifer Halim Tue, 03/23/2010 - 04:39
User Badges:
  • Cisco Employee,

The version of software that you are currently running on your PIX does not support traffic from remote access vpn client towards the remote site via the LAN-to-LAN tunnel. In version 7.0 and above, you can configure "same-security-traffic permit intra-interface", plus adding the correct crypto ACL on the site to site tunnel for the vpn client access to the remote site via the lan-to-lan tunnel.

In regards to the LAN-to-LAN tunnel, can you please advise what type of traffic you are trying to send across the tunnel?

Can you also  make sure that default gateway for your main site LAN has not change? it is still as per the config? From the remote site, can you ping

Also can you add "fixup protocol icmp error". Thanks.


This Discussion