Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1064
Views
0
Helpful
5
Replies

VPN Tunnel Up but no access to resources

drikilbride
Level 1
Level 1

‎04-20-2010 03:13 AM

Hi

I have Site A and Site B connected with a Site to Site VPN.

Now the tunnel seems to be up but nothing is going between the two sites.

From site B I need to access resources on the 10.255.0.0 network. I have probably made a NAT change that is causing problems but I cant seem to spot it.

Users in Site B have full internet access so the line isn't an issue.

Thanks in advance

Labels:
63555-SiteB.txt.zip
63556-SiteA.txt.zip
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎04-20-2010 03:22 AM

On site B, you have 2 crypto map entries with exactly the same crypto ACL:

access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0
access-list outside_2_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.255.0.0 255.255.0.0

Crypto map sequence 1 and sequence 2 are matching the same traffic, however, it's going to different peers. This is not supported.

0 Helpful

drikilbride
Level 1
Level 1
In response to Jennifer Halim

‎04-22-2010 02:35 AM

Hi

Just coming back to you on this.

From the ASDM CLI I put in no access-list outside_1_ ....... and it said the command was completed successfully.

Although I still have the same problem.

When I look at the VPN Statistics on Site B I can see the TX value is 0 but the Rx value is increasing. So I am getting traffic from Site A, I just cant send traffic to it.

Site A corresponds to this, TX value is increasing but RX value is staying at 0.

Also when I ask the ASDM to display the running config in a new window I still see access-list outside_1_ there which I have just removed.

Thanks again for your help.

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to drikilbride

‎04-22-2010 04:30 AM

Please remove "outside_map 1" crypto map all together:

no crypto map outside_map 1 match address outside_1_cryptomap_1
no crypto map outside_map 1 set pfs group1
no crypto map outside_map 1 set peer XXXXXXXX
no crypto map outside_map 1 set transform-set ESP-3DES-SHA

Then clear the tunnels: "clear cry ipsec sa" and "clear cry isa sa"

0 Helpful

drikilbride
Level 1
Level 1
In response to Jennifer Halim

‎04-22-2010 07:33 AM

Hi

I did all that but still no luck.

TX on SiteB 0, RX is increasing.

Here is the config for SiteB now.

Thank you.

63672-SITEB.TXT.zip
0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to drikilbride

‎04-23-2010 04:15 AM

Can you ping 192.168.1.1 from site A LAN?

Is site B LAN default gateway the ASA inside interface (192.168.1.1)? and also site B host, is there any personal firewall enabled (as sometimes it wouldn't allow inbound connection if it's on).

0 Helpful
Customers Also Viewed These Support Documents