EasyVPN Not Passing a Subnet

Unanswered Question
Jun 4th, 2010

I've got my ASA 5505 acting as an EasyVPN server and I have multiple remote clients configured and I can pass traffic to all of them from my 10.10.0.0 /16 subnet except to a single remote client (10.154.139.0 /24).

When I check my ezvpn1 access-list everything looks in order. When I do a traceroute from the 10.10.0.0/16 subnet I can see that the traffic is reaching the outside interface of the ASA server, but it's not hitting the Internet next hop, so I know it's getting picked up for nonat, but for some reason it's not getting picked up and sent across the tunnel. I've included my config if anyone can take a look and see why traffic from 10.10.0.0 /16 is not getting sent across the tunnel bound for 10.154.139.0 /24.

Stumped,

Robert

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tprendergast Fri, 06/04/2010 - 12:18

Try adding:

route inside 10.154.139.0 255.255.255.0 10.100.154.1 1

Let us know if that works.

Robert Juric Fri, 06/04/2010 - 13:33

Doing that normally breaks the tunnels, but just for S&Gs I tried it to no avail.

Robert

tprendergast Fri, 06/04/2010 - 13:39

Can you access the other side device? Are you sure that remote system is not natting your traffic back or sending it to the internet instead of across the return tunnel? I'd check the remote side and make sure the traffic got there, decrypted, and was processed. Then check if it re-encrypts back out, or if it just sends it out to the internet incorrectly.

That route was a stab in the dark, since that subnet is the only one I saw that wasn't set to an inside route path.

What is the source IP you are trying, and the destination IP you are trying to reach?

IE, are you sourcing a ping from 10.10.1.1 to 10.154.139.1?

Robert Juric Fri, 06/04/2010 - 13:57

I am trying to reach 10.154.139.1 /24 from 10.10.1.1 /16, which is not making it through the tunnel. However if I jump over to another subnet I can source a ping from 10.100.154.1 /16 to 10.154.139.1 /24 without any problems. I don't think it's a tunnel issue but for some reason the 10.10.0.0/16 subnet will not pass through the tunnel.

Robert

tprendergast Fri, 06/04/2010 - 14:02

My supposition is that the issue is on the other side.

Do: sh crypto ipsec sa

Do you see the pkts encaps increasing with your ping attempts? If so, it's encrypting it and sending it over the tunnel but pkts decaps should probably be low or 0 if it is not coming back across the tunnel.

Actions

This Discussion