×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

EasyVPN Not Passing a Subnet

Unanswered Question
Jun 4th, 2010
User Badges:

I've got my ASA 5505 acting as an EasyVPN server and I have multiple remote clients configured and I can pass traffic to all of them from my 10.10.0.0 /16 subnet except to a single remote client (10.154.139.0 /24).


When I check my ezvpn1 access-list everything looks in order. When I do a traceroute from the 10.10.0.0/16 subnet I can see that the traffic is reaching the outside interface of the ASA server, but it's not hitting the Internet next hop, so I know it's getting picked up for nonat, but for some reason it's not getting picked up and sent across the tunnel. I've included my config if anyone can take a look and see why traffic from 10.10.0.0 /16 is not getting sent across the tunnel bound for 10.154.139.0 /24.


Stumped,

Robert

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tprendergast Fri, 06/04/2010 - 12:18
User Badges:
  • Silver, 250 points or more

Try adding:


route inside 10.154.139.0 255.255.255.0 10.100.154.1 1


Let us know if that works.

Robert Juric Fri, 06/04/2010 - 13:33
User Badges:

Doing that normally breaks the tunnels, but just for S&Gs I tried it to no avail.


Robert

tprendergast Fri, 06/04/2010 - 13:39
User Badges:
  • Silver, 250 points or more

Can you access the other side device? Are you sure that remote system is not natting your traffic back or sending it to the internet instead of across the return tunnel? I'd check the remote side and make sure the traffic got there, decrypted, and was processed. Then check if it re-encrypts back out, or if it just sends it out to the internet incorrectly.


That route was a stab in the dark, since that subnet is the only one I saw that wasn't set to an inside route path.


What is the source IP you are trying, and the destination IP you are trying to reach?


IE, are you sourcing a ping from 10.10.1.1 to 10.154.139.1?

Robert Juric Fri, 06/04/2010 - 13:57
User Badges:

I am trying to reach 10.154.139.1 /24 from 10.10.1.1 /16, which is not making it through the tunnel. However if I jump over to another subnet I can source a ping from 10.100.154.1 /16 to 10.154.139.1 /24 without any problems. I don't think it's a tunnel issue but for some reason the 10.10.0.0/16 subnet will not pass through the tunnel.


Robert

tprendergast Fri, 06/04/2010 - 14:02
User Badges:
  • Silver, 250 points or more

My supposition is that the issue is on the other side.


Do: sh crypto ipsec sa


Do you see the pkts encaps increasing with your ping attempts? If so, it's encrypting it and sending it over the tunnel but pkts decaps should probably be low or 0 if it is not coming back across the tunnel.

Actions

This Discussion