Site to Site VPN Tunnel

Jason Klingberg
Level 1

Hello Everyone,

I'm hoping someone will be able to help me figure out an issue that I'm having. I'm sure it's something simple that I'm missing.  What I have is a site to site vpn tunnel between a Cisco 2801 and a Cisco 1841 router.  The tunnel itself is up and running without a problem.  My issue is that I am unable to get traffic across the tunnel between the two sites.  For instance, I try to ping a computer in Site B from Site A and I get no response.  Try to run a tracert in Windows and it drops off at the router and goes no where.

Any ideas on what I may be missing?  I know the configuration information will help so let me know which pieces you'll need to see for that.

Regards,

Jason

4 Replies

Jason,

Check on both routers the output of the command "sh cry ips sa".

Sometimes one side is encrypting packets but the other side is not, so that will let us know where the problem is.

Also, if you cannot pass traffic through the tunnel, normally it is one of these problems:

- check the routing

- check that you're bypassing NAT for the interesting traffic (in case you're doing NAT)

- check that the default gateway for the internal LANs on both sides is the respective router

- check that ESP and ISAKMP 500 and ISAKMP 4500 are not being blocked.

Federico.

Hi Jason,

Check the ISAKMP first phase "sh cry isa sa" and second phase "sh cry ipsec sa"

Phase1:

* Assuming you use a preshared key, make sure the remote VPN peer IP address and key match between the two VPN devices' configurations
* Check the Phase 1 VPN tunnel up/down status between the two sites. On Cisco equipment, you can issue the show crypto isakmp sa command, which will show the up/down tunnel status between the local VPN peer IP address and the remote VPN peer IP address.
* Issue a simple connection test to the remote site (the remote VPN peer IP address) such as ICMP ping and traceroute (whenever possible)
* Rebooting one or both VPN devices might sometimes solve the VPN connectivity issue

Phase2:

* Make sure the data source and destination IP addresses or subnets match the regulating access list
* Check the data passing process between the two sites. On Cisco equipment, you can issue the show crypto ipsec sa command, which will show the SA (Security Association) counters for encrypted traffic (outgoing data) and decrypted traffic (incoming data)

Regards,

Naidu.
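Both replies above point at the same check: compare the encaps/decaps counters of "show crypto ipsec sa" on the two peers to see which direction is failing. The script below is an added example (not from anyone in this thread) that parses that output for both routers and names the likely cause for each asymmetric pattern: near side never encrypting (traffic not hitting the crypto map), far side never decrypting (ESP or UDP 500/4500 dropped in transit), or far side decrypting but never replying (default gateway or return route on the far LAN). The two sample outputs are constructed, with documentation addresses, and model the last of those cases; the field layout follows the standard IOS output but the counter values are invented.

```python
import re

# Constructed "show crypto ipsec sa" output from the Site A router (not from the thread).
SITE_A_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# Constructed output from the Site B router: it decrypts everything but never sends anything back.
SITE_B_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer 203.0.113.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 125, #pkts decrypt: 125, #pkts verify: 125
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
PEER_RE = re.compile(r"current_peer ([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per SA: protected local/remote subnets, peer and the traffic counters."""
    entries = []
    # Each SA entry begins with its "local ident" line; split the output there.
    for chunk in re.split(r"(?=^\s*local\s+ident)", text, flags=re.M):
        idents = {m.group(1): f"{m.group(2)}/{m.group(3)}" for m in IDENT_RE.finditer(chunk)}
        if "local" not in idents or "remote" not in idents:
            continue
        peer, enc, dec, err = (rx.search(chunk) for rx in (PEER_RE, ENCAPS_RE, DECAPS_RE, ERRORS_RE))
        entries.append({
            "local": idents["local"],
            "remote": idents["remote"],
            "peer": peer.group(1) if peer else None,
            "encaps": int(enc.group(1)) if enc else 0,
            "decaps": int(dec.group(1)) if dec else 0,
            "send_errors": int(err.group(1)) if err else 0,
            "recv_errors": int(err.group(2)) if err else 0,
        })
    return entries


def diagnose(near, far):
    """Compare the SAs of the two peers and return one finding per problem seen."""
    findings = []
    for sa in near:
        pair = f"{sa['local']} -> {sa['remote']}"
        # The far side must protect the same subnets with local/remote swapped.
        mirror = next((m for m in far if m["local"] == sa["remote"] and m["remote"] == sa["local"]), None)
        if mirror is None:
            findings.append(f"{pair}: no mirrored SA on the far side; compare the crypto ACLs")
            continue
        if sa["encaps"] == 0:
            findings.append(f"{pair}: near side never encrypts; traffic is not reaching the crypto map "
                            "(routing, NAT or interesting-traffic ACL)")
        elif mirror["decaps"] == 0:
            findings.append(f"{pair}: near side encrypts but far side never decrypts; "
                            "ESP or UDP 500/4500 may be filtered in transit")
        elif mirror["encaps"] == 0:
            findings.append(f"{pair}: far side decrypts but never replies; "
                            "check the far LAN's default gateway and return route")
        if sa["send_errors"] or mirror["send_errors"]:
            findings.append(f"{pair}: send errors present; the SA may have expired or the peer is unreachable")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(SITE_A_SHOW_CRYPTO_IPSEC_SA),
                         parse_ipsec_sa(SITE_B_SHOW_CRYPTO_IPSEC_SA)):
        print(line)
```

Run it against the real output of both routers captured a few seconds apart after a burst of pings; the counters are cumulative, so compare deltas rather than absolute values when the SA has been up for a while.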

I have a new tidbit to add that I just noticed as I was gathering some more information together.  The status of the tunnel comes up saying that it is UP-IDLE, not UP-ACTIVE.

Thoughts?

I'm working on cleaning up the configs in terms of blanking out some info that's not pertinent and will post those shortly.

Jason

Hi

Can you post the ACL that you configured in both routers for interesting traffic and if you.

Regards

Chetan kumar
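Two of the configuration checks asked for in this thread can be done offline from the two configs: that the crypto ACLs defining interesting traffic mirror each other, and that the NAT ACL on each side denies the VPN subnets before it permits anything (Federico's NAT-bypass point). The following is an added example, not posted by anyone in the thread, that parses numbered extended ACLs and performs both checks. The config fragments are constructed; it assumes ACL 101 is the crypto ACL and ACL 110 the NAT ACL on both routers, and only handles the `any`, `host` and address/wildcard forms of `access-list <n> permit|deny ip`.

```python
import ipaddress

# Constructed Site A config: the NAT ACL has no deny for the VPN traffic, so it would be translated.
SITE_A_CONFIG = """\
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
"""

# Constructed Site B config: the VPN pair is exempted from NAT before the general permit.
SITE_B_CONFIG = """\
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
"""

CRYPTO_ACL = "101"  # assumed numbering for this example
NAT_ACL = "110"


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard bits are the inverse of the netmask.
    netmask = ipaddress.ip_address((~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def parse_acls(config):
    """Return {acl_number: [(action, src_network, dst_network), ...]} in configured order."""
    acls = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action = tokens[1], tokens[2]
        src, rest = _take_addr(tokens[4:])
        dst, _ = _take_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def crypto_acls_mirror(acl_a, acl_b):
    """True when every permitted src->dst pair on one side appears as dst->src on the other."""
    forward = {(s, d) for act, s, d in acl_a if act == "permit"}
    reverse = {(d, s) for act, s, d in acl_b if act == "permit"}
    return forward == reverse


def nat_exempts_vpn(crypto_acl, nat_acl):
    """Return the crypto-ACL pairs that the NAT ACL would still translate (first match wins, as in IOS)."""
    leaked = []
    for act, src, dst in crypto_acl:
        if act != "permit":
            continue
        for nat_act, nat_src, nat_dst in nat_acl:
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):
                if nat_act == "permit":
                    leaked.append((str(src), str(dst)))
                break
    return leaked


if __name__ == "__main__":
    a, b = parse_acls(SITE_A_CONFIG), parse_acls(SITE_B_CONFIG)
    print("crypto ACLs mirror:", crypto_acls_mirror(a[CRYPTO_ACL], b[CRYPTO_ACL]))
    print("Site A pairs still NATed:", nat_exempts_vpn(a[CRYPTO_ACL], a[NAT_ACL]))
    print("Site B pairs still NATed:", nat_exempts_vpn(b[CRYPTO_ACL], b[NAT_ACL]))
```

A pair reported by nat_exempts_vpn is one whose source address gets rewritten before the crypto map sees it, so it never matches the interesting-traffic ACL and is sent out in the clear instead of through the tunnel.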
