09-22-2010 11:01 AM - edited 02-21-2020 04:52 PM
Hi,
I have a multi-mesh IPsec VPN over PIX, ASA and 2811 routers between various sites. For a new site with ASA 7.2.4,
surprisingly, when I initiate traffic from the ASA side the tunnel is up and hosts between the sites can ping each other.
When the session has ended or the ISAKMP SA is cleared and an initiation from the other sites is attempted, the VPN tunnel is up but cannot ping from any remote site.
Has anyone faced this before? NAT traversal and sysopt are all enabled, PFS is disabled.
09-22-2010 12:52 PM
I've seen that you can only initiate a tunnel from one side in some cases:
1. When having the initiator-only command
2. When doing PAT through the VPN tunnel
3. When having IPsec redundancy
Maybe you have one of the above scenarios?
Federico.
09-23-2010 08:28 AM
Hi,
You say that if you ping from a remote site the tunnel comes up but the ping fails. Can you confirm that the IPsec tunnel is really up, i.e. you have bi-directional IPsec SAs? If so, can you see the ping packets being encrypted at the remote site device?
09-23-2010 10:25 AM
Hey,
Can you confirm if the NAT exemption has been configured properly for both ends? Also check the crypto ACLs on both ends. It should be one of these issues. As I understand, when the tunnel is initiated from the router end, the tunnel comes up but you are unable to ping anything? In case the NAT exempt ACL and crypto ACL are configured correctly, please check for the "ip nat inside source" statement on the router. There should be only one patting statement for the crypto map interface. In case there are multiple statements, then remove the one that does not have the NAT exempt ACL in it.
09-24-2010 06:13 AM
Thanks a ton guys for your replies, I have finally made it work.
My mistake: I had created the dynamic ipsec-isakmp on the same crypto map with a sequence no. 1; it just left me that it should come in the least order with the static.
It works fine now.
Thanks again.
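Added example, not part of the thread: a small Python check for the misordering described in the last post, where a dynamic crypto map entry carries a lower sequence number than the static entries on the same crypto map and is therefore evaluated first. The sample configuration (map names, ACL names, peer addresses) is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed ASA-style sample (names, ACLs and peers are made up).
SAMPLE_CONFIG = """\
crypto dynamic-map DYN-REMOTE 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 1 ipsec-isakmp dynamic DYN-REMOTE
crypto map OUTSIDE-MAP 10 match address ACL-SITE-A
crypto map OUTSIDE-MAP 10 set peer 192.0.2.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address ACL-SITE-B
crypto map OUTSIDE-MAP 20 set peer 192.0.2.20
crypto map OUTSIDE-MAP interface outside
"""

# Matches "crypto map <name> <seq> <rest>"; the "interface" line has no seq.
ENTRY = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

def parse_crypto_maps(config):
    """Return {map_name: {seq: 'dynamic' | 'static'}}."""
    maps = defaultdict(dict)
    for line in config.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        if rest.startswith("ipsec-isakmp dynamic "):
            maps[name][seq] = "dynamic"
        else:
            maps[name].setdefault(seq, "static")
    return dict(maps)

def misordered_dynamic_entries(config):
    """List (map, dynamic_seq, static_seqs_evaluated_after_it) findings."""
    findings = []
    for name, entries in sorted(parse_crypto_maps(config).items()):
        static = sorted(s for s, k in entries.items() if k == "static")
        for seq in sorted(s for s, k in entries.items() if k == "dynamic"):
            later = [s for s in static if s > seq]
            if later:  # dynamic entry is matched before these static peers
                findings.append((name, seq, later))
    return findings

if __name__ == "__main__":
    for name, seq, later in misordered_dynamic_entries(SAMPLE_CONFIG):
        print(f"{name}: dynamic entry {seq} precedes static entries {later}")
```

Moving the dynamic entry to the highest sequence number on the map (for example 65535) clears the finding.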