SITE TO SITE VPN INITIATION ISSUE

Unanswered Question
Aug 12th, 2013

Hi All,

We are having trouble with a site to site VPN as follows:

PROBLEM

In this example we will use site A and site B. We have a Pix 515E at site A and a Cisco 1801 at site B with a site to site between the two. If we ping from site B to site A then the tunnel comes up and we can ping in either direction and traffic flows in both directions. If we try to ping from site A to site B to bring up the tunnel then the pings will fail. So, put another way, we can only initiate the tunnel from site B.

TROUBLESHOOTING SO FAR

We have checked the NAT and ACLs, all of which seem fine and seem comparable with other configs on working systems in the field.

Anyone have any suggestions or possible causes?

Regards,

fb_webuser Mon, 08/12/2013 - 16:17

Can you post the configs? Also, when behind the 1801, does the tunnel come up when you try to ping? What is shown when you do a show crypto ipsec or isakmp?

Also, you might try debug crypto ipsec/isakmp and try to initialize the tunnel. That debug should/would tell you the exact cause. Lastly, are you trying to ping from the 1801 to the PIX, or from a device behind the PIX?

---

Posted by WebUser Sean Waite from Cisco Support Community App

tech01cisco Tue, 08/13/2013 - 04:52

Hi All,

Please find answers to the questions so far and the config for the 1801.

We can ping from either a PC behind the 1801 or from the 1801 directly; either will bring up the tunnel. Alternatively, if we ping from the Pix we cannot initiate the tunnel. We have run debug on the 1801 but it shows nothing, as it seems the traffic is not getting over the VPN to the 1801. Just to recap: our problem is that we cannot initiate the tunnel from the Pix side, only from the 1801 side. Here is the sanitised config:


rt23#sh run
Building configuration...

Current configuration : 6871 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rt23
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret XXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.99.1 172.16.99.10
ip dhcp excluded-address 172.16.99.240 172.16.99.254
!
ip dhcp pool LAN23
   network 172.16.99.0 255.255.255.0
   default-router 172.16.99.1
   dns-server 172.16.99.1
   domain-name XXXXX
!
!
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip inspect tcp reassembly queue length 128
ip inspect tcp reassembly timeout 10
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip inspect name myfw sip
ip inspect name myfw icmp
ip inspect name myfw tcp timeout 3600
ip inspect name myfw http timeout 3600
ip ddns update method ddns
 HTTP
  add http://XXXXXXXXXXXXXXXXX
 interval maximum 0 0 10 0
 interval minimum 0 0 5 0
!
!
multilink bundle-name authenticated
!
!
username XXXXXXXXXXXXXXXXXX
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXXXX hostname ZZZZZZZZZZZZ
crypto isakmp keepalive 20 5
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set SET23 esp-3des esp-sha-hmac
!
crypto map MAP23 10 ipsec-isakmp
 set peer ZZZZZZZZZZ dynamic
 set transform-set SET23
 set pfs group2
 match address 100
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0
 description PPPoE Interface
 ip address dhcp
 shutdown
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 switchport access vlan 10
!
interface FastEthernet5
 switchport access vlan 10
!
interface FastEthernet6
 switchport access vlan 10
!
interface FastEthernet7
 switchport access vlan 10
!
interface FastEthernet8
 switchport access vlan 10
!
interface ATM0
 description DSL Modem
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 128
 no atm ilmi-keepalive
 pvc 0/38
  no oam-pvc manage
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 hold-queue 224 in
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 172.16.99.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 description Virtual DSL Interface
 ip ddns update hostname XXXXXXXXX
 ip ddns update ddns
 ip address negotiated
 ip access-group Internet-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXX
 ppp chap password XXXXXXXXX
 ppp pap sent-username XXXXXXXXX
 ppp ipcp dns request
 crypto map MAP23
 crypto ipsec df-bit clear
 hold-queue 224 in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended Internet-In
 permit icmp any any echo-reply
 permit tcp any any established
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 permit tcp any any eq 2221 log
 permit udp host 192.53.103.104 eq ntp any eq ntp
 permit tcp any any eq 22
 permit udp any any eq domain
 permit udp any eq domain any
 permit ip host XXXXXXXXXX any log
!
access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 remark CCP_ACL Category=16
access-list 101 deny   ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password XXXXXXXX
 transport input ssh
!
ntp update-calendar
ntp server 172.16.0.1 source Vlan10
end

===================================================================================

Thanks again,
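One of the checks the thread keeps circling back to ("we have checked the NAT and ACLs") can be made mechanical. The following is an added example, not code from the original post or from Cisco: it parses the crypto ACL (100) and the NAT route-map ACL (101) copied from the 1801 config above and confirms, under IOS first-match semantics, that VPN-bound traffic hits a deny in the NAT ACL before any permit. The helper names (`parse_acls`, `first_match`, `nat_exemption_problems`) are assumed for this example only.

```python
from ipaddress import IPv4Network

# Constructed sample: the crypto ACL (100) and the NAT route-map ACL (101)
# copied from the 1801 config posted above in this thread.
SAMPLE = """\
access-list 100 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 remark CCP_ACL Category=16
access-list 101 deny   ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.0.0.255 log
access-list 101 permit ip 172.16.99.0 0.0.0.255 any
"""

def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    # ipaddress reads a zero-leading mask as a wildcard, except 0.0.0.0, which IOS treats as a host
    mask = "32" if tokens[1] == "0.0.0.0" else tokens[1]
    return IPv4Network(f"{tokens[0]}/{mask}"), tokens[2:]

def parse_acls(text):
    """Return {acl_number: [(action, src, dst), ...]} in configured order; remarks are skipped."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # remarks and non-"ip" ACEs are outside this example's scope
        src, rest = _addr(tokens[4:])
        dst, _ = _addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls

def first_match(acl, src, dst):
    """First ACE (in order) whose src/dst cover the given networks: IOS first-match semantics."""
    for action, a_src, a_dst in acl:
        if src.subnet_of(a_src) and dst.subnet_of(a_dst):
            return action, a_src, a_dst
    return None

def nat_exemption_problems(acls, crypto_acl="100", nat_acl="101"):
    """Crypto-ACL flows whose first hit in the NAT route-map ACL is a permit (they would be NATed)."""
    # Translated packets no longer match the crypto ACL, so they leave in the clear instead
    # of triggering the tunnel. An implicit deny (no hit) means no translation, which is fine.
    problems = []
    for action, src, dst in acls.get(crypto_acl, []):
        hit = first_match(acls.get(nat_acl, []), src, dst)
        if action == "permit" and hit is not None and hit[0] == "permit":
            problems.append((src, dst))
    return problems
```

For the posted config the check comes back clean, which is consistent with the poster's own conclusion that NAT and ACLs on the 1801 are not the cause; the same parser can be pointed at the PIX-side ACLs once those are posted.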
