IPSec VPN Troubleshooting

Unanswered Question
Nov 15th, 2013
User Badges:
  • Silver, 250 points or more

So, I have a site-to-site tunnel, and I'm trying to verify end-to-end connectivity.

On the initiating side, Site A, I can see this traffic hitting the internal interface on the local router, and I can see traffic hitting the crypto ACL on the same router. So I'm assuming traffic from that specific host going to the other side's host on a specific port is making it through. On Site B, the receiver, I can't see outbound traffic going out the LAN for some reason, whereas for the other several tunnels on this router, I can see traffic leaving outbound on the internal interface on Site B.

Can I run a debug, or anything, that could show traffic from Host A to Host B on the Site B router, with the specific port, and not just source/destination network?

Marius Gunnerud Fri, 11/15/2013 - 06:06
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP, 2017 Firewalling
Which devices are used to terminate the VPNs at both ends?  If these are routers and you are seeing the traffic go to the LAN on one side but not the other, then it might be that the crypto ACLs are misconfigured at one side or the other...or both for that matter.  If there are ASAs that are terminating the VPN then it could either be the crypto ACLs or a misconfigured NAT exempt statement.


Are you sure that the tunnel is up?


show crypto isakmp sa


Please rate any helpful posts
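The crypto ACL mismatch raised above can be checked offline rather than by staring at two configs side by side. The following is an added Python example, not code from this thread or from Cisco: it parses a simplified subset of IOS-style extended ACL syntax (ip/udp/tcp; `any`, `host` and address/wildcard pairs; numeric `eq` ports only), evaluates a single flow such as HostA to HostB on UDP 10000 against each side's crypto ACL, and lists entries whose exact mirror image is missing on the peer. The two ACLs are constructed for the example; Site B's host entry deliberately carries the port on the destination, which is not the mirror of Site A's entry because the peer sees that port as the flow's source.

```python
"""Crypto ACL mirror-image check (added example, assumptions noted inline).

Handles only this IOS-style subset:
  access-list N permit|deny PROTO SRC [eq PORT] DST [eq PORT]
PROTO is ip/udp/tcp; SRC/DST are `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`;
ports are numeric.  Remarks, named-ACL headers and blank lines are ignored.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "udp" or "tcp"
    src: ipaddress.IPv4Network
    sport: Optional[int]         # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "A.B.C.D WILDCARD": an IOS wildcard is the bitwise inverse of a netmask
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF))
    return ipaddress.ip_network((tok, netmask), strict=False), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional `eq PORT` at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> List[AclEntry]:
    """Turn ACL config lines into AclEntry objects, in configured order."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:
            tokens = tokens[2:]              # drop "access-list N"
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                         # remark, header or blank line
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        entries.append(AclEntry(action, proto, src, sport, dst, dport))
    return entries


def evaluate(entries: List[AclEntry], src_ip: str, dst_ip: str, proto: str,
             sport: Optional[int] = None, dport: Optional[int] = None) -> Optional[str]:
    """First-match evaluation of one packet; None means no line matched (implicit deny)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return None


def mirror(e: AclEntry) -> AclEntry:
    """The line the peer must carry: source and destination, ports included, swapped."""
    return AclEntry(e.action, e.proto, e.dst, e.dport, e.src, e.sport)


def mirror_gaps(local: List[AclEntry], remote: List[AclEntry]) -> List[AclEntry]:
    """Entries of `local` whose exact mirror image does not appear in `remote`."""
    remote_set = set(remote)
    return [e for e in local if mirror(e) not in remote_set]


# Constructed sample crypto ACLs for two sites (not the poster's configuration).
SITE_A_CRYPTO_ACL = """\
access-list 101 remark interesting traffic towards Site B
access-list 101 permit udp host 10.1.1.10 host 10.2.2.20 eq 10000
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
# Site B's host line puts the port on the destination; the true mirror of
# Site A's line is "permit udp host 10.2.2.20 eq 10000 host 10.1.1.10".
SITE_B_CRYPTO_ACL = """\
access-list 101 permit udp host 10.2.2.20 host 10.1.1.10 eq 10000
access-list 101 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    site_a, site_b = parse_acl(SITE_A_CRYPTO_ACL), parse_acl(SITE_B_CRYPTO_ACL)
    print("Site A matches HostA->HostB udp/10000:",
          evaluate(site_a, "10.1.1.10", "10.2.2.20", "udp", dport=10000))
    for gap in mirror_gaps(site_a, site_b):
        print("no mirror on Site B for:", gap)
```

Running the script reports the UDP host line as missing its mirror on Site B while the subnet line mirrors cleanly. Replacing Site B's first line with the port on the source clears the report in both directions, which is the quickest way to confirm the two crypto ACLs describe the same flows before moving on to debugs.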

JohnTylerPearce Fri, 11/15/2013 - 06:18
User Badges:
  • Silver, 250 points or more

Yeah, the tunnel is up, this has been verified. Traffic is currently passing through this tunnel without any problems, except for one port. I can see traffic coming from HostA to HostB on UDP port 10000 match on an ACL I have on the internal interface, as well as the same traffic from HostA to HostB matching on the crypto ACL with destination port UDP 10000.

But on the receiver, I have an ACL that is looking for matching traffic from HostA to HostB on destination port UDP, outbound on the internal interface, and no matches can be seen. Although on several other tunnels that are terminated on the HostB router, I can see matches perfectly fine.

It's really rather strange, I have verified no ACL issues either...

Marius Gunnerud Fri, 11/15/2013 - 06:22
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP, 2017 Firewalling

Would you be able to post a full sanitized configuration of both routers?
