
VPN showing MM_ACTIVE on both sides (5505 connecting to 5510) but cannot ping or access any hosts

Unanswered Question
Nov 5th, 2014

I have an ASA 5505 and a 5510 connected in an L2L VPN.

I am unable to ping hosts from either side.

I do have ICMP allowed on both sides.


Here is my config on the 5505:

crypto map outside 10 match address XXX
crypto map outside 10 set peer xxx.xxx.xxx.xxx
crypto map outside 10 set transform-set ESP-3DES-SHA

tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 30 retry 2


And on the 5510:

crypto map outside 5 match address XXX
crypto map outside 5 set peer xxx.xxx.xxx.xxx
crypto map outside 5 set transform-set ESP-3DES-SHA


Here is my output of sh ipsec sa on the initiator side:

interface: outside
    Crypto map tag: outside, seq num: 5, local addr: xxx.xxx.xxx.xxx

      access-list Starnet extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
      local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
      current_peer: xxx.xxx.xxx.xxx

      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7706CD01
      current inbound spi : CE605279

    inbound esp sas:
      spi: 0xCE605279 (3462419065)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 98324480, crypto-map: outside
         sa timing: remaining key lifetime (kB/sec): (4374000/27939)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x7706CD01 (1996934401)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 98324480, crypto-map: outside
         sa timing: remaining key lifetime (kB/sec): (4373985/27939)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Karsten Iwen Wed, 11/05/2014 - 12:24
The IPsec SAs on the initiator side show that you send traffic through the tunnel, but you don't get anything back. So you have to troubleshoot on the other side:

  1. Is ICMP configured to be stateful, or is echo-reply allowed on the inside ACL?
  2. Is your NAT exemption in place?
  3. Does the answer packet get back to the ASA? The internal routing could be wrong as well.
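The reply above draws its conclusion from the encaps/decaps counters in the `sh ipsec sa` output. As an added example (not part of the thread), the script below parses that output and classifies each SA as idle, one-way in either direction, or bidirectional, so the "137 encrypted, 0 decrypted" pattern is flagged automatically; the sample text and its documentation-range addresses are constructed, not the poster's real values.

```python
import re

# Constructed sample modelled on the "sh ipsec sa" output in the thread;
# addresses are documentation-range placeholders, not the poster's values.
SAMPLE = """\
interface: outside
    Crypto map tag: outside, seq num: 5, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (203.0.113.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")

def parse_ipsec_sas(text):
    """Split 'show crypto ipsec sa' output into one dict per crypto-map entry."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text)[1:]:
        sa = {"peer": None, "pkts encaps": 0, "pkts decaps": 0,
              "send errors": 0, "recv errors": 0}
        peer = PEER_RE.search(block)
        if peer:
            sa["peer"] = peer.group(1)
        for name, value in COUNTER_RE.findall(block):
            sa[name] = int(value)
        sas.append(sa)
    return sas

def diagnose(sa):
    """Classify traffic direction the way the reply above reasons about it."""
    enc, dec = sa["pkts encaps"], sa["pkts decaps"]
    if enc == 0 and dec == 0:
        verdict = "idle: nothing matched the crypto ACL; check interesting traffic"
    elif enc > 0 and dec == 0:
        verdict = ("one-way: local side encrypts but nothing returns; check the "
                   "remote inside ACL, NAT exemption and return routing")
    elif enc == 0 and dec > 0:
        verdict = ("one-way: remote traffic arrives but local replies are not "
                   "encrypted; check local NAT exemption, ACL and routing")
    else:
        verdict = "bidirectional: traffic flows both ways"
    if sa["send errors"] or sa["recv errors"]:
        verdict += " (SA also reports send/recv errors)"
    return verdict
```

Feed the full `show crypto ipsec sa` output to `parse_ipsec_sas()` and run `diagnose()` on each entry; a tunnel with several crypto-map entries yields one verdict per peer.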
