
New Member

Could not PING servers on the LAN from a VPN Client

Hi All,

Users are not able to ping servers on the LAN when connected via VPN to an ASA5510 configured as an Active/Standby failover pair. They could connect via VPN but couldn't PING or launch Microsoft Outlook. I included the command "crypto isakmp nat-traversal 20" but users still couldn't PING. I increased the value to 360. Still no luck.

Also, four out of the six L2L tunnels came up and I could pass traffic over them. But two came up and went down in less than half a second. For the remaining two, I got the following errors in the ASA log:

4|Jun 07 2008|15:58:44|113019|||||Group = 220.x.x.194, Username = 220.x.x.194, IP = SHANGHAI-PIX, Session disconnected. Session Type: IKE, Duration: 0h:00m:32s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Error

3|Jun 07 2008|15:58:44|713902|||||Group = 220.x.x.194, IP = 220.x.x.194, Removing peer from correlator table failed, no match!

1|Jun 07 2008|15:58:44|713900|||||Group = 220.x.x.194, IP = 220.x.x.194, construct_ipsec_delete(): No SPI to identify Phase 2 SA!

3|Jun 07 2008|15:58:44|713902|||||Group = 220.x.x.194, IP = 220.x.x.194, QM FSM error (P2 struct &0xd5830b58, mess id 0x8508c326)!

From the log in the ASDM, I was asked to contact the Cisco TAC if the problem persists.

Any ideas on what I might be doing wrong would be much appreciated.

Find attached my config as well.

Best regards.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Could not PING servers on the LAN from a VPN Client

WoW! pretty long config there :).

Try to check your split tunnel ACLs. Also, what is the point of split tunneling (specified) if your ACL = any? Why not leave out the split tunneling altogether?

Also for the Site to Site VPNs, why do you have two crypto maps for each site? 3DES/DES?

Seems to be a Phase 2 mismatch. Also make sure PFS is enabled on both sides and using the same DH group (phase 2 DH group).

Regards

Farrukh

6 REPLIES


New Member

Re: Could not PING servers on the LAN from a VPN Client

Thanks for your response Farrukh. I have modified the crypto maps.

I want split tunneling for the VPN clients. How do I tidy up my config in order to allow split tunneling?

Best regards.

New Member

Re: Could not PING servers on the LAN from a VPN Client

Hi,

I have a doubt about your ST ACLs...

That's why you are facing QM FSM errors.

Do mention your networks in the ST ACLs (without using any).

HTH
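As an added example (not the original poster's attached config and not any replier's text), the ASA CLI fragment below shows the two fixes this thread converges on: a split-tunnel ACL that lists the LAN networks instead of "any", and a single crypto map entry per site-to-site peer with the PFS setting agreed on both sides. Every name and address in it is assumed (SPLIT_TUNNEL, VPN_CLIENTS, NONAT, OUTSIDE_MAP, the 10.x.x.x LAN subnets and the 192.168.100.0/24 client pool); the peer 220.x.x.194 is the redacted address from the log above. The NAT-exemption lines go one step beyond what the thread states and use pre-8.3 syntax, which is what an ASA 5510 of that era runs.

```cisco
! --- Remote-access side: split tunneling ---
! BEFORE (the shape the thread describes): a split-tunnel list of "any"
! sends every destination through the tunnel, so "tunnelspecified" adds
! nothing and the client gets no specific LAN routes.
access-list SPLIT_TUNNEL standard permit any

! AFTER: list only the LAN networks VPN users should reach. These are the
! routes that show up in the VPN client's Statistics > Route Details tab.
! Subnets are constructed for this example.
no access-list SPLIT_TUNNEL standard permit any
access-list SPLIT_TUNNEL standard permit 10.1.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 10.1.2.0 255.255.255.0

group-policy VPN_CLIENTS internal
group-policy VPN_CLIENTS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL

! Exempt LAN-to-client traffic from NAT (pre-8.3 syntax, assumed here).
! Without it the reply to the client pool is translated and pings never
! return. 192.168.100.0/24 is the assumed VPN client address pool.
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list NONAT extended permit ip 10.1.2.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- Site-to-site side: one crypto map entry per peer, matching PFS ---
! BEFORE: two entries for the same peer and the same interesting traffic,
! one 3DES and one DES. It is then ambiguous which transform set the peer
! has to agree on, and a proposal that fails to match surfaces exactly as
! "QM FSM error" / "Phase 2 Error" in the log above.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
access-list L2L_SHANGHAI extended permit ip 10.1.1.0 255.255.255.0 10.50.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address L2L_SHANGHAI
crypto map OUTSIDE_MAP 10 set peer 220.x.x.194
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 match address L2L_SHANGHAI
crypto map OUTSIDE_MAP 20 set peer 220.x.x.194
crypto map OUTSIDE_MAP 20 set transform-set ESP-DES-SHA

! AFTER: drop the duplicate entry, keep one transform set, and make the PFS
! setting identical on both peers: either both sides "set pfs group2" (the
! accepted answer's advice) or neither side sets PFS (what the original
! poster ended up doing). A PFS/DH-group mismatch fails Phase 2 even when
! Phase 1 completes, which is why the session shows 0 bytes in each direction.
no crypto map OUTSIDE_MAP 20 match address L2L_SHANGHAI
no crypto map OUTSIDE_MAP 20 set peer 220.x.x.194
no crypto map OUTSIDE_MAP 20 set transform-set ESP-DES-SHA
crypto map OUTSIDE_MAP 10 set pfs group2
crypto map OUTSIDE_MAP interface outside

! Verify: Phase 1 up, Phase 2 SAs present, packet counters rising both ways.
! show crypto isakmp sa
! show crypto ipsec sa peer 220.x.x.194
! show vpn-sessiondb remote
```

The split-tunnel list and the NAT exemption must describe the same LAN networks; if a subnet appears in one and not the other, the client either has no route to it or gets no replies from it, and the symptom is the same "connected but can't ping" the thread opens with.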

New Member

Re: Could not PING servers on the LAN from a VPN Client

Thanks everyone for your help.

I removed the "any" and specified the networks I want VPN users to access behind the ASA, disabled PFS for the site-to-site VPN, removed duplicated crypto maps and did a few more tweaks, and that fixed the problem.

Regards.

New Member

Re: Could not PING servers on the LAN from a VPN Client

After connecting through the VPN client, just check the statistics of the VPN client to see whether you are getting the required routes there.
