Cisco Support Community

New Member

Router not passing ESP traffic

I am having a very strange problem, I hope someone can offer insight. I have a Cisco 3845 w/IOS ver ipbase-12.4(2)XA which is directly connected to my ISP. Behind the router I have a VPN concentrator. I am having a problem passing ESP traffic over established LAN-to-LAN tunnels. I can initiate the tunnel from the concentrator and confirm that the tunnel completes phase II; however, when I try to ping the host on the other side I don't receive any replies. The customer swears he sees the encrypted replies being sent to me. I put a sniffer on the public interface of the concentrator and don't see any ESP packets coming back from him (only the pings going out); I also sniffed the inside interface of the router and don't see his reply ESP packets. When I do a "show ip cache flow" I see that his return packets are hitting the external face of the router, but for some reason they never pass the router to the inside interface and on to the concentrator. The router is somehow dropping them. I have an ACL on the external interface of the router; however, I confirmed that I am not blocking anything from this host (the other side of the VPN connection). I also went as far as putting a permit statement at the top of the ACL to allow all packets from this host. Still no luck. I am completely stumped by this problem; if anyone has any ideas please let me know. Thanks.

Hall of Fame Super Silver

Re: Router not passing ESP traffic

It might help us identify the problem if you could post the config of the router.

New Member

Re: Router not passing ESP traffic

Try this in your access list:

access-list 123 permit gre any any
access-list 123 permit esp any any
access-list 123 permit ipinip any any
access-list 123 permit icmp any any
access-list 123 permit ip any any

to know for sure you're permitting ESP/GRE. Obviously tailor the access list to your own environment, as "any any" may not be appropriate. Failing that, post your config.
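As an added example that is not from either poster: a small Python evaluator for IOS extended ACL entries of the shape used in the reply above. It confirms that the list as posted ends in "permit ip any any" and therefore permits every packet that reaches it, which makes it a diagnostic for ruling the ACL in or out as the drop point rather than a production list, and it checks a tightened list that admits only IKE (UDP 500), NAT-T (UDP 4500) and ESP from the single VPN peer. The addresses 203.0.113.10 (remote peer) and 198.51.100.5 (concentrator) are constructed, not the poster's, and only the "eq" port operator and the plain "any" / "host" / address-plus-wildcard forms are handled.

```python
"""IOS-style extended ACL evaluator for checking IPsec traffic.

Added example for this thread; not code from the posters. Addresses are
constructed documentation-range values (RFC 5737), not the poster's.
"""
import ipaddress

# Protocol keywords accepted in the ACEs this evaluator understands.
PROTOCOLS = {"ip", "icmp", "tcp", "udp", "gre", "esp", "ahp", "ipinip"}
# Named UDP ports relevant to IPsec: IKE and NAT-T.
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# The ACL from the reply: every entry is "any any" and the last one permits
# all IP, so nothing that reaches this list is ever denied.
POSTED_ACL = [
    "access-list 123 permit gre any any",
    "access-list 123 permit esp any any",
    "access-list 123 permit ipinip any any",
    "access-list 123 permit icmp any any",
    "access-list 123 permit ip any any",
]

# Constructed endpoints: the remote VPN peer and the concentrator's public
# address behind the router.
PEER = "203.0.113.10"
CONCENTRATOR = "198.51.100.5"

# A tightened list: only IKE, NAT-T and ESP from that one peer, log the rest.
TIGHT_ACL = [
    f"access-list 123 permit udp host {PEER} host {CONCENTRATOR} eq isakmp",
    f"access-list 123 permit udp host {PEER} host {CONCENTRATOR} eq non500-isakmp",
    f"access-list 123 permit esp host {PEER} host {CONCENTRATOR}",
    "access-list 123 deny ip any any log",
]


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = tokens.pop(0)
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
    netmask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT' operator (numeric or a known name)."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES.get(name) or int(name)
    return None


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    proto = tokens[3]
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol keyword: {proto}")
    rest = tokens[4:]
    src = _parse_addr(rest)
    sport = _parse_port(rest)
    dst = _parse_addr(rest)
    dport = _parse_port(rest)
    return {"action": tokens[2], "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "text": line}


def evaluate(acl_lines, proto, src, dst, dport=None, sport=None):
    """First-match evaluation; an IOS ACL ends in an implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if ace["sport"] is not None and ace["sport"] != sport:
            continue
        return ace["action"], ace["text"]
    return "deny", "implicit deny at end of list"


def ipsec_flows(acl_lines, peer, local):
    """Verdicts for the flows a LAN-to-LAN tunnel needs, plus one unrelated flow."""
    return {
        "isakmp": evaluate(acl_lines, "udp", peer, local, dport=500)[0],
        "nat-t": evaluate(acl_lines, "udp", peer, local, dport=4500)[0],
        "esp": evaluate(acl_lines, "esp", peer, local)[0],
        "stranger_telnet": evaluate(acl_lines, "tcp", "192.0.2.99", local, dport=23)[0],
    }


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("tightened", TIGHT_ACL)):
        print(name, ipsec_flows(acl, PEER, CONCENTRATOR))
```

The "stranger_telnet" flow is there to make the difference visible: the posted list permits it along with everything else, the tightened list drops it at the logged deny. If the evaluator reports permit for ESP from the peer on the real ACL and "show ip cache flow" still shows the packets arriving on the outside interface but never leaving the inside one, the ACL is not where they are being dropped, and the remaining inbound path on the router is the next place to look.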