I've got an 1841 connected via EasyVPN to our ASA. The EasyVPN connection is set up in network extension mode with no split-tunneling. The problem I'm having is that the traffic is not being directed into the tunnel. If I do a traceroute on the traffic, it seems to never reach a next hop. I'm kind of confused because the tunnel is built and connected.
Any ideas? All of my other EasyVPN tunnels are operating correctly except these two 1841s.
I would start by looking at the negotiated IPsec SAs on the client and server. Do you see packets being encapsulated on the spoke but not decapsulated on the hub, or vice versa? If so, ESP or UDP 4500 traffic may be getting blocked along the path between the peers. If all of the counters are zero, you will want to double-check your routing and NAT configuration.
If I ping from the spoke, I see the packets encap'd and encrypt'd. I'm seeing the packets decap'd and decrypt'd at the hub. But the encap counter at the hub is still 0. What I think this means is that the spoke is correctly sending packets, the hub is correctly receiving the packets, but the hub is not responding and sending back encapsulated packets.
This is usually due to a routing, NAT, or packet filtering issue. You can always perform a packet capture on the hub host to validate that your test traffic is being received and replied to. You can then configure an input ACL with logging on the hub router inside interface to confirm that the traffic in question is being received. If it is, you will want to review the above three items for accuracy. Feel free to post your config if you want me to review.
I feel like a giant idiot, but I found out what the problem was. I'm going to swallow my pride and just own up to it.
I have been configuring these two routers by consoling into them, and because of that I did not have anything plugged into the Ethernet inside interface. So the tunnel was built, but pings were failing. I plugged a laptop in to test it, and magically it worked. I suppose that either adding a loopback interface as an inside interface or just plugging a computer in to test would have solved this issue.
Thanks for posting back to the forum and indicating that you had solved the problem and what it was that solved the problem. It makes the forum more useful when people can read about an issue and can then read an explanation of what the problem was and what was done to solve the problem. In this case it may be especially helpful, as it reminds us that sometimes the problem is as simple as an interface being down (because nothing was plugged into the interface). You may have swallowed a bit of pride, but you have been helpful to the forum.
I have definitely done that before: trying to ping the SVI without a PC connected. The easiest approach to testing, as you said, is to configure a pair of loopback interfaces and then source pings from them in order to confirm that the tunnel is working.
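As an added example (not from any post in this thread), the spoke-side loopback and sourced ping that the last two replies suggest, together with the logging ACL on the hub inside interface that the earlier reply describes. A loopback interface is always up/up, so it serves as an inside interface for the test even when nothing is cabled to the physical LAN port. The EasyVPN profile name EZ, the loopback address 192.168.10.254, the hub inside host 10.1.1.10 and the ASA ACL name INSIDE_IN are assumptions for illustration, not values from the thread.

```cisco
! --- Spoke: Cisco 1841 EasyVPN remote (assumed profile name "EZ") ---
! A loopback never goes down because of a missing cable, so it can stand
! in for the inside LAN while the router is being configured over console.
interface Loopback10
 description EasyVPN inside test interface (assumed address)
 ip address 192.168.10.254 255.255.255.255
 crypto ipsec client ezvpn EZ inside
!
! Exec mode: source the test from the loopback so the packet is an
! inside-to-inside packet rather than one from the WAN address.
ping 10.1.1.10 source Loopback10 repeat 5
!
! Spoke-side check: "pkts encaps" should increase with each ping.
! If "pkts decaps" stays at 0, the hub is not sending replies into the tunnel.
show crypto ipsec sa
show crypto ipsec client ezvpn

! --- Hub: ASA inside interface, log the test traffic (assumed ACL name) ---
! The trailing "permit ip any any" keeps the default inside-to-outside
! behaviour once an ACL is bound to the interface.
logging enable
logging buffered informational
access-list INSIDE_IN extended permit icmp host 10.1.1.10 host 192.168.10.254 log
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
!
! A rising hit count on the first entry (or %ASA-6-106100 messages) means the
! inside host is replying; then compare "pkts encaps" on the hub's SA.
show access-list INSIDE_IN
show logging | include 106100
show crypto ipsec sa
```

If the ACL hit count rises but the hub's encaps counter stays at 0, the reply is reaching the ASA and is not being routed into the tunnel, which points at routing or NAT on the hub; if the hit count stays at 0, the reply never leaves the inside host, which points at the host or the inside network, exactly as the original poster found.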