Cisco Support Community

Can Ping SVI but not end hosts over IPsec VPN


I am getting a very weird issue over a VPN:

Headend: ASA5510

Encrypted networks:

Remote: 3560-X

(Originally I had it as any network, as I wanted all traffic outbound from the remote site to come through the VPN. I have now changed this to the below, but I would like to put it back to 'any'.)

Phase 1 up

Phase 2 up

I can ping from a host at the headend to the remote site SVIs no problem, but I can't ping from the headend to any device attached to the switch. The devices attached to the switch are currently phones and wireless APs, but I have had the same result using a Windows laptop.

I have checked all the configuration a hundred times and just can't understand it. Has anyone seen this issue before?

The important bits of the configs are below:

Headend 5510:

tunnel-group type ipsec-l2l
tunnel-group general-attributes
 default-group-policy LDN-GP
tunnel-group ipsec-attributes
 pre-shared-key *****

group-policy LDN-GP internal
group-policy LDN-GP attributes
 vpn-filter none
 ipv6-vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec

crypto map outside_map 50 match address LDN-CRYPTO-ACL
crypto map outside_map 50 set peer
crypto map outside_map 50 set transform-set ESP-AES-256-SHA

access-list LDN-CRYPTO-ACL extended permit ip
access-list LDN-CRYPTO-ACL extended permit ip
access-list LDN-CRYPTO-ACL extended permit ip

nat (inside,outside) source static S-NETWORKS S-NETWORKS destination static LDN-NETWORKS LDN-NETWORKS

object network S-NETWORKS

object network LDN-NETWORKS

sysopt connection permit-vpn

Remote 3560:

crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 5

crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2

crypto isakmp key XXX address

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac

crypto map HEAD-OFFICE 10 ipsec-isakmp
 set peer
 set transform-set ESP-AES-SHA

ip access-list extended HEAD-OFFICE-CRYPTO-ACL
 permit ip
 permit ip
 permit ip

The routing table is showing all connected networks and the default route to the ISP gateway, so traffic going to the should use the default route.

No NATing is configured, as I don't want local breakout (and the 3560 doesn't support it).

All ACLs have been removed from the interfaces.

I do have auto QoS configured, but I have not changed any of the defaults.


Re: Can Ping SVI but not end hosts over IPsec VPN

Please paste the output of

sh cry isa sa

sh crypto ipsec sa

from both devices.

Do you mean to say you have configured NAT, or configured NO NAT, or did not configure NO NAT at all? I was not able to understand that.
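The reply above asks for `show crypto ipsec sa` from both ends. The script below is an added example, not code from the thread or from Cisco: it parses that output from both peers and reports, per IPsec SA (one per proxy-identity pair), the local/remote identities and the encaps/decaps counters, flagging SAs that carry traffic in one direction only and identity pairs that are not mirrored on the other peer. The two sample outputs are constructed for the example with RFC 5737 addresses (the thread's own ACL entries and peer addresses are not shown on the page); the `ASA_SAMPLE`, `SWITCH_SAMPLE`, `parse_ipsec_sa`, `one_way`, `unmirrored` and `report` names are this example's own.

```python
"""Cross-check `show crypto ipsec sa` from both ends of an IPsec L2L tunnel.

Sample outputs are constructed for this example (RFC 5737 addresses); they
are not captured from the devices in the thread.
"""
import re
from dataclasses import dataclass

# ASA prints "local ident", IOS prints "local  ident"; \s+ covers both.
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


@dataclass(frozen=True)
class IpsecSA:
    local: str    # "network/mask" as printed by the device
    remote: str
    encaps: int   # packets this peer encrypted and sent
    decaps: int   # packets this peer received and decrypted


def parse_ipsec_sa(text):
    """One record per proxy-identity pair; the record is complete at its '#pkts decaps' line."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            cur[side] = f"{addr}/{mask}"
            continue
        m = ENCAPS_RE.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            sas.append(IpsecSA(cur["local"], cur["remote"], cur["encaps"], int(m.group(1))))
            cur = {}
    return sas


def one_way(sas):
    """SAs where packets leave but none return, or arrive but none are sent."""
    return [sa for sa in sas if (sa.encaps > 0) != (sa.decaps > 0)]


def unmirrored(this_side, other_side):
    """Identity pairs on this_side with no mirror image (local/remote swapped) on other_side.
    Crypto ACLs must mirror exactly or the peer rejects the phase 2 proposal."""
    mirrors = {(sa.remote, sa.local) for sa in other_side}
    return [sa for sa in this_side if (sa.local, sa.remote) not in mirrors]


def report(asa_text, switch_text):
    """Human-readable findings; an empty list means the two SA tables are consistent."""
    asa, sw = parse_ipsec_sa(asa_text), parse_ipsec_sa(switch_text)
    findings = []
    for name, sas in (("ASA", asa), ("switch", sw)):
        for sa in one_way(sas):
            findings.append(f"{name}: one-way SA {sa.local} -> {sa.remote} "
                            f"(encaps={sa.encaps}, decaps={sa.decaps})")
    for sa in unmirrored(asa, sw):
        findings.append(f"ASA identity {sa.local} -> {sa.remote} has no mirror on the switch")
    for sa in unmirrored(sw, asa):
        findings.append(f"switch identity {sa.local} -> {sa.remote} has no mirror on the ASA")
    return findings


# Constructed sample: three identity pairs on the ASA, only two on the switch.
ASA_SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 50, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SWITCH_SAMPLE = """\
interface: Vlan1
    Crypto map tag: HEAD-OFFICE, local addr 203.0.113.2
   local  ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 118, #pkts encrypt: 118, #pkts digest: 118
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
   local  ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

if __name__ == "__main__":
    for line in report(ASA_SAMPLE, SWITCH_SAMPLE):
        print(line)
```

Two caveats when reading the result. A one-way SA (encaps on one side, no decaps on the other) points at something between the peers or at the crypto ACL; the counters only tell you what the crypto engine encrypted or decrypted, not whether the decrypted packet was then forwarded to the end host, so counters incrementing on both ends, as the poster reports, are consistent with pings that still fail past the SVI. The mirror check needs the full output from both devices, since an identity pair missing on one side usually means that peer's crypto ACL lacks the matching entry.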


Re: Can Ping SVI but not end hosts over IPsec VPN

Thanks a lot for your reply. Unfortunately I don't have access to the kit right now, but as I said phase 1 is up, so that's what sh crypto isakmp will show, and phase 2 is up for each subnet; I can see decaps and encaps on both ends.

With regard to NAT: I have NONATs configured on the ASA and do not have NAT configured on the 3560 at all.

A colleague has mentioned that it could be a platform limitation, which is what I suspected. I think the reason that I can configure the tunnel and it comes up is because the platform does support IPsec for management-plane traffic; this would explain why I can get to the switch's SVIs and nothing else.

I will update the post once I have tested using something else.
