I have a Cisco 1721 connected to a cable modem, and forming a site-to-site VPN tunnel with an ASA 5505. I was using EZVPN. A couple of days ago, traffic stopped passing through the tunnel, although the tunnel was up. I tried setting it up as a straight LAN-to-LAN, and still the same problem. I even changed where it terminated, from an ASA to a concentrator on a different ISP, and the exact same result: tunnel shows up/up, the concentrator shows bytes in both directions, no errors, but just no traffic. I have tried several different encr/hashing methods and no change. The ASA and 3k concentrator are working, as I can connect using the client w/o an issue. The weird thing is the 1721 is not using a hardware crypto card, so it's ALL in software, and other than the VPN problem it is passing traffic normally. I also doubt the ISP just randomly started blocking VPN traffic, especially since the tunnel comes up. Anyone seen this before or have an idea as to what the problem could be, or is it just likely the 1721's crypto engine is bad/corrupt? It is running 12.4 Advanced Security.
It would be useful to get some outputs from the ASA and the router, like the show crypto isakmp sa detail and the show crypto ipsec sa detail from each. Also remember that the fact that the VPN is established does not really mean all is fine: ISAKMP establishment works on UDP 500, and encrypted traffic flows over the ESP protocol, which is a portless protocol. In the case where NAT-T is enabled, then you can be certain that once phase 1 is up, phase 2 should pass, as both use UDP 4500 after NAT is detected.
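The reply above points at the `show crypto ipsec sa` counters as the way to tell an up-but-silent tunnel from a working one. The following is an added example, not code from the thread or from Cisco: it parses the encaps/decaps/error counters from constructed text laid out like IOS and ASA `show crypto ipsec sa` output (hypothetical addresses from RFC 5737 ranges, hypothetical counter values), checks that the two crypto ACLs mirror each other, and reports which direction of ESP is being lost. The counter labels (`#pkts encaps`, `#pkts decaps`, `#send errors`, `#recv errors`, `current_peer`) are the ones those commands print; everything else is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of IOS "show crypto ipsec sa" (values are hypothetical).
# This side encrypts and sends 150 packets but never decrypts anything in return.
ROUTER_SA = """\
interface: FastEthernet0
    Crypto map tag: VPNMAP, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.5 port 500
    #pkts encaps: 150, #pkts encrypt: 150, #pkts digest: 150
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

# Constructed sample in the layout of ASA "show crypto ipsec sa" for the same tunnel.
# The peer never decrypts the router's packets, so it has nothing to answer.
ASA_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.5

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def _counter(text: str, label: str) -> int:
    """Pull one numeric counter; IOS prints '#send errors 0', ASA '#send errors: 0'."""
    m = re.search(re.escape(label) + r":?\s*(\d+)", text)
    if not m:
        raise ValueError(f"counter {label!r} not found")
    return int(m.group(1))


def _ident(text: str, side: str) -> str:
    """Extract the proxy identity (crypto ACL entry) for 'local' or 'remote'."""
    m = re.search(side + r"\s+ident \(addr/mask/prot/port\): \(([^)]+)\)", text)
    if not m:
        raise ValueError(f"{side} ident not found")
    return m.group(1)


def parse_sa(text: str) -> SaCounters:
    """Parse a single-SA 'show crypto ipsec sa' block into counters."""
    peer = re.search(r"current_peer:?\s*(\S+)", text).group(1)
    return SaCounters(
        peer=peer,
        local_ident=_ident(text, "local"),
        remote_ident=_ident(text, "remote"),
        encaps=_counter(text, "#pkts encaps"),
        decaps=_counter(text, "#pkts decaps"),
        send_errors=_counter(text, "#send errors"),
        recv_errors=_counter(text, "#recv errors"),
    )


def acls_mirrored(a: SaCounters, b: SaCounters) -> bool:
    """A's local proxy must be B's remote proxy and vice versa."""
    return a.local_ident == b.remote_ident and a.remote_ident == b.local_ident


def diagnose(a: SaCounters, b: SaCounters) -> tuple:
    """Compare both ends of one tunnel and name the first failure found.

    Returns (code, explanation). 'a' is the side we are on, 'b' is the peer's view.
    """
    if not acls_mirrored(a, b):
        return ("acl-mismatch", "crypto ACLs are not mirror images; phase 2 proxies differ")
    if a.encaps == 0 and b.encaps == 0:
        return ("no-interesting-traffic", "nothing matched the crypto ACL on either side")
    if a.encaps > 0 and b.decaps == 0:
        return ("esp-loss-a-to-b", "packets encrypted here are never decrypted by the peer: "
                "ESP (IP protocol 50) dropped in transit, or NAT in the path without NAT-T")
    if b.encaps > 0 and a.decaps == 0:
        return ("esp-loss-b-to-a", "peer encrypts replies that never arrive here: "
                "return-path ESP dropped, or NAT without NAT-T")
    if a.encaps == 0 or b.encaps == 0:
        return ("one-way-only", "one side receives but sends nothing back: "
                "check inside routing and the crypto ACL on the silent side")
    if a.recv_errors or b.recv_errors:
        return ("recv-errors", "decrypt/verify failures: check transform, SPI or anti-replay")
    return ("ipsec-ok", "counters rise in both directions; look beyond IPsec "
            "(inside routing, NAT exemption, host firewalls)")


if __name__ == "__main__":
    router, asa = parse_sa(ROUTER_SA), parse_sa(ASA_SA)
    print("mirrored ACLs:", acls_mirrored(router, asa))
    print("router view:", diagnose(router, asa))
    print("ASA view:   ", diagnose(asa, router))
```

Run the same comparison from both ends: when the router's `encaps` climbs while the ASA's `decaps` stays at zero, the packets are leaving the router encrypted and disappearing before the ASA, which matches the symptom in the thread (tunnel up, no traffic) and points at the path rather than at either crypto engine.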
I think the problem is at the head end, with the cable provider's Netgear/Comcast router. The funny thing is, the tunnel shows up, and the firewall even sees the ICMP form/teardown, but no traffic is actually flowing. I tested the site-to-site from another location and got the same result. Comcast is replacing the gateway with an SMC one.
I set up a test L2L VPN on my backup connection (ATT static IP DSL), using a PIX 501 and got the same result: VPN tunnel shows up on phase one and two, but cannot ping or communicate, even though both sides are showing some info on the connections (connection establishments/teardowns, byte counts, etc.). However, I brought the PIX inside my Comcast network, using one of my spare public IPs, and everything worked perfectly. That leads me to believe that the problem is ISP or ISP equipment related.