Cisco Support Community
New Member

IPSEC tunnel up - traffic not passing. TTL Expired on one side.

Soho office:

Site a, ASA 5505

10.29.0.xx/24

Main office:

Site b, ASA 5540

10.75.0.xx/24

Tunnel establishes - phase one and two look good. Packet tracer completes successfully from both sides. A client at the soho site can send pings to 10.75.0.xx but receives no response. I can see the build and teardown on the firewall at the soho side, but I'm not getting a response. When I kill the tunnel, sending a ping will reestablish it from the soho side.

From the main office side, pings sent to 10.29.0.xx return: "TTL Expired in Transit".  A traceroute shows the packet looping in the firewall.  The ACLs look good, the crypto maps look good, and there are no explicit routes pointing elsewhere.  If I drop the tunnel, sending pings from the main office side will not rebuild the tunnel.

Any idea what I'm missing here or what direction to head next?

-JP

Accepted Solutions

Post configs for review

New Member

RESOLVED

The issue was, in fact, a routing loop.

The routes applied on the central office side pointed ALL internal traffic back towards the interior network.  An explicit route pointing 10.29.xx.xx traffic out resolved the issue.
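
An added example (not from the thread or from Cisco): a route-table check for the failure described in the resolution above, flagging any VPN peer network whose longest-prefix route leaves by an interface other than the one carrying the crypto map. The 10.0.0.0/8 summary route and the interface names `inside` and `outside` are assumptions; the thread does not show the actual configuration.

```python
import ipaddress

def audit_vpn_routes(routes, crypto_ifc, remote_nets):
    """Return (remote_net, winning_route, egress_ifc) for every remote VPN
    network whose traffic would leave by an interface other than crypto_ifc.

    Traffic that egresses the wrong interface never reaches the crypto map,
    so it cannot bring the tunnel up and is handed to whatever sits behind
    that interface, which can bounce it back until the TTL runs out.
    """
    table = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]
    findings = []
    for net in map(ipaddress.ip_network, remote_nets):
        # Routes that cover the whole remote network; the longest prefix wins.
        covering = [r for r in table if r[0].supernet_of(net)]
        best = max(covering, key=lambda r: r[0].prefixlen, default=None)
        # More specific routes inside the remote network can hijack part of it.
        inside = [r for r in table if r[0] != net and r[0].subnet_of(net)]
        if best is None:
            findings.append((str(net), None, None))  # no route at all
        for prefix, ifc in ([best] if best else []) + inside:
            if ifc != crypto_ifc:
                findings.append((str(net), str(prefix), ifc))
    return findings

# Constructed route tables for the main office firewall (not from the thread).
# 10.0.0.0/8 -> inside stands in for "ALL internal traffic" pointing inward.
BEFORE = [
    ("0.0.0.0/0", "outside"),
    ("10.0.0.0/8", "inside"),
    ("10.75.0.0/24", "inside"),
]
# The fix from the thread: an explicit route sending the soho subnet outward.
AFTER = BEFORE + [("10.29.0.0/24", "outside")]

REMOTE = ["10.29.0.0/24"]  # soho subnet protected by the tunnel

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_vpn_routes(table, "outside", REMOTE) or "ok")
```
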

New Member

What exactly did you do to resolve the problem? I'm also getting this error message. I used route-map and set ip default next-hop. Appreciate your soonest response.
