Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

IPSec VPN Troubleshooting

So, I have a site-to-site tunnel, and I'm trying to verify end-to-end connectivity.

On the Initiating Side - SiteA, I can see this traffic hitting the internal interface on the local router, and I can see traffic hitting the Crypto ACL,

on the same router. So I'm assuming traffic from that specific host going to the other side's host on a specific port is making it through. On

Site B, the receiver, I can't see outbound traffic going out the LAN for some reason, where the other several tunnels on this router, I can see

traffic leaving outbound on the internal interface on Site B.

Can I run a debug, or anything, that could show traffc from Host A to Host B on SiteB router, with the specific port, and not just source/destination network?                  

3 REPLIES

IPSec VPN Troubleshooting

Which devices are used to terminate the VPNs at both ends?  If these are routers and you are seeing the traffic go to the LAN on one side but not the other, then it might be that the crypto ACLs are misconfigured at one side or the other...or both for that matter.  If there are ASAs that are terminating the VPN then it could either be the crypto ACLs or a misconfigured NAT exempt statement.

Are you sure that the tunnel is up?

show crypto isakmp sa

Please rate any helpful posts

--

Please remember to rate and select a correct answer

IPSec VPN Troubleshooting

Yeah the tunnel is up, this has been verified. Traffic is currently passing through this tunnel without any problems, except for one port. I can see traffic coming from HostA to Hostb on UDP port 10000 match on an ACL I have on the internal interface, as well as the same traffic from HostA to HostB matching on the Crypto ACL with destination port UDP 10000.

But on the reciver, I have an ACL, that is looking for matching traffic from HostA to HostB on destination port UDP, outbound on the internal interface, and no matches can be seen. Although on several other Tunnels that are terminated on the HostB router, I can see matched perfectly fine.

It's really rather strange, I have verified no ACL issues either...

IPSec VPN Troubleshooting

would you be able to post a full sanitized configuration of both routers?

--

Please remember to rate and select a correct answer
173
Views
0
Helpful
3
Replies
CreatePlease to create content