IPSec VPN Troubleshooting

JohnTylerPearce
Level 7

So, I have a site-to-site tunnel, and I'm trying to verify end-to-end connectivity.

On the Initiating Side - SiteA, I can see this traffic hitting the internal interface on the local router, and I can see traffic hitting the Crypto ACL on the same router. So I'm assuming traffic from that specific host going to the other side's host on a specific port is making it through. On Site B, the receiver, I can't see outbound traffic going out the LAN for some reason, whereas for the several other tunnels on this router, I can see traffic leaving outbound on the internal interface on Site B.

Can I run a debug, or anything, that could show traffic from Host A to Host B on the SiteB router, with the specific port, and not just source/destination network?

3 Replies

Which devices are used to terminate the VPNs at both ends?  If these are routers and you are seeing the traffic go to the LAN on one side but not the other, then it might be that the crypto ACLs are misconfigured at one side or the other...or both for that matter.  If there are ASAs that are terminating the VPN then it could either be the crypto ACLs or a misconfigured NAT exempt statement.

Are you sure that the tunnel is up?

show crypto isakmp sa

Please rate any helpful posts

--
Please remember to select a correct answer and rate helpful posts

Yeah, the tunnel is up, this has been verified. Traffic is currently passing through this tunnel without any problems, except for one port. I can see traffic coming from HostA to HostB on UDP port 10000 match on an ACL I have on the internal interface, as well as the same traffic from HostA to HostB matching on the Crypto ACL with destination port UDP 10000.

But on the receiver, I have an ACL that is looking for matching traffic from HostA to HostB on destination port UDP, outbound on the internal interface, and no matches can be seen. Although on several other tunnels that are terminated on the HostB router, I can see matches perfectly fine.

It's really rather strange, I have verified no ACL issues either...

Would you be able to post a full sanitized configuration of both routers?

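As an added example (not code from the thread or from Cisco), here is a quick check for the mirror-image requirement the first reply raises for crypto ACLs, with attention to the port qualifier the original poster describes: an entry that matches destination UDP 10000 on one side must appear on the peer with 10000 as the source port. The addresses and ACL text are constructed, not taken from the thread.

```python
# Added example: verify that two IOS crypto ACLs are exact mirror images,
# including 'eq PORT' qualifiers. All addresses below are constructed.

def _take_addr(toks):
    """Consume one address spec: 'host X', 'any', or 'NETWORK WILDCARD'."""
    t = toks.pop(0)
    if t == "host":
        return (toks.pop(0), "0.0.0.0")
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    return (t, toks.pop(0))

def _take_port(toks):
    """Consume an optional 'eq PORT' qualifier (gt/lt/range are not handled here)."""
    if toks and toks[0] == "eq":
        toks.pop(0)
        return toks.pop(0)
    return None

def parse_ace(line):
    """Parse 'permit PROTO SRC [eq P] DST [eq P]' into a comparable tuple."""
    toks = line.split()
    action, proto = toks.pop(0), toks.pop(0)
    src = _take_addr(toks)
    sport = _take_port(toks)
    dst = _take_addr(toks)
    dport = _take_port(toks)
    return (action, proto, src, sport, dst, dport)

def mirror(ace):
    """The entry the peer must carry: source and destination (with their ports) swapped."""
    action, proto, src, sport, dst, dport = ace
    return (action, proto, dst, dport, src, sport)

def missing_mirrors(local_acl, remote_acl):
    """Return the local ACEs that have no exact mirror in the remote crypto ACL."""
    remote = {parse_ace(ln) for ln in remote_acl.splitlines() if ln.strip()}
    return [ln.strip() for ln in local_acl.splitlines()
            if ln.strip() and mirror(parse_ace(ln)) not in remote]

# Constructed ACLs. Site B's first entry keeps 'eq 10000' on the destination,
# so it does NOT mirror Site A's destination-port entry; the fixed version does.
SITE_A = """
permit udp host 10.1.1.10 host 10.2.2.20 eq 10000
permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
SITE_B_AS_FOUND = """
permit udp host 10.2.2.20 host 10.1.1.10 eq 10000
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""
SITE_B_MIRRORED = """
permit udp host 10.2.2.20 eq 10000 host 10.1.1.10
permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

if __name__ == "__main__":
    print("unmirrored as found:", missing_mirrors(SITE_A, SITE_B_AS_FOUND))
    print("unmirrored after fix:", missing_mirrors(SITE_A, SITE_B_MIRRORED))
```

Feed it the `permit` lines of each router's crypto ACL (sanitized) and anything it reports is a candidate for the asymmetric behaviour described in the thread.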