Cisco Support Community
Community Member

IPSec VPN tunnel works one way, can ping the other direction too

Hi Folks,

Ok so I'm going crazy here. I have an IPSec tunnel that is working in one direction.

Below is the router config from the side that can connect to the other side perfectly. I believe the issue is with this router, as while I was waiting on delivery of the ASA I had an SRP527W sitting in its place and had exactly the same problem.

On one side I have a 887VA router and the other an ASA5505.

The network behind the 887VA can access the remote site perfectly; backup services are traversing the link, as are web interfaces for applications. In the other direction I can ping hosts but cannot connect. What is also interesting is that if, from the remote site, I attempt to connect to a particular device that performs a port redirect, the remote site browser gets as far as being redirected to port 5000 but then hangs.

I am seeing some very generic packet drop debug notices on the 887VA for the NAT-ACL access list, but I think this is as it should be, as it is dropping the tunnel traffic from the NATing.

The config for the router is here; I will post the ASA config when I get to the other site shortly, but I am convinced the issue is on this device. All the crypto configurations match.

I have looked at the MTUs on each side; the path MTU on both sides is 1492. The ASA does say the media MTU is 1500, but I believe that is the ADSL link so shouldn't matter?

I even went so far as installing CCP and testing the VPN. It says the tunnel is up. It did state a failure:

A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.

with recommended action:

1) Contact your ISP/Administrator to resolve this issue.
2) Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packet drops due to fragmentation.

I did 2 with no effect.

(Addresses etc have been changed to protect the innocent.)

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption

hostname XXXX

logging buffered 65535
logging console informational

no aaa new-model

memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0

crypto pki certificate chain TP-self-signed-
 certificate self-signed 01

ip source-route

ip cef
no ip bootp server
ip domain name
ip name-server 192.
ip name-server 192.
ip inspect name CBAC appleqtc
ip inspect name CBAC dns
ip inspect name CBAC esmtp
ip inspect name CBAC http
ip inspect name CBAC https
ip inspect name CBAC ftp
ip inspect name CBAC h323
ip inspect name CBAC isakmp
ip inspect name CBAC l2tp
ip inspect name CBAC icmp
ip inspect name CBAC imap
ip inspect name CBAC imaps
ip inspect name CBAC ftps
ip inspect name CBAC ntp
ip inspect name CBAC sip
ip inspect name CBAC sip-tls
ip inspect name CBAC ssh
ip inspect name CBAC tcp
ip inspect name CBAC udp
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class OutMan
login on-failure log
no ipv6 cef

multilink bundle-name authenticated
license udi pid CISC

log config

controller VDSL 0
 operating mode adsl2 annex A

ip ssh version 2

crypto isakmp policy 5
 encr 3des
 authentication pre-share
 lifetime 28800

crypto isakmp policy 10
 authentication pre-share
 lifetime 28800
crypto isakmp key ISAKMPKEY address

crypto ipsec transform-set TRANSF esp-3des esp-sha-hmac

crypto map CRYMAP 101 ipsec-isakmp
 set peer
 set transform-set TRANSF
 match address 101

interface Loopback0
 no ip address

interface Ethernet0
 no ip address
 no fair-queue

interface ATM0
 description --- Internode ADSL ----
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive

interface ATM0.1 point-to-point
 no ip route-cache
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5snap
  pppoe-client dial-pool-number 1

interface FastEthernet0
 no ip address

interface FastEthernet1
 no ip address

interface FastEthernet2
 no ip address

interface FastEthernet3
 no ip address

interface Vlan1
 description Management Interface
 ip address
 ip mtu 1452
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 ip tcp adjust-mss 1420

interface Dialer0
 no ip address
 no cdp enable

interface Dialer1
 description -----INTERNODE ADSL------
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname
 ppp chap password 7 05531F5A331F1C1E08
 ppp ipcp dns request accept
 no cdp enable
 crypto map CRYMAP

router rip
 version 2
 redistribute static
 network 10.0.1..0

ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server

ip dns server
ip nat inside source static tcp 10.0.1..222 3389 interface Dialer1 19770
ip nat inside source static tcp 10.0.1..69 22 interface Dialer1 19771
ip nat inside source static tcp 10.0.1..69 5000 interface Dialer1 5000
ip nat inside source static tcp 10.0.1..114 3389 interface Dialer1 31313
ip nat inside source static tcp 10.0.1..110 3389 interface Dialer1 19450
ip nat inside source list NAT-ACL interface Dialer1 overload
ip route Dialer1
ip route

ip access-list standard OutMan
 permit any
ip access-list standard acINAT
ip access-list standard aclQueitMode

ip access-list standard aclQuietMode

ip access-list extended NAT-ACL
 deny   ip
 permit ip any
ip access-list extended aclNat
 permit ip any

logging trap debugging
access-list 101 permit ip
access-list 103 permit tcp host host
dialer-list 1 protocol ip permit
no cdp run

route-map rmNatIn2Out permit 10
 match ip address NAT-ACL
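As an added example, not part of the original post: a small ESP size calculator (assumed RFC 4303 tunnel-mode framing over IPv4, no NAT-T unless flagged) for the esp-3des esp-sha-hmac transform set and the 1492-byte Dialer1 MTU in the config above. It reports the largest inner packet that can be encrypted without exceeding the link MTU and checks the Vlan1 ip mtu 1452 / adjust-mss 1420 values against that limit; the cipher table also covers the AES transform sets so the same check works for those.

```python
# Added example (not from the original post): ESP tunnel-mode overhead
# calculator, assuming RFC 4303 framing, IPv4 and no NAT-T unless flagged.

# cipher -> (IV length, block size) in bytes
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}
# integrity -> truncated HMAC ICV length in bytes (both are the -96 variants)
INTEGRITY = {"sha": 12, "md5": 12}
OUTER_IPV4 = 20  # new outer IP header added in tunnel mode
ESP_HDR = 8      # SPI + sequence number
NAT_T_UDP = 8    # UDP header added only when NAT traversal is negotiated
TRAILER = 2      # pad length + next header bytes inside the encrypted area

def _fixed_overhead(cipher, integ, nat_t):
    iv, _ = CIPHERS[cipher]
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + INTEGRITY[integ]

def esp_packet_size(inner_len, cipher="3des", integ="sha", nat_t=False):
    """Outer packet size produced by tunnel-mode ESP for an inner IP packet."""
    _, block = CIPHERS[cipher]
    # payload + trailer is padded up to a whole number of cipher blocks
    encrypted = ((inner_len + TRAILER + block - 1) // block) * block
    return _fixed_overhead(cipher, integ, nat_t) + encrypted

def max_inner_packet(link_mtu, cipher="3des", integ="sha", nat_t=False):
    """Largest inner IP packet whose ESP encapsulation still fits link_mtu."""
    _, block = CIPHERS[cipher]
    room = link_mtu - _fixed_overhead(cipher, integ, nat_t)
    return (room // block) * block - TRAILER

def check(link_mtu, ip_mtu, mss, **kw):
    """Compare an interface's ip mtu / adjust-mss values with the tunnel limit.

    max_mss is the 'ip tcp adjust-mss' value that fits (IPv4 + TCP headers,
    no options); esp_size_at_mss is the ESP packet a full-size segment makes.
    """
    limit = max_inner_packet(link_mtu, **kw)
    return {
        "max_inner": limit,
        "max_mss": limit - 40,
        "ip_mtu_fits": ip_mtu <= limit,
        "mss_fits": mss + 40 <= limit,
        "esp_size_at_mss": esp_packet_size(mss + 40, **kw),
    }

if __name__ == "__main__":
    # Dialer1 mtu 1492, Vlan1 ip mtu 1452 / adjust-mss 1420, esp-3des esp-sha-hmac
    for key, val in check(1492, ip_mtu=1452, mss=1420).items():
        print(f"{key}: {val}")
```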





Community Member

IPSec VPN tunnel works one way, can ping the other direction too

ASA configuration on the other side of tunnel.

ASA Version 8.2(5)

hostname ASA

name outside description outside interface
name central description central office

interface Ethernet0/0
 switchport access vlan 2

interface Vlan1
 nameif inside
 security-level 100
 ip address

interface Vlan2
 nameif outside
 security-level 0
 pppoe client vpdn group iiNet
 ip address pppoe setroute

ftp mode passive
clock timezone EST 10
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS

dns server-group MainDNSList

dns-group MainDNSList
object-group network obj_any
object-group icmp-type ICMP-INBOUND
 description Permit necessary inbound ICMP traffic
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group service DS_TOR tcp-udp
 description group of ports to the hub for TOR
 port-object eq 29898
 port-object eq 29899
 port-object eq 29900
 port-object eq 29901
 port-object eq 29902
 port-object eq 29903
 port-object eq 29904
 port-object eq 29905
 port-object eq 29906
 port-object eq 29907
 port-object eq 29908
 port-object eq 29909
 port-object eq 29910
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 2222
 port-object eq 29922
 port-object eq 5000
 port-object eq 5001
 port-object eq 7000
 port-object eq 873
 port-object eq www
 port-object eq 7001
 group-object DS_TOR
object-group service DM_INLINE_SERVICE_1
 service-object tcp eq 3074
 service-object tcp eq 88
 service-object tcp eq domain
 service-object udp eq 3074
 service-object udp eq domain
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND remark chiang access list
access-list INBOUND extended permit tcp any host outside object-group DM_INLINE_TCP_1
access-list INBOUND remark xbox access
access-list INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host outside
access-list INBOUND extended permit ip central
access-list outside_1_cryptomap extended permit ip central
access-list inside_nat0_outbound extended permit ip central
access-list SecLanTraffic extended permit ip central
pager lines 24
logging enable
logging asdm informational
mtu inside 1492
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1
access-group INBOUND in interface outside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec authentication-server
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
auth-prompt prompt Yo you flute me?
auth-prompt accept in
auth-prompt reject out
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 28800
telnet timeout 2
ssh inside
ssh timeout 5
console timeout 0
management-access inside
vpdn group iiNet request dialout pppoe
vpdn group iiNet localname UNAME
vpdn group iiNet ppp authentication pap
vpdn username UNAME password ***** store-local
dhcpd auto_config outside

dhcpd address inside
dhcpd dns interface inside
dhcpd enable inside

threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

username admin password Q8Mi1MQB4nIkEh1X encrypted privilege 15
tunnel-group REMOTEROUTERIP type ipsec-l2l
tunnel-group REMOTEROUTERIP ipsec-attributes
 pre-shared-key *****

class-map inspection_default
 match default-inspection-traffic

policy-map type inspect dns preset_dns_map

  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options

service-policy global_policy global
