02-19-2012 09:20 PM
Hi,
I'm setting up an L2L VPN hub and spoke. I have 3 sites (1 HUB and 2 SPOKES).
HUB-----------SPOKE1
|
|
|
SPOKE 2
HUB and SPOKE 1 are okay. My problem is the communication between HUB and SPOKE 2. PING fails in both directions. BTW, I am simulating this only in GNS3. :-) The configuration for HUB and SPOKE 1 is the same as for HUB and SPOKE 2. I'm kinda lost here. Can someone shed some light on this? Thank you in advance.
Here is my show isakmp sa and ipsec sa on HUB
ciscoasa# sh isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 210.24.x.x
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
ciscoasa# sh ipsec sa
interface: outside
Crypto map tag: VPN-MAP, seq num: 20, local addr: 58.145.x.x
access-list 30 permit ip 10.21.99.0 255.255.255.0 10.21.0.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
current_peer: 210.24.x.x
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
show isakmp sa and show ipsec sa on SPOKE2
ciscoasa# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 58.145.x.x
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
ciscoasa# show ipsec sa
interface: outside
Crypto map tag: VPN-MAP, seq num: 10, local addr: 210.24.x.x
access-list 20 permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
current_peer: 58.145.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
02-21-2012 02:08 PM
Hi, please see the example in the link:
02-22-2012 07:37 PM
From the output you provided, SPOKE2 is decrypting traffic received from the hub, but traffic going back to the hub doesn't appear to be getting encrypted and sent back across the tunnel. There are two reasons this could happen. The first reason is maybe a missing route, but since this is a spoke, I am guessing that there is a default route on the ASA pointing toward the ISP.
The second reason is that you haven't applied any NAT bypass rules for this specific traffic. Can you verify you have something such as the following:
--------------------------------------------------
access-list nonat permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0
nat (inside) 0 access-list nonat
--------------------------------------------------
Matt
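The counter-reading Matt describes (decaps climbing on one side while encaps stays at zero) can be checked mechanically. The following Python script is an added example and is not part of this thread or of any Cisco tool: it parses the two `show ipsec sa` excerpts posted above (embedded here as constructed sample input, with the peer addresses masked exactly as posted), classifies each Phase 2 SA by its packet counters, confirms the two ends' proxy identities mirror each other, and checks whether a pre-8.3 `nat (inside) 0 access-list` exemption covers the SA's local-to-remote pair. The `SPOKE2_NONAT` lines are an assumption taken from Matt's suggested config, not from the original poster's device.

```python
import re

# Constructed sample input: the two `show ipsec sa` excerpts posted in this thread.
HUB_SHOW_IPSEC_SA = """interface: outside
Crypto map tag: VPN-MAP, seq num: 20, local addr: 58.145.x.x
access-list 30 permit ip 10.21.99.0 255.255.255.0 10.21.0.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
current_peer: 210.24.x.x
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

SPOKE2_SHOW_IPSEC_SA = """interface: outside
Crypto map tag: VPN-MAP, seq num: 10, local addr: 210.24.x.x
access-list 20 permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.21.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.21.99.0/255.255.255.0/0/0)
current_peer: 58.145.x.x
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

# Assumed NAT exemption on SPOKE2 (pre-8.3 ASA syntax, as suggested in the reply above).
SPOKE2_NONAT = [
    "access-list nonat permit ip 10.21.0.0 255.255.255.0 10.21.99.0 255.255.255.0",
    "nat (inside) 0 access-list nonat",
]

SA_FIELDS = {
    "local": re.compile(r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/"),
    "peer": re.compile(r"current_peer: (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
}


def parse_ipsec_sa(text):
    """Parse one crypto-map entry of `show ipsec sa` into a dict of identities, peer and counters."""
    sa = {}
    for key, rx in SA_FIELDS.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"missing '{key}' in show ipsec sa output")
        if key in ("local", "remote"):
            sa[key] = (m.group(1), m.group(2))      # (network, mask)
        elif key in ("encaps", "decaps"):
            sa[key] = int(m.group(1))
        else:
            sa[key] = m.group(1)
    return sa


def diagnose(sa):
    """Classify the SA by its counters. 'receive-only' is the symptom in this thread:
    the peer's packets are decrypted, but nothing local is selected for encryption,
    which points at routing or at missing NAT exemption for local -> remote."""
    if sa["encaps"] and sa["decaps"]:
        return "bidirectional"
    if sa["decaps"] and not sa["encaps"]:
        return "receive-only"
    if sa["encaps"] and not sa["decaps"]:
        return "send-only"
    return "idle"


def mirrored(sa_a, sa_b):
    """True if the two ends' proxy identities are exact mirrors (a common cause of Phase 2 trouble when not)."""
    return sa_a["local"] == sa_b["remote"] and sa_a["remote"] == sa_b["local"]


def nat_exempt_covers(config_lines, sa):
    """True if some `nat (<if>) 0 access-list <name>` statement references an ACL
    whose permit entry matches the SA's local network -> remote network exactly."""
    exempt_acls = set()
    for line in config_lines:
        m = re.match(r"nat \(\S+\) 0 access-list (\S+)", line.strip())
        if m:
            exempt_acls.add(m.group(1))
    wanted = sa["local"] + sa["remote"]          # (net, mask, net, mask)
    for line in config_lines:
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line.strip())
        if m and m.group(1) in exempt_acls and m.group(2, 3, 4, 5) == wanted:
            return True
    return False


def report(hub_text, spoke_text, spoke_nonat):
    hub, spoke = parse_ipsec_sa(hub_text), parse_ipsec_sa(spoke_text)
    return {
        "hub": diagnose(hub),
        "spoke": diagnose(spoke),
        "identities_mirrored": mirrored(hub, spoke),
        "spoke_nat_exempt_ok": nat_exempt_covers(spoke_nonat, spoke),
    }


if __name__ == "__main__":
    for k, v in report(HUB_SHOW_IPSEC_SA, SPOKE2_SHOW_IPSEC_SA, SPOKE2_NONAT).items():
        print(f"{k}: {v}")
```

With the thread's output the hub comes back `send-only`, SPOKE2 `receive-only`, the identities mirror, and the assumed exemption lines do cover the pair, which is why the remaining suspects are the spoke's route toward 10.21.99.0/24 and, as it turned out, the emulator itself. Run it again after clearing counters with `clear ipsec sa counters` and a fresh ping so stale numbers do not mislead the classification.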
02-22-2012 07:50 PM
Please copy your config to the forum.
02-22-2012 11:03 PM
Yes, those lines are in my configuration. I think this is a bug in GNS3. It's working now (on a real ASA, though).