Cisco Support Community
Community Member

LAN-to-LAN VPN Trouble

Hello -

I am having difficulty passing traffic over a VPN tunnel to a remote office. This is newly engineered, but can't figure out what the problem can be. I am calling out to all you experts to hopefully provide some much needed help. Thanks in advance.

VPN Info:

crypto isakmp policy 1

encr 3des

hash md5

authentication pre-share

group 2

crypto isakmp key {key} address x.x.x.x



crypto ipsec transform-set TRIBDDBATL esp-3des esp-md5-hmac


crypto map DDBATL 10 ipsec-isakmp

set peer x.x.x.x

set transform-set TRIBDDBATL

match address 100


DDB-ATL-Router#sh access-list 100

Extended IP access list 100

10 permit ip (1008 matches)

20 permit ip (13 matches)

30 permit ip (15 matches)

40 permit ip

50 permit ip

60 permit ip

70 permit ip (6 matches)

80 permit ip

90 permit ip

100 permit ip

DDB-ATL-Router#sh run int tun 1

Building configuration...

Current configuration : 169 bytes


interface Tunnel1

description VPN Tunnel 2 to DDB Chicago

ip unnumbered Loopback0

tunnel source Loopback0

tunnel destination x.x.x.x

crypto map DDBATL


SA info

DDB-ATL-Router#sh crypto isakmp sa

dst src state conn-id slot status

x.x.x.x x.x.x.x QM_IDLE 225 0 ACTIVE

DDB-ATL-Router#sh crypto ipsec sa det

interface: Tunnel1

Crypto map tag: DDBATL, local addr x.x.x.x

protected vrf: (none)

local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (

current_peer x.x.x.x port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#pkts no sa (send) 1, #pkts invalid sa (rcv) 0

#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

#pkts invalid prot (recv) 0, #pkts verify failed: 0

#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

##pkts replay failed (rcv): 0

#pkts internal err (send): 0, #pkts internal err (recv) 0

From what I see, at this is at both ends, it looks like IKE has passed and the tunnel is up, both end are tx encrypted traffic, but the other end is not rxing. Any thoughts?

Community Member

Re: LAN-to-LAN VPN Trouble

i could really use just a full sh run off your router and post it. and what inside ip's are these 2 network using

also do a

sh crypto isakmp sa


sh crypto ipsec sa

and post the output

Community Member

Re: LAN-to-LAN VPN Trouble

Thanks for looking at things...

Please refernce the log file for the necessary info. Thanks again.

Community Member

Re: LAN-to-LAN VPN Trouble

Well, I have it working now, but why this makes it work is beyond me. I applied access-list to for ingress and egress traffic on my ethernet side to capture traffic. This didn't give me any indication what was going on, so to see real-time traffic, I enter log at the end of each statement. When there is an access-list with logging turned on per statement, only then do I have L7 connectivity. Does anyone know the explanation for this?

CreatePlease to create content