Cisco Support Community

New Member

Only 1 way traffic on a 2 way VPN

Hello, I am having trouble getting a Lan 2 Lan VPN to allow 2 way traffic. I am able to bring up the VPN and send/receive from my end; the remote end can sometimes bring up the VPN, but can't seem to reach my inside network no matter what.

Any ideas where I may have misconfigured this?

I am using ASA5510

Remote site = sidewinder

10 REPLIES
Green

Re: Only 1 way traffic on a 2 way VPN

Check ASA config for

version 7.0, 7.1: isakmp nat-traversal

version 7.2: crypto isakmp nat-traversal

New Member

Re: Only 1 way traffic on a 2 way VPN

I am running version 7.2. Here is the output of the sh crypto command; the line you asked about is there.

ciscoasa# sh run crypto isakmp
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

Anything else? How do I tell if the problem is my end or theirs?

Green

Re: Only 1 way traffic on a 2 way VPN

Oh, lan 2 lan tunnel, sorry.

Can you post the ASA config minus passwords etc. Also is the topology just like this, no other firewalls etc.?

your inside -- ASA -- Internet -- Sidewinder -- their inside

New Member

Re: Only 1 way traffic on a 2 way VPN

Yes, that is the basic topology.

My Inside--ASA--Internet--Sidewinder--Their Inside

Here is a slimmed down output of my sh run. I tried to delete IPs and most of the stuff that doesn't pertain to this; if I removed too much please let me know, and I'll try to get it right.

Thanks

Rob

 vpn-tunnel-protocol l2tp-ipsec
group-policy DefaultRAGroup_1 internal
group-policy DefaultRAGroup_1 attributes
 dns-server value A.A.A.199
 vpn-tunnel-protocol l2tp-ipsec
!
Deleted
!
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_cryptomap_8
crypto map outside_map 1 set peer REMOTE VPN PROBLEM IP C.C.C.193
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 1 set phase1-mode aggressive
!
Deleted
!
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
Deleted
!
 isakmp keepalive disable
tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 type ipsec-l2l
tunnel-group REMOTE VPN PROBLEM IP C.C.C.193 ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
!
Deleted
!

Green

Re: Only 1 way traffic on a 2 way VPN

Can you log on the ASA as they try to bring up the tunnel?

debug crypto isakmp

debug crypto ipsec

New Member

Re: Only 1 way traffic on a 2 way VPN

Hey, good idea, why do I always forget that command.

OK, tried it, shows nothing. Had it tear down and reset the tunnel twice. No debug entries.

Bummer.

Green

Re: Only 1 way traffic on a 2 way VPN

debug crypto isakmp 7

debug crypto ipsec 7

New Member

Re: Only 1 way traffic on a 2 way VPN

Here's another tidbit. I have been getting this error message whenever the remote side tries to set a connection:

3 Jun 07 2007 13:21:39 713042 IKE Initiator unable to find policy: Intf outside, Src: MY-INSIDE-IP, Dst:THIER-INSIDE-IP

Hope this helps someone

Green

Re: Only 1 way traffic on a 2 way VPN

Can you post your access-list outside_cryptomap_8?

New Member

Re: Only 1 way traffic on a 2 way VPN

Arg, er.. good news!

The remote site finally got it fixed. Seems it WAS on their end.

Thanks for all your help.

Rob
