Cisco Support Community

New Member

Site-to-Site VPN CAN'T REACH 1 OUT OF THREE NETWORKS

I have a S2S VPN configured, and I can't get to the 10.127.0.0 network. The 10.128.0.0 and 10.126.0.0 networks have full access. If I ping a 10.127.0.0 address on the outside interface I get replies, but with a ping to the same address on the inside I get no replies. That led me to believe that the config on my 5505 shown below is missing something, but I can't find it. Any help is much appreciated. Config is attached.

Thank you

5 REPLIES
Hall of Fame Super Silver

Re: Site-to-Site VPN CAN'T REACH 1 OUT OF THREE NETWORKS

The configuration of your end appears OK. There could be a crypto map mismatch with your peer. There should be an IPSec security association (SA) for each network pair, e.g. your local 10.100.100.0/24 network (and host 1.1.1.1) to peer's 10.[126, 127, 128].0.0/16 networks.

Please check your VPN using "show crypto ipsec sa" to confirm that all your expected SAs are active.

New Member

Site-to-Site VPN CAN'T REACH 1 OUT OF THREE NETWORKS

Mr. Rhoads, thank you much for the reply.

Below I have a show crypto ipsec sa from both peers. It looks like I'm missing some decaps, but I'm a little foggy on this command.

5505 Show

    Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1

      access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.128.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 4302, #pkts encrypt: 4302, #pkts digest: 4302
      #pkts decaps: 4337, #pkts decrypt: 4337, #pkts verify: 4337
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4302, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 3, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3F8C19E8
      current inbound spi : 533A5FFA

    inbound esp sas:
      spi: 0x533A5FFA (1396334586)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3912972/27880)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x3F8C19E8 (1066146280)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914469/27880)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1

      access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.126.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 177, #pkts encrypt: 177, #pkts digest: 177
      #pkts decaps: 174, #pkts decrypt: 174, #pkts verify: 174
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 177, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B36148A9
      current inbound spi : B6024AC4

    inbound esp sas:
      spi: 0xB6024AC4 (3053603524)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914981/27901)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB36148A9 (3009497257)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914978/27900)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1

      access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.127.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 428, #pkts encrypt: 428, #pkts digest: 428
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 428, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0A4386BB
      current inbound spi : FC693EA2

    inbound esp sas:
      spi: 0xFC693EA2 (4234755746)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3915000/27905)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x0A4386BB (172197563)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914974/27905)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1

      access-list crypto extended permit ip host 1.1.1.1 10.128.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 1439C8E4
      current inbound spi : 0B212EC6

    inbound esp sas:
      spi: 0x0B212EC6 (186724038)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3915000/28001)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x1439C8E4 (339331300)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914998/28001)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1

      access-list crypto extended permit ip host 1.1.1.1 10.127.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B5AE9ABC
      current inbound spi : 91A9B396

    inbound esp sas:
      spi: 0x91A9B396 (2443817878)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3915000/27997)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xB5AE9ABC (3048118972)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 69632, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914998/27997)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

5520 Show

access-list crypto extended permit ip 10.126.0.0 255.255.0.0 10.254.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 532, #pkts encrypt: 532, #pkts digest: 532
      #pkts decaps: 536, #pkts decrypt: 536, #pkts verify: 536
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 532, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: B6024AC4
      current inbound spi : B36148A9

    inbound esp sas:
      spi: 0xB36148A9 (3009497257)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373979/28239)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB6024AC4 (3053603524)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373982/28239)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2

      access-list crypto extended permit ip 10.127.0.0 255.255.0.0 10.254.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1794, #pkts decrypt: 1794, #pkts verify: 1794
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FC693EA2
      current inbound spi : 0A4386BB

    inbound esp sas:
      spi: 0x0A4386BB (172197563)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373983/28237)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xFC693EA2 (4234755746)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28229)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2

      access-list crypto extended permit ip 10.127.0.0 255.255.0.0 host 1.1.1.1
      local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 91A9B396
      current inbound spi : B5AE9ABC

    inbound esp sas:
      spi: 0xB5AE9ABC (3048118972)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/28288)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x91A9B396 (2443817878)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28288)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2

      access-list crypto extended permit ip 10.128.0.0 255.255.0.0 host 1.1.1.1
      local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 0B212EC6
      current inbound spi : 1439C8E4

    inbound esp sas:
      spi: 0x1439C8E4 (339331300)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373998/28276)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x0B212EC6 (186724038)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28276)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2

      access-list crypto extended permit ip 10.128.0.0 255.255.0.0 10.254.100.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 3894, #pkts encrypt: 3894, #pkts digest: 3894
      #pkts decaps: 5256, #pkts decrypt: 5256, #pkts verify: 5256
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3894, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 533A5FFA
      current inbound spi : 3F8C19E8

    inbound esp sas:
      spi: 0x3F8C19E8 (1066146280)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373595/28142)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x533A5FFA (1396334586)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4902912, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4372216/28141)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.128.35.11/255.255.255.255/0/0)
      current_peer: 98.102.220.206, username: Netech
      dynamic allocated peer ip: 10.128.35.11

      #pkts encaps: 2874, #pkts encrypt: 2874, #pkts digest: 2874
      #pkts decaps: 2461, #pkts decrypt: 2461, #pkts verify: 2461
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2874, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 98.102.220.206/60725
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 371A79B9
      current inbound spi : 7610E15D

    inbound esp sas:
      spi: 0x7610E15D (1980817757)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4878336, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 21507
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x371A79B9 (924481977)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 4878336, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 21507
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hall of Fame Super Silver

Site-to-Site VPN CAN'T REACH 1 OUT OF THREE NETWORKS

The command output is a bit daunting at first but when you look at it carefully there are a couple of key points to notice. Each crypto access list entry in use should form an IPsec SA indicating the local ident (network or host), remote ident, peer and, if traffic is flowing bidirectionally, both encaps and decaps.

If you find all the expected SAs but see only decaps (and no encaps - or vice versa) it typically means there's a downstream issue - i.e. a non-responsive or unreachable host. If you don't see the SAs form, it's usually a VPN configuration issue.

That said, the show command output does not seem to match up with the configuration file you posted originally. Are you sure the original post was the current running-configuration?

For example, the show command above indicates an IPsec SA in the 5505 based on the configuration line:

  access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.128.0.0 255.255.0.0

That line does not appear in the original posted 5505 config. Plus I don't see any reference to the 10.100.100.0/24 in the original posted config.

New Member

Site-to-Site VPN CAN'T REACH 1 OUT OF THREE NETWORKS

Sorry, I guess I did not get the latest running config. 10.100 was changed to 10.254, so the show crypto ipsec sa's are more accurate... that is all that changed though, so just replacing the running IP 10.100 with 10.254. I was trying not to make this confusing.

Hall of Fame Super Silver

Re: Site-to-Site VPN CAN'T REACH 1 OUT OF THREE NETWORKS

OK, so changing original references to 10.100 in favor of 10.254, gives us the following view of the relevant output of your "show crypto ipsec sa" at the 5520 end:

      access-list crypto extended permit ip 10.126.0.0 255.255.0.0 10.254.100.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1

      #pkts encaps: 532, #pkts encrypt: 532, #pkts digest: 532

      #pkts decaps: 536, #pkts decrypt: 536, #pkts verify: 536

  Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2

      access-list crypto extended permit ip 10.127.0.0 255.255.0.0 10.254.100.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 1794, #pkts decrypt: 1794, #pkts verify: 1794

  Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2

      access-list crypto extended permit ip 10.128.0.0 255.255.0.0 10.254.100.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)

      current_peer: 1.1.1.1

      #pkts encaps: 3894, #pkts encrypt: 3894, #pkts digest: 3894

      #pkts decaps: 5256, #pkts decrypt: 5256, #pkts verify: 5256

Note the encaps for the SA 10.127.0.0/16 to 10.254.100.0/24 is zero while the decaps are non-zero. That's telling us that the 5505-5520 site-site VPN established an IPsec SA (i.e. your crypto maps and everything else matched OK), received and decrypted traffic bound for a host or hosts in the 10.127 network and, apparently, did not receive any replies. If it had, we would expect to see encaps showing return traffic from that represented by the decaps.

Assuming the host you are trying to ping in 10.127.0.0 is alive (You did confirm that, yes? I'd ping it from the ASA 5520 to verify.), I would suspect a problem in routing between the 10.127.0.0/16 and the 10.254.100.0/24 networks. I'd say the second most likely possibility is an access-list (on a router). Can you confirm and/or trace the route from 10.127.0.0's gateway, confirming that it is set up to go to the ASA?
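The encaps/decaps reading used in the replies above can be automated. The following is an added example, not part of the original thread or any Cisco tooling: it parses "show crypto ipsec sa" text and flags SAs whose counters move in only one direction. The function names and verdict labels are assumptions of this example; the sample text is trimmed from the output posted in the thread.

```python
import re
from ipaddress import ip_network

# Idents and counters trimmed from the 5520 output posted in the thread.
SAMPLE_5520 = """\
      local ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 532, #pkts encrypt: 532, #pkts digest: 532
      #pkts decaps: 536, #pkts decrypt: 536, #pkts verify: 536

    Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1794, #pkts decrypt: 1794, #pkts verify: 1794

    Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
      local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 3894, #pkts encrypt: 3894, #pkts digest: 3894
      #pkts decaps: 5256, #pkts decrypt: 5256, #pkts verify: 5256
"""
# The mirrored 10.127 SA as the 5505 reported it in the thread.
SAMPLE_5505 = """\
      local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 428, #pkts encrypt: 428, #pkts digest: 428
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"^\s*current_peer:\s*([\d.]+)")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Return one dict per SA block: local, remote, peer, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            side, addr, mask = m.groups()
            # Start a block on 'local ident': pasted output may lack the
            # 'Crypto map tag' header, as the first 5520 block above does.
            if side == "local":
                cur = {"peer": None, "encaps": None, "decaps": None}
                sas.append(cur)
            if cur is not None:
                cur[side] = str(ip_network(f"{addr}/{mask}"))
            continue
        if cur is None:
            continue
        m = PEER.match(line)
        if m:
            cur["peer"] = m.group(1)
        for name, value in COUNT.findall(line):
            cur[name] = int(value)
    return sas

def classify(sa):
    """Label an SA by which direction its packet counters are moving."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "bidirectional"
    if dec:
        return "one-way-in"   # decrypting, nothing sent back: check behind this device
    if enc:
        return "one-way-out"  # sending, nothing decrypted: check the peer's side
    return "idle"

def one_way(text):
    """(local, remote, verdict) for every SA that is not bidirectional."""
    return [(s["local"], s["remote"], classify(s))
            for s in parse_sas(text) if classify(s) != "bidirectional"]

if __name__ == "__main__":
    for finding in one_way(SAMPLE_5520) + one_way(SAMPLE_5505):
        print(finding)
```

A "one-way-in" verdict on one device paired with "one-way-out" for the mirrored idents on its peer localises the fault to the network behind the "one-way-in" device, which is the conclusion reached in the last reply for the 5520 and 10.127.0.0/16.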
