
New Member

VPN tunnel looks up but no ping

Hi,

I had a pix that had two working tunnels going to one 5510 and one 5520. Today the VPN tunnel to our 5520 stopped working but if I do sh cry isa sa both tunnels have QM_IDLE as the state. (both ends) I tried to debug crypto isakmp 255 but all I get is PEER_REAPER_TIMER and no other output on the pix side.

I'm looking for commands or something to try that could help ...


20 REPLIES
Cisco Employee

VPN tunnel looks up but no ping

Please share the output of "show cry ipsec sa" from both ends.

New Member

VPN tunnel looks up but no ping

#### 5520 ####

    Crypto map tag: Outside_map, seq num: 20, local addr: 66.xx.xx.134

      access-list Outside_cryptomap_20 permit ip 10.21.30.0 255.255.254.0 10.3.185.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.21.30.0/255.255.254.0/0/0)

      remote ident (addr/mask/prot/port): (10.3.185.0/255.255.255.0/0/0)

      current_peer: 66.xxx.xx.18

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 5739, #pkts decrypt: 5739, #pkts verify: 5739

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 66.xx.xx.134, remote crypto endpt.: 66.xxx.xx.18

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 27A6B8F0

    inbound esp sas:

      spi: 0xCAD7D446 (3403142214)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 16035840, crypto-map: Outside_map

         sa timing: remaining key lifetime (kB/sec): (4373597/25842)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0xFFFFFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x27A6B8F0 (665237744)

         transform: esp-3des esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, }

         slot: 0, conn_id: 16035840, crypto-map: Outside_map

         sa timing: remaining key lifetime (kB/sec): (4374000/25832)

         IV size: 8 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

#### pix ####

   local  ident (addr/mask/prot/port): (office_range_inside/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.21.30.0/255.255.254.0/0/0)

   current_peer: 66.xx.xx.134:500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 7665, #pkts encrypt: 7665, #pkts digest 7665

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 794, #recv errors 0

     local crypto endpt.: 66.xxx.xx.18, remote crypto endpt.: 66.xx.xx.134

     path mtu 1500, ipsec overhead 56, media mtu 1500

     current outbound spi: cad7d446

     inbound esp sas:

      spi: 0x27a6b8f0(665237744)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 3, crypto map: to_colo

        sa timing: remaining key lifetime (k/sec): (4608000/24961)

        IV size: 8 bytes

        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xcad7d446(3403142214)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel, }

        slot: 0, conn id: 4, crypto map: to_colo

        sa timing: remaining key lifetime (k/sec): (4607515/24954)

        IV size: 8 bytes

        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (office_range_inside/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)

   current_peer: 66.xx.xx.134:0

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 66.xxx.xx.18, remote crypto endpt.: 66.xx.xx.134

     path mtu 1500, ipsec overhead 0, media mtu 1500

     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Cisco Employee

VPN tunnel looks up but no ping

Based on the above output, encaps increases on the PIX end but decaps does not, and the opposite holds on the ASA end, i.e. decaps increases and encaps is zero.

That means traffic is being sent from the PIX towards the ASA end; however, either the traffic does not reach the 10.21.30.0/255.255.254.0 network, or that network is not replying or is being blocked somewhere, or there is some routing error, hence there are no encaps on the ASA end.
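The counter comparison above is the standard first check for a tunnel that is "up but no ping": if one end only encapsulates and the other only decapsulates, the IKE and IPsec SAs are fine and the problem is on one side's return path. The following is an added example (not part of the thread and not a Cisco tool) that parses the "show crypto ipsec sa" text from both ends and names the pattern each SA shows. The sample text is abbreviated from the captures posted earlier in this thread; the regexes assume the ASA 8.x / PIX output layout shown there, including the PIX variant that drops the colon after "digest" and "send errors".

```python
import re

# Constructed sample: abbreviated from the "show crypto ipsec sa" captures posted
# earlier in this thread (public addresses masked as they were in the post).
ASA_5520_SAMPLE = """\
    Crypto map tag: Outside_map, seq num: 20, local addr: 66.xx.xx.134
      local ident (addr/mask/prot/port): (10.21.30.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.185.0/255.255.255.0/0/0)
      current_peer: 66.xxx.xx.18
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5739, #pkts decrypt: 5739, #pkts verify: 5739
      #send errors: 0, #recv errors: 0
"""

PIX_SAMPLE = """\
   local  ident (addr/mask/prot/port): (office_range_inside/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.21.30.0/255.255.254.0/0/0)
   current_peer: 66.xx.xx.134:500
    #pkts encaps: 7665, #pkts encrypt: 7665, #pkts digest 7665
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 794, #recv errors 0
   local  ident (addr/mask/prot/port): (office_range_inside/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.4.1.0/255.255.255.0/0/0)
   current_peer: 66.xx.xx.134:0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

# Field patterns. The PIX omits the colon after "send errors"; the ASA keeps it.
LOCAL_RE = re.compile(r"local\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
SENDERR_RE = re.compile(r"#send errors:?\s*(\d+)")

# What each counter pattern usually means, and where to look next.
HINTS = {
    "bidirectional": "traffic flows both ways; the SA itself is healthy",
    "send-only": "this end encrypts but never receives: check the peer's decaps "
                 "and the return route / crypto ACL on the far side",
    "receive-only": "this end decrypts but never sends back: check that return "
                    "traffic is routed to this device and matched by the crypto "
                    "ACL and NAT exemption",
    "idle": "no traffic in either direction; nothing has selected this SA yet",
}


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one record per local/remote pair."""
    starts = [m.start() for m in LOCAL_RE.finditer(text)]
    records = []
    for i, start in enumerate(starts):
        # Each SA block runs from its 'local ident' line to the next one.
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        block = text[start:end]

        def grab(rx, default="?"):
            m = rx.search(block)
            return m.group(1) if m else default

        records.append({
            "local": grab(LOCAL_RE),
            "remote": grab(REMOTE_RE),
            "peer": grab(PEER_RE),
            "encaps": int(grab(ENCAPS_RE, "0")),
            "decaps": int(grab(DECAPS_RE, "0")),
            "send_errors": int(grab(SENDERR_RE, "0")),
        })
    return records


def classify(rec):
    """Name the traffic pattern the encaps/decaps counters show."""
    if rec["encaps"] and rec["decaps"]:
        return "bidirectional"
    if rec["encaps"]:
        return "send-only"
    if rec["decaps"]:
        return "receive-only"
    return "idle"


def diagnose(text):
    """Return (remote selector, classification, hint) for every SA in the output."""
    return [(r["remote"], classify(r), HINTS[classify(r)])
            for r in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for label, sample in (("ASA 5520", ASA_5520_SAMPLE), ("PIX", PIX_SAMPLE)):
        for remote, state, hint in diagnose(sample):
            print(f"{label}: to {remote}: {state} ({hint})")
```

Run against the two captures, the ASA side reports "receive-only" for 10.3.185.0/24 and the PIX side "send-only" for 10.21.30.0/23 (plus an idle SA for the 10.4.1.0/24 VPN pool), which is exactly the asymmetry the reply describes. The 794 send errors on the PIX are kept in the record because a rising value there, with decaps stuck at zero, is worth watching separately.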

New Member

VPN tunnel looks up but no ping

What could cause an issue like this, since this was working yesterday and just magically stopped working today? I can still use my VPN client to access the 5520, connecting to the same network as the site-to-site.

If there is any information from the 5520 that would be helpful I can get that...

Cisco Employee

VPN tunnel looks up but no ping

Well, that is the useful information from the output of "show cry ipsec sa" showing exactly where it is failing.

You would need to further investigate back towards your LAN network and see where it's failing.

If there are no changes on the ASA, there might be changes on your other network devices.

If you can still use your VPN client, then possibly it doesn't know how to route back towards the remote LAN subnet (10.3.185.0/24).

New Member

VPN tunnel looks up but no ping

I'm lost right now trying to find the solution for this problem... What other information would you need to troubleshoot this issue? Do you know of anyone that might be interested in looking deeper into this issue? (consulting)

New Member

VPN tunnel looks up but no ping

If I do icmp trace and ping from the inside of our pix side to the inside of the asa side, I see the ping return but it never gets encapsulated...

ICMP echo request from outside:10.3.185.106 to inside:10.21.31.56 ID=21782 seq=12 len=56

ICMP echo reply from inside:10.21.31.56 to outside:10.3.185.106 ID=21782 seq=12 len=56

Looks like there is a bug in 8.2.1 that I think I'm hitting.

CSCtb53186 Duplicate ASP crypto table entry causes firewall to not encrypt traffic

I found that a reboot will clear this up but is there another way?

Cisco Employee

VPN tunnel looks up but no ping

Do you mean you did a reload and that fixed the issue?

If that is the case, I would suggest upgrading to the latest version of 8.2.x.

New Member

Re: VPN tunnel looks up but no ping

Hey Freddy, did a reboot fix it for you, mate? Which code do you run? I seem to have a similar issue, but mine is related to the ASA 5540 running 8.4(2), which is not natting my tunnel traffic even though my nat statements are perfect and the packet tracer output shows everything to be okay!

W E I R D!

*having sleepless nights*

New Member

Re: VPN tunnel looks up but no ping

I will reload tonight. I'm using a 5520 8.2(1) looking to upgrade to 8.2(5). Is that easy, btw? I have 2 5520s in active/active..

Sent from Cisco Technical Support iPad App

Cisco Employee

Re: VPN tunnel looks up but no ping

Yup, pretty easy. You can pre-upload the software to both ASAs.

Then when you are ready to reload it, just change the "boot system" to the latest software, save the config, and reload.

Here are the steps for your reference for Active/Active failover:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/admin_swconfig.html#wp1057555

New Member

Re: VPN tunnel looks up but no ping

Let us know how you go, mate. I am very reluctant to bounce my ASA as it is in a multitenant environment and being accessed 24/7.. a downtime would be $$$.. so much for managing and setting up a whole ASA all by myself. I wish I had a team to discuss my problems with. lol

New Member

Re: VPN tunnel looks up but no ping

Hi Guys,

This weekend I reloaded both active and standby asa but I'm still having the same issue with the one broken tunnel.

I tried re-creating the tunnel and that did not work. I have used two pixes on the other end but they both give the same issue... Full connection BUT one side does encaps and the other decaps only!

My next step is to get 8.2(5) and do an upgrade this week.

I have other L2L tunnels working + I have about 10 user VPN connections going to this same asa. This is just crazy, everything looks good to me...

Cisco Employee

Re: VPN tunnel looks up but no ping

It doesn't quite sound like an ASA issue if other tunnels are working and the VPN client is also working, plus you have already reloaded the unit as well.

Please check that you have the correct route back for this particular remote LAN network.

This is exactly what Mikull experienced on his network, and it ended up being a switch failure causing incorrect routing, so traffic destined to a particular remote LAN network was not being routed back towards the ASA.

New Member

Re: VPN tunnel looks up but no ping

I think you might be correct... It's not fixed yet, but this is what I have done so far...

- rebooted asa5020

- upgraded asa5020 to 8.2.5

- upgraded pix to asa5005

After all these changes everything came back up but I'm still getting encaps/decaps issues on the same tunnel which is now 5005 <--> 5020.

I think I'll have some time to do more tracing on for routing issues today...

(btw I didn't get the 5005 for this issue, that was an upgrade that was needed... )

New Member

Re: VPN tunnel looks up but no ping

asa5005-inside: 10.3.85.0

asa5020-inside: 10.21.31.0

When I do a debug icmp trace on both asa I get this:

From asa5020-inside:

asa5020: ICMP echo request from inside:10.21.31.103 to outside:10.3.185.200 ID=21447 seq=0 len=56

asa5005: nothing

From asa5005-inside:

asa5005: ICMP echo request from inside:10.3.185.106 to outside:10.21.31.56 ID=12206 seq=0 len=56

asa5020: ICMP echo request from outside:10.3.185.106 to inside:10.21.31.56 ID=12209 seq=3 len=56

asa5020: ICMP echo reply from inside:10.21.31.56 to outside:10.3.185.106 ID=12209 seq=3 len=56

so I guess there is something in my asa5020 config that is not routing the asa5005-inside network through vpn...

Cisco Employee

Re: VPN tunnel looks up but no ping

Do you mind sharing the config from both ends? We might be able to spot something.

NAT exemption perhaps?

New Member

Re: VPN tunnel looks up but no ping

ASA 5520 Side:

hostname asatp

domain-name mycorp.com

names

name 10.3.185.0 hq-office-network

name 64.xx.xx.227 company-smpp-gw

name 192.168.200.0 datacenter2-inside-network

name 172.16.1.0 datacenter2-dmz-network

name 10.21.30.0 datacenter-inside-network

name 10.4.1.0 datacenter-vpn-network

dns-guard

!

interface GigabitEthernet0/0

speed 1000

duplex full

nameif outside

security-level 0

ip address 66.xx.xx.134 255.255.255.192 standby 66.xx.xx.133

!

interface GigabitEthernet0/1

speed 1000

duplex full

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

speed 1000

duplex full

nameif inside

security-level 100

ip address 10.21.31.254 255.255.254.0 standby 10.21.31.253

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

speed 1000

duplex full

!

interface Management0/0

nameif mgmt

security-level 100

ip address 10.21.99.4 255.255.255.0 standby 10.21.99.5

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring 4 Sun Mar 2:00 2 Sun Nov 2:00

dns domain-lookup inside

dns server-group DefaultDNS

name-server 10.21.31.20

name-server 192.168.200.16

name-server 4.2.2.1

domain-name mycorp.com

same-security-traffic permit intra-interface

object-group network webservers

network-object host 66.xx.xx.149

network-object host 66.xx.xx.155

network-object host 66.xx.xx.156

network-object host 66.xx.xx.157

network-object host 66.xx.xx.158

network-object host 66.xx.xx.159

network-object host 66.xx.xx.146

network-object host 66.xx.xx.160

network-object host 66.xx.xx.143

network-object host 66.xx.xx.148

network-object host 66.xx.xx.152

object-group service DM_INLINE_TCP_1 tcp

port-object eq www

port-object eq https

object-group service DM_INLINE_TCP_2 tcp

port-object eq www

port-object eq https

access-list main_acl extended permit tcp host 74.xx.y.148 host 66.xx.xx.139 eq ssh inactive

access-list main_acl extended permit udp host 74.xx.x.74 any

access-list main_acl extended permit tcp host 74.xx.x.77 host 66.xx.xx.139 eq ssh inactive

access-list main_acl extended permit tcp host 74.xx.x.77 host 66.xx.xx.140 eq ssh inactive

access-list main_acl extended permit tcp host 74.xx.y.148 host 66.xx.xx.140 eq ssh inactive

access-list main_acl extended permit tcp 63.yyy.yy.0 255.255.255.248 host 66.xx.xx.139 eq ssh inactive

access-list main_acl extended permit tcp 63.yyy.yy.0 255.255.255.248 host 66.xx.xx.140 eq ssh inactive

access-list main_acl extended permit tcp any host 66.xx.xx.139 eq ssh inactive

access-list main_acl extended permit esp any host 66.xx.xx.134

access-list main_acl extended permit udp any host 66.xx.xx.134 eq isakmp

access-list main_acl extended permit udp any host 66.xx.xx.134 eq 4500

access-list main_acl extended permit tcp any host 66.xx.xx.134 eq 4500

access-list main_acl extended permit tcp any host 66.xx.xx.134 eq https

access-list main_acl extended permit tcp any host 66.xx.xx.134 eq www

access-list main_acl extended permit tcp host 74.10.37.114 host 66.xx.xx.139 eq ssh inactive

access-list main_acl extended permit tcp any object-group webservers eq www

access-list main_acl extended permit tcp any object-group webservers eq https

access-list main_acl extended permit icmp any any

access-list main_acl extended permit icmp any any echo

access-list main_acl extended permit icmp any any echo-reply

access-list main_acl extended permit icmp any any time-exceeded

access-list main_acl extended permit tcp any host 66.xx.xx.155 eq www

access-list main_acl extended permit tcp any host 66.xx.xx.155 object-group DM_INLINE_TCP_1

access-list main_acl extended permit tcp any host 66.xx.xx.156 object-group DM_INLINE_TCP_2

access-list main_acl extended permit tcp any host 66.xx.xx.153 eq smtp

access-list Outside_cryptomap_20 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-inside-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 10.1.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 10.2.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-dmz-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-inside-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-dmz-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-inside-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-dmz-network 255.255.255.0

access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-inside-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 10.1.1.0 255.255.255.0

access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 10.2.1.0 255.255.255.0

access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter-vpn-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-inside-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 10.2.1.0 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 datacenter2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip 10.21.99.0 255.255.255.0 datacenter-vpn-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-inside-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 10.2.1.0 255.255.255.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 10.1.1.0 255.255.255.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 hq-office-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter2-dmz-network 255.255.255.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 datacenter-inside-network 255.255.254.0

access-list nonat10 extended permit ip datacenter-vpn-network 255.255.255.0 10.21.99.0 255.255.255.0

access-list mycorptp_splitacl standard permit datacenter2-inside-network 255.255.255.0

access-list mycorptp_splitacl standard permit hq-office-network 255.255.255.0

access-list mycorptp_splitacl standard permit 10.1.1.0 255.255.255.0

access-list mycorptp_splitacl standard permit datacenter-inside-network 255.255.254.0

access-list mycorptp_splitacl standard permit 10.21.99.0 255.255.255.0

access-list mycorptp_splitacl standard permit datacenter-vpn-network 255.255.255.0

access-list mycorptp_splitacl standard permit datacenter2-dmz-network 255.255.255.0

access-list mycorptp_splitacl standard permit host company-smpp-gw

access-list mgmt-in extended permit ip 10.0.0.0 255.0.0.0 any

access-list mgmt-in extended permit tcp 10.0.0.0 255.0.0.0 10.21.99.0 255.255.255.0

access-list policy-nat extended permit ip datacenter-inside-network 255.255.254.0 host company-smpp-gw

access-list policy-nat extended permit ip 66.xx.xx.128 255.255.255.192 host company-smpp-gw

access-list Outside_cryptomap_30 extended permit ip 66.xx.xx.128 255.255.255.192 host company-smpp-gw inactive

access-list Outside_cryptomap_30 extended permit ip datacenter-inside-network 255.255.254.0 host company-smpp-gw

pager lines 48

logging enable

logging timestamp

logging buffer-size 16000

logging buffered informational

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu mgmt 1500

ip local pool ippool 10.4.1.1-10.4.1.100 mask 255.255.255.0

failover

failover lan unit primary

failover lan interface state GigabitEthernet0/3

failover polltime unit 5 holdtime 15

failover polltime interface 6 holdtime 30

failover interface-policy 50%

failover link state GigabitEthernet0/3

failover interface ip state 192.168.99.1 255.255.255.252 standby 192.168.99.2

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-623.bin

no asdm history enable

arp timeout 14400

global (outside) 1 66.xx.xx.135 netmask 255.255.255.192

nat (inside) 0 access-list nonat10

nat (inside) 1 0.0.0.0 0.0.0.0

nat (mgmt) 0 access-list nonat10

nat (mgmt) 1 0.0.0.0 0.0.0.0

static (inside,outside) 66.xx.xx.139 10.21.31.111 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.149 10.21.30.64 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.155 10.21.31.101 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.156 10.21.31.202 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.157 10.21.31.204 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.158 10.21.31.205 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.159 10.21.31.200 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.146 10.21.30.62 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.160 10.21.31.203 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.143 10.21.31.201 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.148 10.21.31.207 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.152 10.21.31.206 netmask 255.255.255.255

static (inside,outside) 66.xx.xx.153 10.21.31.67 netmask 255.255.255.255

access-group main_acl in interface outside

access-group mgmt-in in interface mgmt

route outside 0.0.0.0 0.0.0.0 66.xx.xx.129 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication enable console LOCAL

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

aaa authentication telnet console LOCAL

aaa authorization command LOCAL

http server enable

http 10.21.31.0 255.255.255.0 inside

http 10.0.0.0 255.0.0.0 inside

http 10.21.31.0 255.255.255.0 mgmt

http datacenter-vpn-network 255.255.255.0 inside

http datacenter-vpn-network 255.255.255.0 mgmt

http authentication-certificate mgmt

http redirect outside 80

snmp-server host inside 10.21.31.103 poll community *****

snmp-server contact it@mycorp.com

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

service resetoutside

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set company_TRANSFORM_SET esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 10 match address Outside_cryptomap_10

crypto map Outside_map 10 set pfs

crypto map Outside_map 10 set peer 74.xx.x.74

crypto map Outside_map 10 set transform-set ESP-3DES-MD5

crypto map Outside_map 20 match address Outside_cryptomap_20

crypto map Outside_map 20 set pfs

crypto map Outside_map 20 set peer 66.xxx.xx.18

crypto map Outside_map 20 set transform-set ESP-3DES-MD5

crypto map Outside_map 30 match address Outside_cryptomap_30

crypto map Outside_map 30 set peer 64.xx.xx.230

crypto map Outside_map 30 set transform-set company_TRANSFORM_SET

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map Outside_map interface outside

crypto ca trustpoint ASATP

enrollment self

subject-name CN=ymtpasa.mycorp.com

crl configure

crypto ca certificate map ymtpcert 10

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

vpn-addr-assign local reuse-delay 10

telnet 10.21.31.0 255.255.255.0 inside

telnet 10.21.31.0 255.255.255.0 mgmt

telnet 10.21.99.0 255.255.255.0 mgmt

telnet timeout 5

ssh datacenter2-inside-network 255.255.255.0 outside

ssh 10.0.0.0 255.0.0.0 inside

ssh datacenter2-inside-network 255.255.255.0 inside

ssh timeout 60

ssh version 2

console timeout 0

management-access inside

dhcpd dns 10.21.31.20 192.168.200.16

dhcpd domain mycorp.com

!

threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 10.21.31.254 source inside

ssl certificate-authentication interface mgmt port 443

webvpn

enable outside

svc enable

group-policy DfltGrpPolicy attributes

vpn-filter value mycorptp_splitacl

vpn-tunnel-protocol svc

group-policy companyGrpPolicy internal

group-policy companyGrpPolicy attributes

vpn-idle-timeout 30

vpn-filter value Outside_cryptomap_30

vpn-tunnel-protocol IPSec l2tp-ipsec

group-policy ymVpnGrpPolicy internal

group-policy ymVpnGrpPolicy attributes

dns-server value 10.21.31.20 192.168.200.16

vpn-idle-timeout 300

vpn-session-timeout none

vpn-tunnel-protocol IPSec svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value mycorptp_splitacl

default-domain value mycorp.com

address-pools value ippool

group-policy site2site internal

group-policy site2site attributes

vpn-filter value mycorptp_splitacl

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 74.xx.x.74 type ipsec-l2l

tunnel-group 74.xx.x.74 general-attributes

default-group-policy site2site

tunnel-group 74.xx.x.74 ipsec-attributes

pre-shared-key *****

tunnel-group 66.xxx.xx.18 type ipsec-l2l

tunnel-group 66.xxx.xx.18 general-attributes

default-group-policy site2site

tunnel-group 66.xxx.xx.18 ipsec-attributes

pre-shared-key *****

tunnel-group ymtpssl type remote-access

tunnel-group ymtpssl general-attributes

address-pool ippool

tunnel-group 64.xx.xx.230 type ipsec-l2l

tunnel-group 64.xx.xx.230 general-attributes

default-group-policy companyGrpPolicy

tunnel-group 64.xx.xx.230 ipsec-attributes

pre-shared-key *****

tunnel-group mycorp type remote-access

tunnel-group mycorp general-attributes

address-pool ippool

default-group-policy ymVpnGrpPolicy

tunnel-group mycorp ipsec-attributes

pre-shared-key *****

ASA 5005 side:

domain-name mycorp.com

names

name 192.168.200.0 datacenter2-inside-network

name 10.21.30.0 datacenter-inside-network

name 10.3.185.0 hq_office_inside

name 172.16.1.0 datacenter2-dmz-network

name 10.2.1.0 datacenter2-vpn-network

name 10.1.1.0 datacenter2-mgmt-network

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.3.185.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 66.xxx.xx.18 255.255.255.128

!

ftp mode passive

dns server-group DefaultDNS

domain-name mycorp.com

access-list outside_cryptomap_1 extended permit ip hq_office_inside 255.255.255.

access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0 

access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0 

access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0 

access-list outside_cryptomap extended permit ip hq_office_inside 255.255.255.0 

access-list nonat extended permit ip hq_office_inside 255.255.255.0 datacenter2-insid

access-list nonat extended permit ip hq_office_inside 255.255.255.0 datacenter-

access-list mycorp_splitacl standard permit datacenter2-inside-network 255.255.255.0

access-list mycorp_splitacl standard permit hq_office_inside 255.255.255.0

access-list mycorp_splitacl standard permit datacenter-inside-network 255.255.

access-list mycorp_splitacl standard permit datacenter2-mgmt-network 255.255.255.0

access-list mycorp_splitacl standard permit datacenter2-vpn-network 255.255.255.0

access-list mycorp_splitacl standard permit 10.3.1.0 255.255.255.0

access-list mycorp_splitacl standard permit 10.4.1.0 255.255.255.0

pager lines 24

logging asdm informational

mtu inside 1500

mtu outside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list nonat

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 66.xxx.xx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

http server enable

http server session-timeout 30

http hq_office_inside 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set pfs

crypto map outside_map0 1 set peer 74.xx.x.74

crypto map outside_map0 1 set transform-set ESP-DES-MD5 ESP-3DES-MD5

crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 2 set pfs

crypto map outside_map0 2 set peer 66.xx.xx.134

crypto map outside_map0 2 set transform-set ESP-DES-MD5 ESP-3DES-MD5

crypto map outside_map0 interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh hq_office_inside 255.255.255.0 inside

ssh timeout 5

ssh version 2

console timeout 0

dhcpd auto_config outside

!

dhcpd address 10.3.185.100-10.3.185.200 inside

dhcpd dns 4.2.2.2 10.21.31.20 interface inside

dhcpd domain mycorp.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

group-policy ymsite2site internal

group-policy ymsite2site attributes

vpn-filter value mycorp_splitacl

vpn-tunnel-protocol IPSec l2tp-ipsec

tunnel-group 66.xx.xx.134 type ipsec-l2l

tunnel-group 66.xx.xx.134 general-attributes

default-group-policy ymsite2site

tunnel-group 66.xx.xx.134 ipsec-attributes

pre-shared-key *****

tunnel-group 74.xx.x.74 type ipsec-l2l

tunnel-group 74.xx.x.74 general-attributes

default-group-policy ymsite2site

tunnel-group 74.xx.x.74 ipsec-attributes

pre-shared-key *****

Cisco Employee

Re: VPN tunnel looks up but no ping

This ACL line overlaps with the actual crypto ACL "Outside_cryptomap_20"

access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0

Please kindly remove the above line, then clear all tunnels so it renegotiates the correct SA.
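The reason that one ACE breaks the tunnel is that the ASA walks the crypto map in ascending sequence order and the first ACE that matches the packet decides which map entry, and therefore which peer, the traffic is sent to. The duplicate hq-office line in Outside_cryptomap_10 (seq 10, peer 74.xx.x.74) therefore claims the 10.21.30.0/23 to 10.3.185.0/24 traffic before seq 20 (peer 66.xxx.xx.18) is ever consulted, which matches the zero encaps seen on the 5520 for that SA. The following is an added example (not code from the thread or from Cisco) that reads the "name", "access-list ... permit ip" and "crypto map ... match address" lines of an 8.2-style config and reports any ACE in a higher-sequence entry that is already covered by a lower-sequence entry of the same map. The sample config is the relevant subset of the 5520 config posted above; only "permit ip" ACEs with "any", "host X" or "X MASK" operands are parsed, which is an assumption about the configs it will be pointed at.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: the name, access-list and crypto map lines from the ASA 5520
# config posted in this thread that matter for the hq-office tunnel (peers masked).
SAMPLE_CONFIG = """\
name 10.3.185.0 hq-office-network
name 192.168.200.0 datacenter2-inside-network
name 10.21.30.0 datacenter-inside-network
access-list Outside_cryptomap_20 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 datacenter2-inside-network 255.255.255.0
access-list Outside_cryptomap_10 extended permit ip datacenter-inside-network 255.255.254.0 hq-office-network 255.255.255.0
crypto map Outside_map 10 match address Outside_cryptomap_10
crypto map Outside_map 10 set peer 74.xx.x.74
crypto map Outside_map 20 match address Outside_cryptomap_20
crypto map Outside_map 20 set peer 66.xxx.xx.18
"""


def _address(tokens, names):
    """Consume one ACE address spec ('any', 'host X' or 'X MASK') from tokens.
    Returns the network and the remaining tokens; 'name' aliases are resolved."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        ip = names.get(tokens[1], tokens[1])
        return ipaddress.ip_network(ip + "/32"), tokens[2:]
    ip = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{ip}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Collect 'name' aliases, permit-ip ACEs per ACL, and crypto map seq -> ACL."""
    names, acls, crypto_map = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"name (\S+) (\S+)$", line)
        if m:
            names[m.group(2)] = m.group(1)
            continue
        m = re.match(r"access-list (\S+) extended permit ip (.+)$", line)
        if m:
            src, rest = _address(m.group(2).split(), names)
            dst, _ = _address(rest, names)
            acls.setdefault(m.group(1), []).append((src, dst))
            continue
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line)
        if m:
            crypto_map[(m.group(1), int(m.group(2)))] = m.group(3)
    return names, acls, crypto_map


def find_shadowed_crypto_aces(config_text):
    """Report ACEs of a higher-sequence crypto map entry that a lower-sequence
    entry in the same map already matches; the lower entry (and its peer) wins."""
    _, acls, crypto_map = parse_config(config_text)
    findings = []
    # sorted() orders by (map name, seq), so seq_a < seq_b within one map.
    for (map_a, seq_a), (map_b, seq_b) in combinations(sorted(crypto_map), 2):
        if map_a != map_b:
            continue
        for src_a, dst_a in acls.get(crypto_map[(map_a, seq_a)], []):
            for src_b, dst_b in acls.get(crypto_map[(map_b, seq_b)], []):
                if src_a.overlaps(src_b) and dst_a.overlaps(dst_b):
                    findings.append({
                        "map": map_a,
                        "winner_seq": seq_a,
                        "winner_acl": crypto_map[(map_a, seq_a)],
                        "winner_ace": f"{src_a} -> {dst_a}",
                        "shadowed_seq": seq_b,
                        "shadowed_acl": crypto_map[(map_b, seq_b)],
                        "shadowed_ace": f"{src_b} -> {dst_b}",
                    })
    return findings


if __name__ == "__main__":
    for f in find_shadowed_crypto_aces(SAMPLE_CONFIG):
        print(f"{f['map']} seq {f['shadowed_seq']} ({f['shadowed_acl']}: "
              f"{f['shadowed_ace']}) is shadowed by seq {f['winner_seq']} "
              f"({f['winner_acl']}: {f['winner_ace']})")
```

On the sample it reports the single overlap the reply points at: Outside_map seq 20's 10.21.30.0/23 -> 10.3.185.0/24 ACE is shadowed by the same ACE in seq 10. Partial overlaps (a /16 in one entry, a /24 inside it in another) are reported too, since `overlaps()` is used rather than equality; those are the harder-to-spot variant of the same misconfiguration.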

New Member

Re: VPN tunnel looks up but no ping

Thank you SOO much Jennifer, that was awesome! ...

Deleted that one line and cleared, and I was up and ready to go...

Now I have another question but it's somewhat unrelated, so I'll start a new thread...
