VPN Tunnel up, But cannot ping across it??

I have an L2L VPN tunnel from a 5520 to a 5510, with Cisco 2941s on each end of the ASAs. I cannot ping from my local 2941 to the remote 2941. The tunnel doesn't block ICMP, and I have multiple other sites configured with the same equipment working. I have set up a debug icmp trace, and I can see on both ASAs that when the ping is initiated it makes it to the ASA it is connected to but never gets across. Please help, this is the last step in finishing my project.

29 REPLIES
Community Member

Re: VPN Tunnel up, But cannot ping across it??

Is your traffic included in the NAT-0 ACL?

Community Member

Re: VPN Tunnel up, But cannot ping across it??

It doesn't have one. The setup is that the 5520 carries individual VPNs to multiple 5510s. There is a default access-list 100 extended permit ip any any; then I build access lists based on the crypto maps to each individual 5510. I have the exact same configuration on other tunnels on the 5520 going to different 5510s with 2941s on the opposite side, and it works fine. From what I can tell the configuration for this one is exactly the same, yet no ping response. When I ping from my local 2941 to the local 5520, this is the icmp debug print:

YPG-ASA5520-1(config)# ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=0 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=1 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=2 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=3 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=4 len=72

So it sees the request coming in, and it shows it sending the request to the outside interface, but no response. I get the same thing from the opposite end. So the 2941 to the local ASA seems to be getting the request; it just doesn't seem to be getting across the tunnel, or able to find its way back.

Re: VPN Tunnel up, But cannot ping across it??

Is it possible for you to post the configuration for both sides and the interesting traffic definitions?

Manish

Community Member

Re: VPN Tunnel up, But cannot ping across it??

The one I am having an issue with is outside_3_cryptomap going to peer 140.32.132.73. On the local side I have a 2941 with a 10.10.10.0/24 address, and on the remote end I have a 2941 with a 10.10.50.0/24 IP address. I should be able to ping from the local side to the remote side's 10.10.50.2 address, but I cannot.

~~~ LOCAL END ~~~

YPG-ASA5520-1# show run
: Saved
:
ASA Version 8.2(1)
!
hostname YPG-ASA5520-1
names
name 10.1.25.18 test
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 6.7.0.13 255.255.254.0
!
interface GigabitEthernet0/1
nameif internal
security-level 0
ip address 10.0.2.166 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1522
mtu internal 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 6.7.0.1 1
route inside 10.1.25.0 255.255.255.0 10.10.10.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.2.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 140.32.167.58
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 140.32.171.2
crypto map outside_map 2 set transform-set ESP-DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 140.32.132.73
crypto map outside_map 3 set transform-set ESP-DES-SHA

crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 140.32.167.58 type ipsec-l2l
tunnel-group 140.32.167.58 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.171.2 type ipsec-l2l
tunnel-group 140.32.171.2 ipsec-attributes
pre-shared-key *
tunnel-group 131.120.38.2 type ipsec-l2l
tunnel-group 131.120.38.2 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.132.73 type ipsec-l2l
tunnel-group 140.32.132.73 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e1d9cd4c9ae0fbe643d031975c48cbd0
: end
YPG-ASA5520-1#

~~~ REMOTE END ~~~

NPS-ASA5510# show run
: Saved
:
ASA Version 8.2(1)
!
hostname NPS-ASA5510
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 140.32.132.73 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif internal
security-level 0
ip address 192.168.103.2 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging console debugging
logging asdm informational
mtu outside 1500
mtu internal 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 140.32.132.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.103.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 6.7.0.13
crypto map outside_map 10 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 6.7.0.13 type ipsec-l2l
tunnel-group 6.7.0.13 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a073c919957e60ffea64717b4e8e4097
: end
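The two configurations above can be checked mechanically for the property a crypto ACL has to satisfy: every source/destination pair selected on one peer must appear reversed on the other, and no pair should select the peers' own outside networks, since IKE and ESP between the endpoints must travel in the clear. The following is an added example, not code from the thread or from Cisco; the configuration excerpts are constructed from the lines posted above, and the function names are mine.

```python
"""Check that the crypto ACLs on two ASA peers mirror each other.

Added example, not from the thread. Parses 'access-list ... extended permit ip'
and 'crypto map ... match address / set peer' lines, then reports, for the
crypto map entry that points at the other peer, which local (src, dst) pairs
have no reversed counterpart on the far side and which pairs would select the
tunnel endpoints' own networks for encryption.
"""
import ipaddress
import re
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]  # (source network, destination network) in CIDR form

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")


def _net(addr: str, mask: str) -> str:
    """'10.10.10.0', '255.255.255.0' -> '10.10.10.0/24'."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_crypto_config(config: str) -> Dict[str, Set[Pair]]:
    """Map each crypto map peer to the (src, dst) pairs its match-address ACL selects."""
    acls: Dict[str, Set[Pair]] = {}
    entries: Dict[Tuple[str, str], Dict[str, str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            acls.setdefault(name, set()).add((_net(sa, sm), _net(da, dm)))
        elif m := MAP_RE.match(line):
            name, seq, field, value = m.groups()
            entries.setdefault((name, seq), {})[field] = value
    by_peer: Dict[str, Set[Pair]] = {}
    for fields in entries.values():
        if "set peer" in fields and "match address" in fields:
            by_peer[fields["set peer"]] = acls.get(fields["match address"], set())
    return by_peer


def unmirrored_pairs(local: Set[Pair], remote: Set[Pair]) -> Set[Pair]:
    """Local pairs whose reverse (dst, src) is missing on the remote peer."""
    return {(s, d) for s, d in local if (d, s) not in remote}


def pairs_covering_endpoints(pairs: Set[Pair], peer_a: str, peer_b: str) -> Set[Pair]:
    """Pairs that would match traffic between the tunnel endpoints themselves."""
    a, b = ipaddress.ip_address(peer_a), ipaddress.ip_address(peer_b)
    hits = set()
    for src, dst in pairs:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if (a in s and b in d) or (b in s and a in d):
            hits.add((src, dst))
    return hits


def check_tunnel(hub_cfg: str, spoke_cfg: str, hub_ip: str, spoke_ip: str) -> Dict[str, Set[Pair]]:
    """Compare the hub's crypto map entry for the spoke with the spoke's entry for the hub."""
    hub_pairs = parse_crypto_config(hub_cfg).get(spoke_ip, set())
    spoke_pairs = parse_crypto_config(spoke_cfg).get(hub_ip, set())
    return {
        "hub_unmirrored": unmirrored_pairs(hub_pairs, spoke_pairs),
        "spoke_unmirrored": unmirrored_pairs(spoke_pairs, hub_pairs),
        "hub_covers_endpoints": pairs_covering_endpoints(hub_pairs, hub_ip, spoke_ip),
        "spoke_covers_endpoints": pairs_covering_endpoints(spoke_pairs, hub_ip, spoke_ip),
    }


# Constructed excerpts of the two configurations posted in the thread.
HUB_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 140.32.167.58
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 140.32.132.73
"""

SPOKE_CONFIG = """\
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 6.7.0.13
"""

if __name__ == "__main__":
    for key, pairs in check_tunnel(HUB_CONFIG, SPOKE_CONFIG, "6.7.0.13", "140.32.132.73").items():
        print(key, sorted(pairs))
```

Run against the excerpts, the hub's entry is fully mirrored, while the spoke carries two pairs with no counterpart on the hub: the stale 10.10.40.0/24 entry and the 140.32.132.0/24 to 6.7.0.0/24 entry, which also covers both outside addresses and is the line one reply below singles out.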

Community Member

Re: VPN Tunnel up, But cannot ping across it??

I would use packet tracer to troubleshoot this. It's much more accurate at finding the problem. You can simulate the traffic and watch what phase it fails on as it passes through the firewall. This will identify whether it is a NAT problem or an ACL typo or whatever.

I found a good little intro demo in case you're not familiar with it:

http://www.cisco.com/E-Learning/bulk/public/celc/QLM_ASA_72_01_Final/course_skin.html

Community Member

Re: VPN Tunnel up, But cannot ping across it??

I'm thinking the problem is at the new remote site as the other remotes are all working.

This line stands out as being not correct.

access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0

It is probably causing your FW to encrypt the traffic it needs to send ISAKMP in clear text with. Try removing that line.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

OK, I erased that line and also the one like it on the remote end. Still no success. The 2941 on the remote side has a default route of 10.10.50.1, which is the inside interface of the ASA. It seems like the ASA isn't routing the request to the 2941?

Community Member

Re: VPN Tunnel up, But cannot ping across it??

I only saw that line on the remote site. Are you saying it was configured on the hub router too?

Try using the packet tracer. That will tell us right off the bat where our problem lies.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

OK, I initiated the packet tracer. I have never done this before, but here is how I set it up. For interface type I selected inside, and then for source IP I put the IP of the 2941 from my local side. For the destination I put the IP of the 2941 on the remote side. I selected ICMP and hit start. When it was finished it said for the result "the packet is allowed", but when I initiate this ping from the actual 2941, it does not work.

For the remote ASA the ASDM is not set up, so I do not know how to do the packet tracer from that side.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

hmmm, strange...

The command from the CLI is: packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port detailed

Give that a shot for the other office.

ASAs and PIXes are a bit buggy with VPN. Try reloading the remote firewall. I know this sounds stupid, but I have pulled my hair out before for hours and had a reload do the trick.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

OK, I will give it a shot. Is it true that you cannot SSH or Telnet from an ASA to another router?

Community Member

Re: VPN Tunnel up, But cannot ping across it??

That is true. They also will not respond to pings on their outside interfaces by default and block traceroutes.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

No success with the reload. This really has me baffled. I'm going to have the techs on the remote side send me a printout of the 2941 configuration. I am pretty sure their default route is set to the ASA, but I should double check.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

Default routes on the 2941s are set. I do not understand why I cannot ping across my VPN. Anyone have any ideas or solutions to test?

Community Member

Re: VPN Tunnel up, But cannot ping across it??

Everything else looks fine. Two last ideas...

1. Maybe the PSK got mistyped. Remove and replace on both sides.

2. Reload on the hub site firewall?

Community Member

Re: VPN Tunnel up, But cannot ping across it??

If the PSK was wrong, would the tunnel come up? Because the tunnel is working. I will reset the key anyhow. I cannot currently reload the hub because it is carrying traffic for other sites, but on my next maintenance window I will do this as well.

Re: VPN Tunnel up, But cannot ping across it??

Post sh crypto ipsec sa from both sides. Try to ping and see if the decrypt or encrypt counters increase with the ping packets.

Also, post sh logging output (parts showing 10.10.x.x network errors only).

And debug crypto ipsec sa output with some traffic.

Thanks

Manish

Re: VPN Tunnel up, But cannot ping across it??

If the PSK was wrong the tunnel or SA will never establish.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

When I initiated the ping I didn't see the packet counter going up. Also, the debug crypto ipsec didn't generate anything...

!! LOCAL 5520 !!

YPG-ASA5520-1# sh crypto ipsec sa peer 140.32.132.73
peer address: 140.32.132.73
    Crypto map tag: outside_map, seq num: 3, local addr: 6.7.0.13

      access-list outside_3_cryptomap permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      current_peer: 140.32.132.73

      #pkts encaps: 283, #pkts encrypt: 283, #pkts digest: 283
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 283, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 6.7.0.13, remote crypto endpt.: 140.32.132.73

      path mtu 1522, ipsec overhead 58, media mtu 1500
      current outbound spi: C0D8CF16

    inbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15613952, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/27760)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 15613952, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914984/27759)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

YPG-ASA5520-1#

!! REMOTE 5510 !!

NPS-ASA5510# show crypto ipsec sa peer 6.7.0.13
peer address: 6.7.0.13
    Crypto map tag: outside_map, seq num: 10, local addr: 140.32.132.73

      access-list outside_1_cryptomap permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 6.7.0.13

      #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 219, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 140.32.132.73, remote crypto endpt.: 6.7.0.13

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8DB6DD98

    inbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/27701)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 45056, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373989/27700)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

NPS-ASA5510#

=============================================================================================================

!! SHOW LOGGING LOCAL 5520!!

YPG-ASA5520-1# show logging
Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: level debugging, 2643514 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 430134 messages logged
loads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-713236: IP = 140.32.132.73, IKE_DECODE RECEIVED Message (msgid=175ac1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing hash payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing notify payload
%ASA-7-715075: Group = 140.32.132.73, IP = 140.32.132.73, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x224afcec)
%ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
%ASA-7-714003: IP = 140.32.132.73, IKE Responder starting QM: msg id = f0915402
%ASA-7-713236: IP = 140.32.132.73, IKE_DECODE RECEIVED Message (msgid=f0915402) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 168
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing hash payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing SA payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing nonce payload
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing ID payload
%ASA-7-714011: Group = 140.32.132.73, IP = 140.32.132.73, ID_IPV4_ADDR_SUBNET ID received--10.10.40.0--255.255.255.0
%ASA-7-713035: Group = 140.32.132.73, IP = 140.32.132.73, Received remote IP Proxy Subnet data in ID Payload:   Address 10.10.40.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 140.32.132.73, IP = 140.32.132.73, processing ID payload
%ASA-7-714011: Group = 140.32.132.73, IP = 140.32.132.73, ID_IPV4_ADDR_SUBNET ID received--10.10.10.0--255.255.255.0
%ASA-7-713034: Group = 140.32.132.73, IP = 140.32.132.73, Received local IP Proxy Subnet data in ID Payload:   Address 10.10.10.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 140.32.132.73, IP = 140.32.132.73, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, checking map = outside_map, seq = 1...
%ASA-7-713222: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, map = outside_map, seq = 1, ACL does not match proxy IDs src:10.10.40.0 dst:10.10.10.0
%ASA-7-713221: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, checking map = outside_map, seq = 2...
%ASA-7-713222: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, map = outside_map, seq = 2, ACL does not match proxy IDs src:10.10.40.0 dst:10.10.10.0
%ASA-7-713221: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, checking map = outside_map, seq = 3...
%ASA-7-713222: Group = 140.32.132.73, IP = 140.32.132.73, Static Crypto Map check, map = outside_map, seq = 3, ACL does not match proxy IDs src:10.10.40.0 dst:10.10.10.0
%ASA-3-713061: Group = 140.32.132.73, IP = 140.32.132.73, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.10.40.0/255.255.255.0/0/0 local proxy 10.10.10.0/255.255.255.0/0/0 on interface outside
%ASA-7-713906: Group = 140.32.132.73, IP = 140.32.132.73, sending notify message
%ASA-7-715046: Group = 140.32.132.73, IP = 140.32.132.73, constructing blank hash payload
%ASA-7-715046: Group = 140.32.132.73, IP = 140.32.132.73, constructing qm hash payload
%ASA-7-713236: IP = 140.32.132.73, IKE_DECODE SENDING Message (msgid=2150743a) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 224
%ASA-3-713902: Group = 140.32.132.73, IP = 140.32.132.73, QM FSM error (P2 struct &0xcd208978, mess id 0xf0915402)!
%ASA-7-715065: Group = 140.32.132.73, IP = 140.32.132.73, IKE QM Responder FSM error history (struct &0xcd208978)  , :  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
%ASA-7-713906: Group = 140.32.132.73, IP = 140.32.132.73, sending delete/delete with reason message
%ASA-3-713902: Group = 140.32.132.73, IP = 140.32.132.73, Removing peer from correlator table failed, no match!
YPG-ASA5520-1#
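The two show crypto ipsec sa outputs above carry the whole diagnosis once read side by side: the proxies are mirrored, each peer's outbound SPI is the other's inbound SPI, both encaps counters climb, and both decaps counters stay at zero. The script below is an added example (not code from the thread or from Cisco) that parses that output from both ends and names the failure pattern; the SA text is a constructed, trimmed excerpt of the two outputs posted above, and the field and function names are mine.

```python
"""Compare 'show crypto ipsec sa' output from both ends of an L2L tunnel.

Added example, not from the thread. Parses proxy identities, SPIs and
encaps/decaps counters from both peers' output and reports why traffic is
not flowing: unmirrored proxies, SPIs that do not pair up, or ESP that is
sent by each side and received by neither, the signature of a transit path
dropping IP protocol 50.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class SaSummary:
    local_endpoint: str   # "local crypto endpt." (this ASA's outside address)
    remote_endpoint: str  # "peer address" (the other ASA)
    local_ident: str      # local proxy as addr/mask
    remote_ident: str     # remote proxy as addr/mask
    encaps: int           # packets this ASA encrypted and sent
    decaps: int           # packets this ASA received and decrypted
    inbound_spi: str
    outbound_spi: str


def parse_ipsec_sa(text: str) -> SaSummary:
    """Pull the fields that matter out of one 'show crypto ipsec sa peer X' output."""
    def grab(pattern: str, cast=str):
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError(f"field not found in SA output: {pattern}")
        return cast(m.group(1))

    return SaSummary(
        local_endpoint=grab(r"local crypto endpt\.: (\S+),"),
        remote_endpoint=grab(r"^peer address: (\S+)"),
        local_ident=grab(r"local ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
        remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/"),
        encaps=grab(r"#pkts encaps: (\d+)", int),
        decaps=grab(r"#pkts decaps: (\d+)", int),
        inbound_spi=grab(r"inbound esp sas:\s+spi: 0x([0-9A-Fa-f]+)").upper(),
        outbound_spi=grab(r"outbound esp sas:\s+spi: 0x([0-9A-Fa-f]+)").upper(),
    )


PROXY_MISMATCH = "proxy identities are not mirrored between the peers"
SPI_MISMATCH = "SPIs do not pair up; the peers are not holding the same SAs"
ESP_LOST_BOTH_WAYS = ("both peers encrypt but neither decrypts: ESP leaves each ASA "
                      "and never arrives at the other, so something in the path drops it")


def diagnose(a: SaSummary, b: SaSummary) -> List[str]:
    """Return findings for one SA pair; an empty list means it looks healthy."""
    findings: List[str] = []
    if (a.local_ident, a.remote_ident) != (b.remote_ident, b.local_ident):
        findings.append(PROXY_MISMATCH)
    if a.outbound_spi != b.inbound_spi or b.outbound_spi != a.inbound_spi:
        findings.append(SPI_MISMATCH)
    if a.encaps > 0 and a.decaps == 0 and b.encaps > 0 and b.decaps == 0:
        findings.append(ESP_LOST_BOTH_WAYS)
    else:
        # One-way loss: one side sends, the other never sees it.
        for tx, rx in ((a, b), (b, a)):
            if tx.encaps > 0 and rx.decaps == 0:
                findings.append(f"ESP from {tx.local_endpoint} is not reaching {rx.local_endpoint}")
    return findings


# Constructed, trimmed excerpts of the two outputs posted in the thread.
HUB_SA = """\
peer address: 140.32.132.73
    Crypto map tag: outside_map, seq num: 3, local addr: 6.7.0.13
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      #pkts encaps: 283, #pkts encrypt: 283, #pkts digest: 283
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 6.7.0.13, remote crypto endpt.: 140.32.132.73
    inbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
    outbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
"""

SPOKE_SA = """\
peer address: 6.7.0.13
    Crypto map tag: outside_map, seq num: 10, local addr: 140.32.132.73
      local ident (addr/mask/prot/port): (10.10.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      #pkts encaps: 219, #pkts encrypt: 219, #pkts digest: 219
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 140.32.132.73, remote crypto endpt.: 6.7.0.13
    inbound esp sas:
      spi: 0xC0D8CF16 (3235434262)
    outbound esp sas:
      spi: 0x8DB6DD98 (2377571736)
"""

if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(HUB_SA), parse_ipsec_sa(SPOKE_SA)):
        print(finding)
```

Because IKE runs over UDP/500 while the data travels as ESP, a path that forwards UDP but drops protocol 50 produces exactly this picture: phase 1 and phase 2 complete, the tunnel shows as up, and every counter except decaps moves. That is the condition the TAC case at the end of the thread confirmed, and the check above separates it from a proxy or SPI problem, which would show up in the logs as the 713061 rejection seen earlier rather than as silent zero decaps.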

Re: VPN Tunnel up, But cannot ping across it??

Add the line

access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.40.0 255.255.255.0

on the 5520.

Thanks

Manish

Community Member

Re: VPN Tunnel up, But cannot ping across it??

I added it; still doesn't work. 10.10.40.0/24 is an old subnet that we are no longer using. The equipment is now on 10.10.50.0/24.

Re: VPN Tunnel up, But cannot ping across it??

OK, if you are not using it then remove it from both ASAs, and remove the crypto maps on both sides and reapply them.

Make sure you do that with a downtime request, as removing and reapplying the crypto map will stop all tunnels.

Thanks

Manish

Cisco Employee

Re: VPN Tunnel up, But cannot ping across it??

Hi,

To clean up the situation a bit (as you have made many changes so far), can you please attach (not copy-paste) the following:

1- configuration of both peers

2- topology, including peers and the hosts you are pinging from and to

3- show crypto ipsec sa peer from both ASAs

After that we will proceed with the troubleshooting.

Stefano

Community Member

Re: VPN Tunnel up, But cannot ping across it??

I currently do not have access to the computer needed to get this information. I will post as soon as I have access. I am pretty sure I have found the problem. It doesn't appear the packets are getting sent across the right VPN. There are multiple VPNs on the 5520, and the ACL list has multiple ACLs trying to push the same 10.10.10.0/24 subnet (please see the show run above). Do you think it would help to isolate the ACLs with the 10.10.10.0/24s to a single 10.10.10.0 address and make it a /32?

Community Member

Re: VPN Tunnel up, But cannot ping across it??

Here is the file you requested. Your help in this is greatly appreciated.

Also, when I initiate a ping I notice on the IPsec SA that

#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14 will increase,

but the #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0, #pkts compressed: 0, #pkts decompressed: 0 do not increase.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

Anyone see anything out of the ordinary in the config??

Cisco Employee

Re: VPN Tunnel up, But cannot ping across it??

The configuration looks fine, though I see you do not have mirrored ACLs, so you might want to go back to a proper config:

1- on remote ASA5520

no access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0

The only thing I can think of is that there is a NAT device in the middle.

Can you enable NAT-T on both ASAs:

ASA(config)#crypto isakmp nat-traversal

If it does not work, please open a TAC case so we can investigate further.

Community Member

Re: VPN Tunnel up, But cannot ping across it??

I opened up a TAC case; they found that somewhere in the ISP connection between the two ASAs the ESP protocol is being dropped. Thanks for your help with this. I will consult with my ISP technicians to try to solve this problem.

Cisco Employee

Re: VPN Tunnel up, But cannot ping across it??

Great, hope our suggestions helped.

Stefano
