Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Site to Site VPN Tunnel

Hello Everyone,

I'm hoping someone will be able to help me figure out an issue that I'm having. I'm sure it's something simple that I'm missing.  What I have is a site to site vpn tunnel between a Cisco 2801 and a Cisco 1841 router.  The tunnel itself is up and running without a problem.  My issue is that I am unable to get traffic across the tunnel between the two sites.  For instance, I try to ping a computer in Site B from Site A and I get no response.  Try to run a tracert in Windows and it drops off at the router and goes no where.

Any ideas on what I may be missing?  I know the configuration information will help so let me know which pieces you'll need to see for that.

Regards,

Jason

Everyone's tags (5)
4 REPLIES

Re: Site to Site VPN Tunnel

Jason,

Check on both routers the output of the command ''sh cry ips sa''

Sometimes one side is encrypting packets but the other side is not, so that will let us know where the problem is.

Also, if you cannot pass traffic through the tunnel, normally is one of this problems.

- check the routing

- check that you're bypassing NAT for the interesting traffic (in case you're doing NAT)

- check that the default gateway for the internal LANs on both sides are the respective routers

- check that ESP and ISAKMP 500 and ISAKMP 4500 are not being blocked.

Federico.

Re: Site to Site VPN Tunnel

Hi Jason,

Check the ISAKMP first phase "sh cry isa sa" and second phase "sh cry ipsec sa"

Phase1:

* Assuming you use preshared key, make sure the remote VPN peer IP address and key match between two VPN device configuration
* Check the Phase 1 VPN tunnel up/down status between two sites. In Cisco equipment, you can issue the show crypto isakmp sa command or feature which will show the up/down tunnel status between local VPN peer IP address and remote VPN peer IP address.
* Issue simple connection test to the remote site (the remote VPN peer IP address) such as ICMP ping and traceroute (whenever possible)
* Reboot one or both VPN devices sometime might solve VPN connectivity issue

Phase2:

* Make sure the data source and destination IP addresses or subnets match the regulating access list
* Check the data passing process between the two sites. In Cisco equipment, you can issue the show crypto ipsec sa command or feature which will show the SA (Security Association) between encrypted traffic (outgoing data) and decrypted traffic (incoming data)

Regards,

Naidu.

New Member

Re: Site to Site VPN Tunnel

I have a new tidibit to add that I just noticed as I was gathering some more information together.  The status of the tunnel comes up saying that it is UP-ID

LE, not UP-ACTIVE.

Thoughts?

I'm working on cleaning up the configs in terms of blanking out some info that's not pertinent and will post those shortly.

Jason

Re: Site to Site VPN Tunnel

Hi

Can you post the ACL that you configured in both router for intresting traffic and if you.

Regards

Chetan kumar

12706
Views
0
Helpful
4
Replies
CreatePlease to create content