Cisco Support Community
Community Member

VPN end to end communication problem 887w/PIX

Hi All,

We have several Home Workers who establish a VPN tunnel to a PIX using a mixture of 871/877/851 routers.

We've just replaced a single user's failed 877w with an 887w, who is now unable to establish end to end communication through the VPN tunnel. The PIX is located at our main office ( with this particular user's 887w located at his house ( All other traffic inbound/outbound is established normally.

The IPSec tunnel is established successfully and I can ping from/to the Main Office to the User's Router (, however I cannot ping past the user's router (both directions). It suggests an Access List problem with the Crypto Map statement, but I cannot for the life of me see any problem with the config.

I've listed a copy of the 887 config below and would appreciate any help. ACL 102 is the NAT list specifically denying IPSec Interesting traffic but allowing other traffic. ACL 103 is matching interesting traffic from the User's source to Main Office. The PIX side remains unchanged and follows the same config that all other Tunnels are established on.



logging buffered 4096
enable secret 5 $1$s9Ps$BviAwMjwn3Kn7BC4pGQG2.
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-411178974
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-411178974
revocation-check none
rsakeypair TP-self-signed-411178974
crypto pki certificate chain TP-self-signed-411178974
certificate self-signed 01
no ip source-route
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool vlan1
   import all
   lease 7
ip cef
no ip bootp server
ip domain name
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sip
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ipv6 cef
license udi pid CISCO887W-GN-E-K9 sn FCZ1441C2FK
log config
username privilege 15 password 7 0823494202100B
ip ssh time-out 60
ip ssh authentication-retries 2
class-map match-any VOIP_Traffic_Class
match ip precedence 5
policy-map Voip_Policy
class VOIP_Traffic_Class
    priority 40
class class-default
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key DynamicHomeU5er5 address 83.x.x.x
crypto ipsec transform-set dyn-set esp-3des esp-sha-hmac
crypto map dyn 10 ipsec-isakmp
description Tunnel to83.x.x.x
set peer 83.x.x.x
set transform-set dyn-set
set pfs group2
match address 103
bridge irb
interface BRI0
no ip address
encapsulation hdlc
isdn termination multidrop
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip accounting access-violations
ip virtual-reassembly
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description $ES_WAN$
ip address dhcp
ip access-group 101 in
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
atm route-bridged ip
crypto map dyn
pvc 0/101
  vbr-nrt 488 488
  oam-pvc manage
  encapsulation aal5snap
  service-policy out Voip_Policy
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered BVI1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
interface Vlan1
no ip address
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
ip address
ip dns view-group myco_viewlist
ip nat inside
ip virtual-reassembly
ip forward-protocol nd
ip http server
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip dns view myco
domain name-server
domain name-server
dns forwarder
dns forwarder
dns forwarding source-interface BVI1
ip dns view default
domain name-server
domain name-server
dns forwarder
dns forwarder
dns forwarding source-interface BVI1
ip dns view-list default
ip dns view-list myco_viewlist
view myco 5
  restrict name-group 10
view default 10
ip dns name-list 10 permit .*
ip dns name-list 10 permit .*
ip dns server
ip nat inside source list 102 interface ATM0.1 overload
ip route dhcp
access-list 101 remark Incoming Firewall
access-list 101 permit udp host eq ntp any eq ntp
access-list 101 permit udp host 83.x.x.x any eq non500-isakmp
access-list 101 permit udp host 83.x.x.x any eq isakmp
access-list 101 permit esp host 83.x.x.x any
access-list 101 permit ahp host 83.x.x.x any
access-list 101 permit ip
access-list 101 permit ip host 83.x.x.x any
access-list 101 permit udp host eq domain any gt 1023
access-list 101 permit udp host eq domain any gt 1023
access-list 101 permit udp any any eq bootpc
access-list 101 permit udp any any eq bootps
access-list 101 permit udp any any eq domain
access-list 102 remark NAT Rule
access-list 102 deny   ip
access-list 102 permit ip any
access-list 103 remark IPSec Rule to Cyrpto Map
access-list 103 permit ip
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CCCCCCAuthorized access onhorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
logging synchronous
no modem enable
transport output telnet
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 070D2440450017
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server

Cisco Employee

Re: VPN end to end communication problem 887w/PIX


It would be nice to do a ping that fails from the LAN, then from the hub, and then check "show crypto ipsec sa" to see if we have encaps and/or decaps increasing. For example, try to send 100 packets with timeout 0 so you can quickly check the counters that increased by 100.

If you suspect an ACL issue, you can also take a "show access-list 103" and see if the counters increase. You can add an explicit deny ip any any as the last line of the ACL to see that counter.

You are probably running a recent IOS, so you can also search for drops in CEF using "show ip cef switching statistics" and "show ip cef switching statistics feature".

Also, why did you add your vlan interface in a bridge group? I'm actually not sure if this is supported, you could try to use the vlan interface directly.
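
The counter check suggested in the reply above, as an added example that is not part of the original thread: it compares two "show crypto ipsec sa" snapshots taken before and after a 100-packet ping and reports which direction stopped counting. The sample output is constructed with documentation addresses, and the function names and verdict wording are assumptions made for this illustration.

```python
import re

# Constructed "show crypto ipsec sa" excerpts (documentation addresses, not
# taken from the thread), captured before and after a 100-packet LAN ping.
BEFORE = """\
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
   current_peer 203.0.113.1 port 500
    #pkts encaps: 12, #pkts encrypt: 12, #pkts digest: 12
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
"""
AFTER = BEFORE.replace("encaps: 12", "encaps: 112")  # only encaps moved

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sas(text):
    """Return {(local_ident, remote_ident): {'encaps': n, 'decaps': n}}."""
    sas, ident, key = {}, {}, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            ident[m.group(1)] = m.group(2)
            if m.group(1) == "remote":  # remote ident closes the SA header
                key = (ident.get("local"), ident["remote"])
                sas[key] = {"encaps": 0, "decaps": 0}
            continue
        for name, value in COUNTER.findall(line):
            if key is not None:
                sas[key][name] = int(value)
    return sas


def diagnose(before, after, sent=100):
    """Per SA, return (encaps delta, decaps delta, verdict) for the test ping."""
    old, report = parse_sas(before), {}
    for key, now in parse_sas(after).items():
        was = old.get(key, {"encaps": 0, "decaps": 0})
        d_enc, d_dec = now["encaps"] - was["encaps"], now["decaps"] - was["decaps"]
        if d_enc < sent:
            verdict = "not encrypted locally: check crypto ACL and NAT exemption"
        elif d_dec < sent:
            verdict = "encrypted, replies not decrypted: check far end and return path"
        else:
            verdict = "both directions counted in the tunnel"
        report[key] = (d_enc, d_dec, verdict)
    return report
```
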


