The VPN tunnel can fail to come up on the router if traffic hits the deny ip any any statement before the permit statements in the access-group bound to the outside interface.
Once the traffic reaches the outside interface of the router, the router checks it against the access-group. If the deny statement comes before the permit statements, the router drops the packet even if interesting traffic is permitted in the permit statement.
In order to resolve this issue, make sure that permit statements come before the deny ip any any statement in the access-group bound to the outside interface.
Here are a few other common reasons:
The wrong IP address is configured in the pre-share key or crypto map.
The crypto map is not bound to the outside interface.
There are mis-matched access control lists on the peers.
I am converting a existing ASA to FMC/FTD (6.4) and using the Firepower migration tool (v. 1.3.1-3051). During the "review and validation" I am wanting to change the mgmt IP (Diagnostic1/1) so that it doesn't overlap with the existing production ASA...
HiI run an MPLS backbone and try to find a way to implement Cisco GET VPN.For historical reasons, we have MPLS running on the CE devices at the customer site. That means the whole path from the customer site A, through our core till customer site B is MPL...
Have run through the steps on the EVE support site. Sometimes the device gets an IP and the GUI comes up, but will not allow me to login.Sometimes the device does not get an IP at all. I'm running the lab from my PC which is an i7 with 16GB of RAM and a 1...
Hello;I have a CISCO asa 5505 running on 9.2.4(27) and it is working with lots of configurations. I want to downgrade to the recommended version 9.1.7(32) interim. what is the procedure to do this?Can I simply put this version disk o disk0:/ and repl...
I decided to post something that may be useful to others looking at the Single Click Sponsor Portal Functionality in ISE 2.2+. I had a weird issue in our environment where some sponsors were able to use the tokenized single-click link from their ema...