Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2126
Views
0
Helpful
5
Replies

VPN Phase 2 complete but LAN traffic doesn't pass

imuonagor
Level 1
Level 1

‎08-07-2011 01:01 AM

Just setup a site to site vpn between 2 ASA 5520 Firewalls in two locations but vpn doesn't work even though i see phase 2 completed on the logs. I can't ping across the LANs. Any ideas why this happens?

2 people had this problem
Labels:
0 Helpful
5 Replies 5

tj.mitchell
Level 4
Level 4

‎08-07-2011 01:47 PM

This usually happens because the traffic is being natted over the tunnel. Did you create the NoNat list for each side?

Sent from Cisco Technical Support iPad App

0 Helpful

jyothydas
Level 1
Level 1
In response to tj.mitchell

‎08-09-2011 02:04 AM

You have ACL set correctly? And hope you also have an ACL for icmp ( jus IP traffic wont work)

0 Helpful

Adam Handley
Level 1
Level 1

‎07-25-2014 06:01 AM

Hi,

Did you ever find a resolution for this problem? I am having the exact same issue at the moment with a ASA 5510 and a ASA 5505. Phase 2 is complete but i am unable to send any traffic over the tunnel.

Thanks

Adam

 

0 Helpful

Sheraz.Salim
VIP
VIP

‎02-23-2016 03:41 PM

i have the same problem who did you fix this issue?

please do not forget to rate.
0 Helpful

David Castro F.
Spotlight
Spotlight

‎03-06-2016 11:43 AM

Hello Imuonagor,

Could you plz share the run configs of both ASAs?, there a big set up of things that you should checked to make sure the traffic is allowed to go through, you may run a packet tracer, in order to see how the packet traverses and make sure that there is not a NAT statement translating your Source IPs to the interface or to another IPs, for example:

Local Side IP: 10.10.10.10

Remote Side IP: 192.168.1.20

packet-tracer input <Interface-name> icmp 10.10.10.10 8 0 192.168.1.20 detailed

Also make sure there is not an inbound acl applied to the originating interface (access-group), if there is one, add an acl to allow it, for testing purposes you may use the "Management-access <Interface-name>" command to allow an interface to ping across the VPN, after that an example:

- ping inside 192.168.1.20

If you can provide the running configs and the packet tracer, possibly this is NAT exemption what you are missing,

Please proceed to rate and mark as correct this post if it helped you, keep me posted!

Regards,


David Castro,

0 Helpful
Customers Also Viewed These Support Documents