Hi, we had an issue last week that Rob Ingram helped with; however, it went wrong again about two days later for some unknown reason, so I ended up recreating the tunnel and I think I have an issue. Can someone confirm that what I am seeing is the wrong thing?
Like last time, the tunnel is up but no data is going across the VPN. It's not the same issue as last time, but looking at the IPsec side I'm seeing that the access list is using the external IPs and not the internal IPs:
sh crypto ipsec sa peer 2.2.2.2
peer address: 2.2.2.2
Crypto map tag: Outside_map, seq num: 3, local addr: 1.1.1.1
access-list OO_temp_Outside_map3 extended permit ip host 1.1.1.1 host 2.2.2.2
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 2.2.2.2
If I do: # sh run access-list OO_temp_Outside_map3, nothing is returned. However, there is an active ACL in the list: if
I do: # sh run access-list Outside_cryptomap_2, this is returned, and that is correct:
access-list Outside_cryptomap_2 extended permit IP object VLAN_Server_LAN object WBTC_Network
So how do I get rid of the OO_temp_Outside_map3 and get the VPN to use the Outside_cryptomap_2 ACL?
Thanks, Simon
Hi,
Are you NATting over the VPN tunnel?
Can you provide the full configuration and the full output of "show nat detail" and "show crypto ipsec sa"?
This OO_temp_ crypto map seems to relate to your "originate-only" configuration defined under the crypto map. Can you remove that configuration (for testing at least)?
no crypto map Outside_map 3 set connection-type originate-only
Reference:-
https://community.cisco.com/t5/vpn/ipsec-l2l-tunnel-hangs-until-cleared-has-second-sa/td-p/2721852
Bug/Resolution:-
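As an added illustration of the suggestion above (not posted by Rob or Simon, and not from the thread's original configuration), this is the sequence a practitioner would run on the ASA to remove the originate-only setting and then verify which ACL the IPsec SA is actually negotiated from. The crypto map name, sequence number, peer address and ACL/object names are the ones quoted in the thread; "| include" filtering and the "clear crypto ipsec sa peer" command are standard ASA CLI, but which one is appropriate in a given change window is an assumption on the reader's part.

```text
! 1. Confirm what crypto map entry 3 references before changing anything
show running-config crypto map | include Outside_map 3

! 2. Apply the suggestion: drop the originate-only connection type on entry 3
configure terminal
 no crypto map Outside_map 3 set connection-type originate-only
end

! 3. Tear down the existing SAs to this peer so the next interesting
!    traffic (e.g. a ping from the server LAN to the DC) renegotiates them
clear crypto ipsec sa peer 2.2.2.2

! 4. Re-check the SA. The check that matters is the access-list line and the
!    local/remote ident lines: they should now reflect the real crypto ACL,
!    i.e. Outside_cryptomap_2 with the VLAN_Server_LAN and WBTC_Network
!    ranges, not an OO_temp_ ACL with the two /32 peer addresses.
show crypto ipsec sa peer 2.2.2.2 | include access-list
show crypto ipsec sa peer 2.2.2.2 | include ident
```

If the ident lines still show the 1.1.1.1/32 and 2.2.2.2/32 peer addresses after the change, the SA was not rebuilt from Outside_cryptomap_2, and the full "show running-config crypto map" and "show nat detail" output requested above is the next thing to collect.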
Hi Rob, I did that; as soon as I removed it, the tunnel (closed) was dropped. I added it back in, the tunnel state changed to open, but I am still unable to ping the DC from the remote site.
Simon
Hi Rob, is that with the "crypto map Outside_map 3 set connection-type originate-only" line in place, or removed?
Simon