08-17-2020 03:00 AM
Hi, we had an issue last week that Rob Ingram helped with; however, that went wrong about two days later for some unknown reason, so I ended up recreating the tunnel and I think I have an issue. Can someone confirm that what I'm seeing is the wrong thing?
Like last time, the tunnel is up but no data is going across the VPN. It's not the same issue as last time, but looking at the IPsec side I'm seeing that the access list is using the external IPs and not the internal IPs:
sh crypto ipsec sa peer 2.2.2.2
peer address: 2.2.2.2
Crypto map tag: Outside_map, seq num: 3, local addr: 1.1.1.1
access-list OO_temp_Outside_map3 extended permit ip host 1.1.1.1 host 2.2.2.2
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 2.2.2.2
If I do: #sh run access-list OO_temp_Outside_map3, nothing is returned; however, there is an active ACL in the list. If
I do: #sh run access-list Outside_cryptomap_2, this is returned and that is correct:
access-list Outside_cryptomap_2 extended permit IP object VLAN_Server_LAN object WBTC_Network
So how do I get rid of the OO_temp_Outside_map3 and get the VPN to use the Outside_cryptomap_2 ACL?
Thanks, Simon
08-17-2020 05:41 AM
This OO_temp_ crypto map seems to relate to your "originate-only" configuration defined under the crypto map. Can you remove that configuration (for testing at least)?
no crypto map Outside_map 3 set connection-type originate-only
Reference:-
https://community.cisco.com/t5/vpn/ipsec-l2l-tunnel-hangs-until-cleared-has-second-sa/td-p/2721852
Bug/Resolution:-
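A check that can be scripted from the output posted above, added here as an example that is not from the thread or from Cisco: parse "show crypto ipsec sa" output and flag SAs whose negotiated proxy identities are the tunnel endpoints' own /32 addresses (or that use an auto-generated OO_temp_ ACL), which is exactly the symptom Simon posted. The sample output is constructed from the thread's own lines; the field layout is assumed to match the ASA output shown there.

```python
import re

# Constructed sample, modelled on the thread's "sh crypto ipsec sa peer" output.
SAMPLE = """\
peer address: 2.2.2.2
    Crypto map tag: Outside_map, seq num: 3, local addr: 1.1.1.1

      access-list OO_temp_Outside_map3 extended permit ip host 1.1.1.1 host 2.2.2.2
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      current_peer: 2.2.2.2
"""

def parse_ipsec_sa(text):
    """Return one dict per SA block with the fields needed for the check."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)", line)
        if m:  # a new SA block starts at the crypto map line
            cur = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"access-list (\S+) ", line)
        if m:
            cur["acl"] = m.group(1)
        m = re.match(r"(local|remote) ident .*?: \(([^/]+)/([^/]+)/", line)
        if m:  # (address, mask) of the negotiated proxy identity
            cur[m.group(1) + "_ident"] = (m.group(2), m.group(3))
        m = re.match(r"current_peer: (\S+)", line)
        if m:
            cur["peer"] = m.group(1)
    return sas

def find_endpoint_only_sas(sas):
    """Flag SAs that protect only endpoint-to-endpoint traffic instead of the LANs."""
    host = "255.255.255.255"
    findings = []
    for sa in sas:
        reasons = []
        if sa.get("acl", "").startswith("OO_temp_"):
            reasons.append("auto-generated OO_temp_ ACL in use")
        if (sa.get("local_ident") == (sa["local_addr"], host)
                and sa.get("remote_ident") == (sa.get("peer"), host)):
            reasons.append("proxy IDs are the public endpoints, not internal subnets")
        if reasons:
            findings.append((sa["map"], sa["seq"], reasons))
    return findings
```

Running find_endpoint_only_sas(parse_ipsec_sa(SAMPLE)) on the constructed sample reports Outside_map seq 3 with both reasons; an SA whose identities are the internal subnets produces no finding.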
08-17-2020 03:07 AM
Hi,
Are you natting over the VPN tunnel?
Can you provide the full configuration, the full output of "show nat detail" and "show crypto ipsec sa"
08-17-2020 04:08 AM
08-17-2020 04:18 AM
08-17-2020 05:56 AM
Hi Rob, did that; as soon as I remove it, the tunnel is dropped (closed). Added it back in and the tunnel state changed to open, but I'm still unable to ping the DC from the remote site.
Simon
08-17-2020 06:17 AM
08-17-2020 06:23 AM
Hi Rob, is that with "crypto map Outside_map 3 set connection-type originate-only" in place, or removed?
Simon
08-17-2020 06:25 AM