
ACL on Site 2 Site VPN

nomis8831
Level 1

Hi, we had an issue last week that Rob Ingram helped with; however, that went wrong about two days later for some unknown reason, so I ended up recreating the tunnel. I think I have an issue; can someone confirm that what I am seeing is the wrong thing?

Like last time, the tunnel is up but no data is going across the VPN. It's not the same issue as it was last time, but looking at the IPSec side I'm seeing that the access list is using the external IPs and not the internal IPs:

sh crypto ipsec sa peer 2.2.2.2
peer address: 2.2.2.2
Crypto map tag: Outside_map, seq num: 3, local addr: 1.1.1.1

access-list OO_temp_Outside_map3 extended permit ip host 1.1.1.1 host 2.2.2.2
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 2.2.2.2

If I do #sh run access-list OO_temp_Outside_map3, nothing is returned; however, there is an active ACL in the list. If I do #sh run access-list Outside_cryptomap_2, this is returned, and that is correct:
access-list Outside_cryptomap_2 extended permit IP object VLAN_Server_LAN object WBTC_Network

So how do I get rid of the OO_temp_Outside_map3 and get the VPN to use the Outside_cryptomap_2 ACL?

Thanks, Simon

Hi,

Are you natting over the VPN tunnel?

Can you provide the full configuration, the full output of "show nat detail" and "show crypto ipsec sa"?

Hello again, Rob,

I can send you a full config with the real IPs and passwords sanitized, if that helps; I'm just not keen on posting it directly. In the meantime, I have attached the requested output.

Simon

OK send me a private message with your configuration and I'll have a look.

From the information you provided, the IPSec SA might appear to have been formed, but there are no encaps|decaps.

This OO_temp_ crypto map seems to relate to your "originate-only" configuration defined under the crypto map. Can you remove that configuration (for testing at least)?

no crypto map Outside_map 3 set connection-type originate-only

Reference:

https://community.cisco.com/t5/vpn/ipsec-l2l-tunnel-hangs-until-cleared-has-second-sa/td-p/2721852

Bug/Resolution:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCse30102
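To make the symptom in this reply checkable, here is an added example script; it is not from the thread or from Cisco. It parses "show crypto ipsec sa" output into one record per crypto map entry and flags an OO_temp_ ACL, proxy identities that are the peers' outside addresses as /32 hosts rather than inside networks, and an SA whose encaps/decaps counters are both zero. The sample output is constructed from the one posted above with counter lines added, and the expected inside subnets passed to check_sa are placeholders, since the thread only names the objects VLAN_Server_LAN and WBTC_Network.

```python
import re
from ipaddress import ip_network
# Constructed sample modelled on the thread's "show crypto ipsec sa peer" output, plus #pkts encaps/decaps lines
SAMPLE_SA = """\
peer address: 2.2.2.2
    Crypto map tag: Outside_map, seq num: 3, local addr: 1.1.1.1
      access-list OO_temp_Outside_map3 extended permit ip host 1.1.1.1 host 2.2.2.2
      local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def _grab(pattern, text, default=""):
    m = re.search(pattern, text)
    return m.group(1) if m else default
def _ident(kind, text):
    # "(addr/mask/prot/port)" with a dotted mask -> ip_network
    m = re.search(kind + r" ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", text)
    return ip_network(f"{m.group(1)}/{m.group(2)}", strict=False) if m else None

def parse_ipsec_sa(text):
    sas = []
    for chunk in re.split(r"(?m)^(?=[ \t]*Crypto map tag:)", text):
        if "Crypto map tag:" not in chunk:
            continue
        sas.append({
            "local_addr": _grab(r"local addr: (\S+)", chunk),
            "peer": _grab(r"current_peer: (\S+)", chunk),
            "acl": _grab(r"access-list (\S+) ", chunk),
            "local_ident": _ident("local", chunk),
            "remote_ident": _ident("remote", chunk),
            "encaps": int(_grab(r"#pkts encaps: (\d+)", chunk, "0")),
            "decaps": int(_grab(r"#pkts decaps: (\d+)", chunk, "0")),
        })
    return sas

def check_sa(sa, expected_local, expected_remote):
    # findings for one SA; an empty list means proxy IDs and counters look healthy
    f = []
    if sa["acl"].startswith("OO_temp_"):
        f.append(f"{sa['acl']} is the auto-generated originate-only ACL, not the intended crypto ACL")
    if sa["local_ident"] == ip_network(sa["local_addr"] + "/32") or sa["remote_ident"] == ip_network(sa["peer"] + "/32"):
        f.append("proxy IDs are the outside peer addresses as /32 hosts, not the inside networks")
    if (sa["local_ident"], sa["remote_ident"]) != (ip_network(expected_local), ip_network(expected_remote)):
        f.append(f"proxy IDs {sa['local_ident']} <-> {sa['remote_ident']} differ from expected {expected_local} <-> {expected_remote}")
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        f.append("SA is up but has encapsulated and decapsulated 0 packets")
    return f
```

Pass the real subnets behind VLAN_Server_LAN and WBTC_Network as expected_local and expected_remote; an empty result from check_sa means the SA negotiated the intended identities and is carrying traffic.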

Hi Rob, did that; as soon as I remove it, the tunnel is dropped (closed). Added it back in, and the tunnel state changed to open, but I am still unable to ping the DC from the remote site.

Simon

Now the tunnel has re-established can you provide the output of "show crypto ipsec sa" please.

Hi Rob, is that with or without the "crypto map Outside_map 3 set connection-type originate-only" in place or removed?

Simon

Without please