I have a Cisco 1721 connected to a cable modem, and forming a site to site VPN tunnel with an ASA 5505. I was using EZVPN. A couple of days ago, traffic stopped passing through the tunnel, although the tunnel was up. I tried setting it up as a straight LAN to LAN, and still the same problem. I even changed where it terminated, from an ASA to a concentrator on a different ISP, and the exact same result: tunnel shows up/up, the concentrator shows bytes in both directions, no errors, but just no traffic. I have tried several different encr/hashing methods and no change. The ASA and 3k concentrator are working, as I can connect using the client w/o an issue. The weird thing is the 1721 is not using a hardware crypto card, so it's ALL in software, and other than the VPN problem it is passing traffic normally. I also doubt the ISP just randomly started blocking VPN traffic, especially since the tunnel comes up. Anyone seen this before or have an idea as to what the problem could be, or is it just likely the 1721's crypto engine is bad/corrupt? It is running 12.4 Advanced Security.
It would be useful to get some outputs from the ASA and the router, like the show crypto isakmp sa detail and the show crypto ipsec sa detail from each. Also remember that the fact that the VPN is established does not really mean all is fine: ISAKMP establishment works on UDP 500, and encrypted traffic flows over the ESP protocol, which is a portless protocol. In the case where NAT-T is enabled, then you can be certain that once phase 1 is up, phase 2 should pass, as both use UDP 4500 after NAT is detected.
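The reply above makes a point worth turning into a check: IKE negotiating on UDP/500 proves nothing about whether IP protocol 50 (ESP) actually crosses the path, whereas with NAT-T both ride UDP/4500 together. The script below is an added illustration, not code from the thread or from Cisco; it parses flow records in a constructed, simplified format (direction, IP protocol, ports, bytes) and reduces them to a verdict such as "IKE seen, no ESP at all" or "ESP sent but never received", which is the pattern to look for on a packet capture or firewall counters when a tunnel shows up/up but carries no data.

```python
"""Added example (not from the thread): classify IPsec-related flows and flag the
"tunnel up but no data" pattern.

Input is a constructed, simplified flow-record format, one record per line:
    <direction> <ip-protocol> <src-port> <dst-port> <bytes>
where direction is "in" or "out" and ports are "-" for portless protocols.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

IP_PROTO_UDP = 17
IP_PROTO_ESP = 50      # ESP rides directly on IP: no ports, so it can be filtered apart from IKE
ISAKMP_PORT = 500      # IKE phase 1 / phase 2 negotiation
NAT_T_PORT = 4500      # once NAT is detected, both IKE and ESP are UDP-encapsulated here


@dataclass(frozen=True)
class Flow:
    direction: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed format described above."""
    direction, proto, sport, dport, nbytes = line.split()
    if direction not in ("in", "out"):
        raise ValueError(f"bad direction: {direction!r}")

    def to_port(s: str) -> Optional[int]:
        return None if s == "-" else int(s)

    return Flow(direction, int(proto), to_port(sport), to_port(dport), int(nbytes))


def classify(flow: Flow) -> str:
    """Map a flow to the IPsec component it carries."""
    if flow.proto == IP_PROTO_ESP:
        return "esp"
    if flow.proto == IP_PROTO_UDP:
        ports = {flow.src_port, flow.dst_port}
        if ISAKMP_PORT in ports:
            return "isakmp"
        if NAT_T_PORT in ports:
            return "nat-t"
    return "other"


def summarize(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Byte totals keyed by (component, direction)."""
    totals: Counter = Counter()
    for line in lines:
        if line.strip():
            f = parse_flow(line)
            totals[(classify(f), f.direction)] += f.nbytes
    return dict(totals)


def diagnose(totals: Dict[Tuple[str, str], int]) -> str:
    """Reduce the byte totals to a short verdict about the transport path."""
    def get(component: str, direction: str) -> int:
        return totals.get((component, direction), 0)

    ike = get("isakmp", "in") + get("isakmp", "out")
    natt = get("nat-t", "in") + get("nat-t", "out")
    esp_in, esp_out = get("esp", "in"), get("esp", "out")
    if ike == 0 and natt == 0:
        return "no-ike"                # phase 1 was never negotiated on this path
    if natt > 0:
        return "nat-t-in-use"          # data shares UDP/4500 with IKE; look beyond the transport path
    if esp_in > 0 and esp_out > 0:
        return "esp-bidirectional"     # encrypted data flows both ways; check routing/ACLs inside the tunnel
    if esp_out > 0:
        return "esp-inbound-missing"   # we send ESP but receive none: consistent with protocol 50 dropped toward us
    if esp_in > 0:
        return "esp-outbound-missing"  # mirror image: peer's ESP arrives, ours never gets out
    return "esp-absent"                # IKE only: the "tunnel up, no traffic" symptom


# Constructed sample records (not captured from any real device).
HEALTHY = """
out 17 500 500 1200
in 17 500 500 1100
out 50 - - 45000
in 50 - - 39000
"""

ESP_DROPPED_INBOUND = """
out 17 500 500 1200
in 17 500 500 1100
out 50 - - 45000
"""

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("esp dropped inbound", ESP_DROPPED_INBOUND)):
        print(f"{name}: {diagnose(summarize(sample.splitlines()))}")
```

Feeding it real counters means exporting them into the five-field format first; the value of the exercise is separating the three components (UDP/500, UDP/4500, protocol 50) so that a gateway silently dropping only ESP stands out instead of hiding behind a tunnel that reports up/up.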
I think the problem is at the head end, with the cable provider's Netgear/Comcast router. The funny thing is, the tunnel shows up, and the firewall even sees the ICMP form/teardown, but no traffic is actually flowing. I tested the site to site from another location and got the same result. Comcast is replacing the gateway with an SMC one.
I set up a test L2L VPN on my backup connection (AT&T static IP DSL), using a PIX 501, and got the same result: VPN tunnel shows up on phase one and two, but cannot ping or communicate, even though both sides are showing some info on the connections (connection establishments/teardowns, byte counts, etc.). However, I brought the PIX inside my Comcast network, using one of my spare public IPs, and everything worked perfectly. That leads me to believe that the problem is ISP or ISP equipment related.