Cisco ASA 5505 VPN to Cisco 3000 VPN concentrator VPN help

andrew.miller
Level 1

Hello

I started a new job and did not have past experience with ASA/VPN. I'm trying to learn on the fly, but I'm stuck. My tunnel is up, but I don't get any traffic passing.

I looked and I see packets being encrypted but no received packets.

The VPN 3000 shows the same thing: a tunnel, but only transmit or nothing.

I compared the config from a known good working box and matched them as closely as possible. I have tried different ASAs and different concentrators to rule out hardware.

Non-working box:

!
hostname sa-hostname
names
!
!
interface Vlan1
 nameif inside
 security-level 100
 dhcp client update dns server both
 ip address 172.25.x.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
 no shut
!
interface Ethernet0/1
 no shut
!
interface Ethernet0/2
shut
!
interface Ethernet0/3
shut
!
interface Ethernet0/4
shut
!
interface Ethernet0/5
shut
!
interface Ethernet0/6
 no shut
!
interface Ethernet0/7
 no shut
!
boot system disk0:/version on device
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group xxxx.xxx.com
 retries 4
 timeout 10
 name-server 10.1.1.110
 name-server 10.8.16.110
 domain-name xxxx.xxx.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/version on device
no asdm history enable
arp timeout 14400
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
snmp-server location Indvidual assigned to device
snmp-server contact Network Services
no snmp-server enable
telnet timeout 1
ssh 10.0.0.0 255.0.0.0 inside
ssh 172.0.0.0 255.0.0.0 inside
ssh timeout 5
console timeout 5
management-access inside
dhcpd dns 10.1.1.110 10.8.16.110
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxxx.xxx.com
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 172.25.x.5-172.25.x.6 inside
dhcpd update dns interface inside
dhcpd enable inside
!
vpnclient server 66.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup xxxx password xxxx
vpnclient username xxxx password xxxx
vpnclient enable
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 5 md5 serve-only
ntp authenticate
ntp server 10.0.0.2 source inside
ntp server 10.0.0.3 source inside
ntp server 10.3.0.2 source inside
ntp server 10.3.0.3 source inside
username xxxx password xxxx privilege 15
enable password xxxx
!
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.1.4
 timeout 15
 key Clonewars*
aaa-server TACACS+ (inside) host 10.3.1.4
 timeout 15
 key Clonewars*
aaa-server RADIUS protocol radius
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command TACACS+
aaa accounting enable console TACACS+
!
class-map Voice
 match dscp cs5
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect dns preset_dns_map
  inspect http
  inspect ip-options
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
service-policy Voicepolicy interface inside
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily

crypto key generate rsa general-keys modulus 1024

Working - I compared these and added anything to the above that was missing. I also configured the VPN 3000 to work with the above, which was basically just a username set to the group configs.

sh run
: Saved
:
: Serial Number: JMX1527Z02F
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)4
!
hostname xxxxx
enable password xxxxxxxxxx encrypted
passwd xxxxxxxxxx encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 dhcp client update dns server both
 ip address 172.25.x.1 255.255.255.248
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!

boot system disk0:/asa922-4-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group xxxx.xxx.com
 retries 4
 timeout 10
 name-server 10.1.1.110
 name-server 10.8.16.110
 domain-name xxxx.xxx.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.0.1.4
 timeout 15
 key *****
aaa-server TACACS+ (inside) host 10.3.1.4
 timeout 15
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa accounting command TACACS+
aaa accounting enable console TACACS+
snmp-server location xxxxxxx
snmp-server contact Network Services
no snmp-server enable
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
crypto isakmp identity hostname
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh scopy enable
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 inside
ssh 172.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 5
management-access inside
vpnclient server 66.x.x.x
vpnclient mode network-extension-mode
vpnclient vpngroup xxxxx password *****
vpnclient username xxxxxx password *****
vpnclient enable
dhcpd dns 10.1.1.110 10.8.16.110
dhcpd lease 43200
dhcpd ping_timeout 750
dhcpd domain xxxx.xxx.com
dhcpd auto_config outside
dhcpd update dns both
!
dhcpd address 172.25.x.5-172.25.x.6 inside
dhcpd update dns interface inside
dhcpd enable inside
!
priority-queue inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 5 md5 *****
ntp authenticate
ntp server 10.252.252.57 source inside
ntp server 10.252.252.1 source inside prefer
tftp-server inside 10.1.5.240 /
username xxxxxxxxxx password xxxxxxxxxx encrypted privilege 15
!
class-map Voice
 match dscp cs5
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect http
policy-map Voicepolicy
 class Voice
  priority
!
service-policy global_policy global
service-policy Voicepolicy interface inside
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c7873639013b549e649c773faaa179b8
: end
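
The two things done by hand in this thread, matching a non-working config against a known good one and reading the encrypt/receive counters, can both be scripted. The following is an added example, not code from the original post or from Cisco. It assumes only the layout of an ASA `show running-config` dump (sub-mode lines indented by spaces, `!` separators, `:`-prefixed comment lines) and the `#pkts encaps:` / `#pkts decaps:` counter lines of `show crypto ipsec sa`; the config excerpts and the SA output below are constructed for the example, modelled on the configs posted above, and are not complete.

```python
"""Helpers for the two checks described in this thread (added example, not
code from the original post or from Cisco): diff two ASA running-configs with
secrets masked, and read the encaps/decaps counters that show a one-way tunnel.
All sample input below is constructed for illustration."""
import re

# Mask the value after these keywords.  The lookbehind keeps compound tokens
# such as "authentication-key" or "key-exchange" from being treated as secrets.
SECRET_RE = re.compile(r"(?<![\w-])(password|passwd|key|md5)\s+\S+")


def normalize(config_text):
    """Set of fully qualified statements ("parent / child") in an ASA config dump."""
    statements = set()
    stack = []  # (indent, statement) of the enclosing sub-modes
    for raw in config_text.splitlines():
        stripped = raw.strip()
        # Skip blanks, "!" separators, ": Saved"-style comments and the checksum
        if not stripped or stripped.startswith((":", "!", "Cryptochecksum")):
            continue
        masked = SECRET_RE.sub(lambda m: f"{m.group(1)} <redacted>", stripped)
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        statements.add(" / ".join([s for _, s in stack] + [masked]))
        stack.append((indent, masked))
    return statements


def diff_configs(non_working, working):
    """Statements each side has that the other lacks, secrets already masked."""
    a, b = normalize(non_working), normalize(working)
    return {"missing_from_non_working": sorted(b - a),
            "extra_in_non_working": sorted(a - b)}


COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def sa_direction(show_output):
    """Sum encaps/decaps from 'show crypto ipsec sa' and judge the SA's direction."""
    counts = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(show_output):
        counts[name] += int(value)
    if counts["encaps"] and not counts["decaps"]:
        counts["verdict"] = "one-way: encrypting but nothing received"
    elif counts["encaps"] and counts["decaps"]:
        counts["verdict"] = "two-way"
    else:
        counts["verdict"] = "no traffic entering the tunnel"
    return counts


# Constructed excerpts modelled on the two configs posted above (not complete)
NON_WORKING = """\
: Saved
!
hostname sa-hostname
interface Vlan1
 nameif inside
 ip address 172.25.x.1 255.255.255.0
!
aaa-server TACACS+ (inside) host 10.0.1.4
 timeout 15
 key Clonewars*
vpnclient vpngroup xxxxx password xxxx
"""

WORKING = """\
hostname xxxxx
interface Vlan1
 nameif inside
 ip address 172.25.x.1 255.255.255.248
!
aaa-server TACACS+ (inside) host 10.0.1.4
 timeout 15
 key *****
crypto isakmp identity hostname
crypto ikev1 policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
vpnclient vpngroup xxxxx password *****
Cryptochecksum:00000000000000000000000000000000
"""

# Constructed "show crypto ipsec sa" excerpt reproducing the symptom described
SA_OUTPUT = """\
    #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for side, lines in diff_configs(NON_WORKING, WORKING).items():
        print(side, *("    " + line for line in lines), sep="\n")
    print(sa_direction(SA_OUTPUT))
```

Run as a script, it lists the `crypto isakmp identity` and `crypto ikev1 policy` statements the constructed non-working excerpt lacks, with the TACACS+ key and group password masked so the diff can be pasted into a ticket, and reports the counters as one-way. Encaps climbing while decaps stays at zero means phase 1 and phase 2 are already up and the local side is sending; what is missing is the return path, so the next place to look is the remote side's routing and crypto ACL / NAT rather than the IKE policy.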

1 Reply

andrew.miller
Level 1

I noticed a few things: there was no NAT and the object list was wrong, so I did a write erase and pasted in the working config with a different user and such, and it still does not work.