08-09-2016 08:38 AM
I created a site-to-site VPN between an ASA5505 and an RV130W, but the networks do not communicate with each other.
Help me please.
Configurations of ASA 5505:
IP WAN: xxx.xxx.xxx.xxx
Peer IP: xxx.xxx.xxx.xxx
Pre-Shared Key: xxxxxx
Tunnel Group Name: VPN_LOJA
IKE Policy
Encryption: 3DES
Authentication: SHA
DH Group: 2
IPsec Policy
Encryption: 3DES
Authentication: SHA
PFS: Enabled
DH Group: 2
Local Address: 192.168.1.0/24
Remote Address: 192.168.0.0/24
Configurations of RV130W:
Ike Policy Configuration
Edit VPN Policy Configuration:
Commands of ASA 5505
Result of the command: "show crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 179.159.73.226
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 187.11.204.223
access-list outside_1_cryptomap permit ip 192.168.1.0 255.255.255.0 Filial_Indaia 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Filial_Indaia/255.255.255.0/0/0)
current_peer: 179.159.73.226
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 187.11.204.223, remote crypto endpt.: 179.159.73.226
path mtu 1492, ipsec overhead 58, media mtu 1500
current outbound spi: 306E9824
inbound esp sas:
spi: 0x17A2C960 (396544352)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 704512, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 27819
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x306E9824 (812554276)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 704512, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 27819
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Result of the command: "packet-tracer input inside icmp 192.168.1.8 0 0 192.168.0.2"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
08-09-2016 05:34 PM
Hi,
Could you check if you are denying this traffic on the inside ACL on the ASA?
Also share the output of show run all.
Regards,
Aditya
Please rate helpful posts and mark correct answers.
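The two outputs in the original post can be cross-checked mechanically before looking at the inside ACL, as the reply above suggests. The Python below is an added example, not part of any post in this thread: the function names are hypothetical and the sample text is constructed from excerpts of the outputs quoted above.

```python
import re

# Constructed sample input: excerpts shaped like the outputs quoted in the thread.
PACKET_TRACER = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
IPSEC_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0x17A2C960 (396544352)
outbound esp sas:
spi: 0x306E9824 (812554276)
"""

def first_drop(trace):
    """Return (phase, type, implicit_rule) for the first DROP phase, or None."""
    phases = re.finditer(r"(?ms)^Phase:[ \t]*(\d+)\n(.*?)(?=^Phase:|\Z)", trace)
    for m in phases:
        body = m.group(2)
        if re.search(r"(?m)^Result:[ \t]*DROP", body):
            typ = re.search(r"(?m)^Type:[ \t]*(\S+)", body)
            return int(m.group(1)), typ.group(1) if typ else "", "Implicit Rule" in body
    return None

def sa_counters(text):
    """Return (encaps, decaps, number of ESP SPIs), summed over the SAs in text."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in re.findall(r"#pkts (encaps|decaps):[ \t]*(\d+)", text):
        totals[name] += int(value)
    spis = re.findall(r"(?m)^[ \t]*spi:[ \t]*0x[0-9A-Fa-f]+", text)
    return totals["encaps"], totals["decaps"], len(spis)

def triage(trace, ipsec):
    """Summarise where traffic stops: in the firewall path or inside the tunnel."""
    notes, drop = [], first_drop(trace)
    encaps, decaps, spis = sa_counters(ipsec)
    if spis and encaps == 0 and decaps == 0:
        notes.append("ESP SAs are installed but no packet was encapsulated or decapsulated")
    if drop:
        rule = " by an implicit rule" if drop[2] else ""
        notes.append(f"packet-tracer drops at phase {drop[0]} ({drop[1]}){rule}")
    return notes
```

Calling `triage(PACKET_TRACER, IPSEC_SA)` returns both notes, which places the drop at the ACCESS-LIST phase, before any packet reaches the tunnel.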
08-10-2016 12:43 PM
Hi,
thanks for the answer.
The traffic on the inside is normal.
Below is the result of the command:
Result of the command: "show run all sysopt"
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
no sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt nodnsalias inbound
no sysopt nodnsalias outbound
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp backup
no sysopt noproxyarp outside
08-10-2016 01:29 PM
Additional information: when I set the option "Identity to Be Sent to Peer" to "Address", the VPN tunnel connects.
If I set the option to "Host", the tunnel connects and then goes down.
08-25-2016 07:22 AM
Someone?