IPSEC tunnel up - traffic not passing. TTL Expired on one side.

jpierson
Level 1

SOHO office: site a, ASA 5505, 10.29.0.xx/24

Main office: site b, ASA 5540, 10.75.0.xx/24

Tunnel establishes - phase one and two look good. packet-tracer completes successfully from both sides. A client at the SOHO site can send pings to 10.75.0.xx but receives no response. I can see the build and teardown on the firewall at the SOHO side, but I'm not getting a response. When I kill the tunnel, sending a ping will re-establish it from the SOHO side.

From the main office side, pings sent to 10.29.0.xx return: "TTL Expired in Transit".  A traceroute shows the packet looping in the firewall.  The ACLs look good, the crypto maps look good, and there are no explicit routes pointing elsewhere.  If I drop the tunnel, sending pings from the main office side will not rebuild the tunnel.

Any idea what I'm missing here or what direction to head next?

-JP


3 Replies

andrew.prince
Level 10

Post configs for review

jpierson
Level 1

RESOLVED

The issue was, in fact, a routing loop.

The routes applied on the central office side pointed ALL internal traffic back towards the interior network.  An explicit route pointing 10.29.xx.xx traffic out resolved the issue.
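
The situation described in the resolution, shown as an added ASA routing example (this is an illustration written for this page, not the poster's actual configuration). Interface names "inside" and "outside", the interior router 10.75.0.1, the ISP next hop 203.0.113.1 and the remote VPN peer 198.51.100.2 are all assumed; the crypto map, IKE policy and crypto ACL are assumed to already be correct and are not shown. The point is that the ASA does its route lookup before it decides whether a packet is interesting to the crypto map: a route that sends 10.29.0.0/24 toward the inside means the packet never reaches the outside interface where it would be encrypted, so it bounces between the ASA and the interior router until TTL expires.

```cisco
! Added illustration, not the poster's configuration.
! Assumed: ASA 5540 at site b, interfaces "inside" and "outside",
! interior router 10.75.0.1, ISP next hop 203.0.113.1 (documentation
! address), remote VPN peer 198.51.100.2. Only routing is shown; the
! crypto map, IKE policy and crypto ACL are assumed to be in place.

! --- Before: the loop ---
! The /8 summary sends every 10.x.x.x destination back to the interior
! router, and 10.29.0.0/24 falls inside it. Replies to the remote LAN are
! routed toward "inside", never hit the outside interface where the crypto
! map lives, and the interior router's default route hands them straight
! back to the ASA. TTL decrements on each pass until the packet dies.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.75.0.1 1

! --- After: the fix ---
! A more specific /24 wins the longest-prefix match and points out the
! outside interface toward the ISP next hop. From there the packet matches
! the crypto ACL and is encrypted to the peer. The /8 summary stays for the
! rest of the interior network.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.75.0.1 1
route outside 10.29.0.0 255.255.255.0 203.0.113.1 1

! --- Verifying ---
! The routing table should now list the /24 via outside ahead of the /8:
show route
! Trace an inside-to-remote ping through the ASA. The ROUTE-LOOKUP phase
! must resolve to "outside" and a VPN encrypt phase must follow it:
packet-tracer input inside icmp 10.75.0.10 8 0 10.29.0.10 detailed
! Once traffic flows, the encaps/decaps counters for the peer should climb:
show crypto ipsec sa peer 198.51.100.2
```

One caveat worth knowing from the original symptoms: packet-tracer will happily report ALLOW even when the packet is being routed out the wrong interface, because nothing in the policy actually drops it. The field to read in its output is the egress interface in the ROUTE-LOOKUP phase, not the final verdict; if it says "inside" for a destination behind the tunnel, the route, not the crypto config, is the problem.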

What exactly did you do to resolve the problem? I'm also getting this error message. I used a route-map and set ip default next-hop. I would appreciate your soonest response.