IPsec VPN Issue

thihher_cco
Level 1

Dear everybody,

I am having a strange problem with an IPsec VPN between "C3945 A---ASA5540 A----------Internet----------ASA5540 B---C3945 B". I set up the IPsec VPN between the ASA5540s and set up a tunnel between the C3945s. The C3945 configuration is as follows:

C3945 A:

interface Tunnel10
 ip address 172.18.1.225 255.255.255.252
 tunnel source 172.17.0.1
 tunnel destination 172.17.1.121

C3945 B:

interface Tunnel10
 ip address 172.18.1.226 255.255.255.252
 tunnel source 172.17.1.121
 tunnel destination 172.17.0.1

the strange issue is like that:

  On C3945A: I can ping 172.17.1.121 with the source address 172.17.0.1, but can't ping 172.18.1.226

  On C3945B: I can ping 172.17.0.1 with the source address 172.17.1.121, but can't ping 172.18.1.225

So could someone who knows this issue please help me!

thanks

Thihher


thihher_cco
Level 1

Sorry, I must add something to avoid a misunderstanding:

the strange issue is like that:

  On C3945A: I can ping 172.17.1.121 with the source address 172.17.0.1, but can't ping 172.18.1.226 with the source address 172.18.1.225

  On C3945B: I can ping 172.17.0.1 with the source address 172.17.1.121, but can't ping 172.18.1.225 with the source address 172.18.1.226

Is the IPSec VPN actually up?

Please check the status from the ASA:

- show cry isa sa

- show cry ipsec sa

Please check the status from the router:

- show ip int bri

If the IPsec VPN is not up, then you won't be able to pass traffic through the GRE tunnel, i.e. you can't ping the tunnel interface.

Hello Jennifer,

   Thanks for your reply. I checked the status on ASA 1:

show crypto isa sa

IKE Peer: *.*.*.*
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE


show crypto ipsec sa | b seq num: 680

    Crypto map tag: wanmavpn, seq num: 680, local addr: *.*.*.*

      access-list SDPenglaidongguan permit ip host 172.17.0.2 host 172.17.1.68
      local ident (addr/mask/prot/port): (172.17.0.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.17.1.68/255.255.255.255/0/0)
      current_peer: *.*.*.*, username: DefaultRAGroup
      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: *.*.*.*, remote crypto endpt.: *.*.*.*
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 28A9639F

    inbound esp sas:
      spi: 0xB763709E (3076747422)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1740800, crypto-map: wanmavpn
         sa timing: remaining key lifetime (sec): 2814
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00007FFF
    outbound esp sas:
      spi: 0x28A9639F (682189727)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 1740800, crypto-map: wanmavpn
         sa timing: remaining key lifetime (sec): 2814
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

and from Router 1, I can see that:

interface Tunnel680
 ip address 172.19.1.13 255.255.255.252
 tunnel source 172.17.0.2
 tunnel destination 172.17.1.68

show ip interface brief

Tunnel680                  172.19.1.13     YES manual up                    up

On the other end of the IPsec VPN, the status of the IPsec VPN on the ASA and Router is the same as the above.

From the above, we can see the IPsec VPN is up. I can ping 172.17.1.68 with source 172.17.0.2 on Router 1, but I can't ping 172.19.1.14 with source 172.19.1.13.

There is another strange thing: if you don't change anything on the ASA and Router, after some time I can ping each tunnel address from the other, which means the IPsec VPN seems to work fine.
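The thread turns on one question: are the GRE pings actually entering the IPsec SA? The `#pkts encaps` / `#pkts decaps` counters in `show crypto ipsec sa` answer that if you snapshot them before and after a ping test. The script below is an added example, not code from this thread or from Cisco; it parses a constructed excerpt modelled on the output above (counters and SPI are made up), checks that the crypto ACL identities cover the GRE tunnel endpoints, compares the counters across two snapshots, and flags the deprecated single-DES transform the SA is using.

```python
import ipaddress
import re

# Constructed excerpt of "show crypto ipsec sa" output, modelled on the thread;
# the counters and SPI are made up for this example.
SA_BEFORE = """\
      local ident (addr/mask/prot/port): (172.17.0.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.17.1.68/255.255.255.255/0/0)
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #send errors: 0, #recv errors: 0
    inbound esp sas:
      spi: 0xB763709E (3076747422)
         transform: esp-des esp-sha-hmac no compression
"""
# Second snapshot, constructed as if taken after five pings across the GRE tunnel:
# five more packets were encapsulated, but nothing extra was decapsulated.
SA_AFTER = SA_BEFORE.replace("encaps: 9,", "encaps: 14,")

WEAK_TRANSFORMS = {"esp-des", "esp-3des"}  # single DES and 3DES are deprecated

def parse_sa(text):
    """Pull identities, packet counters and ESP transforms out of one SA block."""
    sa = {"transforms": re.findall(r"transform:\s+(.+)", text)}
    for key in ("encaps", "decaps"):
        sa[key] = int(re.search(rf"#pkts {key}: (\d+)", text).group(1))
    for key in ("send", "recv"):
        sa[key + "_errors"] = int(re.search(rf"#{key} errors: (\d+)", text).group(1))
    for side in ("local", "remote"):
        addr, mask = re.search(rf"{side} ident .*?: \((\S+?)/(\S+?)/", text).groups()
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return sa

def diagnose(before, after, tunnel_src, tunnel_dst, pings_sent):
    """Compare two snapshots taken around a ping test and return the findings."""
    b, a = parse_sa(before), parse_sa(after)
    findings = []
    # GRE packets carry the tunnel source/destination as outer IPs, so the
    # crypto ACL (the local/remote ident) must cover both of them.
    if (ipaddress.ip_address(tunnel_src) not in a["local"]
            or ipaddress.ip_address(tunnel_dst) not in a["remote"]):
        findings.append("crypto ACL does not cover the GRE tunnel endpoints")
    sent, got = a["encaps"] - b["encaps"], a["decaps"] - b["decaps"]
    if sent < pings_sent:
        findings.append(f"only {sent}/{pings_sent} pings were encrypted: "
                        "traffic is not reaching the crypto map (routing/ACL)")
    elif got == 0:
        findings.append("pings were encrypted but nothing came back: check the far side")
    if a["send_errors"] > b["send_errors"] or a["recv_errors"] > b["recv_errors"]:
        findings.append("SA error counters increased during the test")
    if any(WEAK_TRANSFORMS & set(t.split()) for t in a["transforms"]):
        findings.append("weak ESP transform (DES/3DES) in use; migrate to AES")
    return findings
```

Run the same comparison on both ASAs: if one side encapsulates and the other never decapsulates, the loss is between the two crypto endpoints rather than in the GRE configuration.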