IPsec VPN Tunnel not initializing - interesting traffic?

manuscript1
Level 1

Hi, an easy one for somebody!

Have set up a VPN to a third party - remote ED is a 10.254.x.x address ... internal network is 10.0.0.0 0.0.0.255.

The VPN does not start.

I am sure the VPN is actually configured correctly and with an in/out ACL which is in order.

I can see my ping packet in logs on the inside interface.

I have added rules (not that I think these are needed).

Do I need to add a route 10.254.x.x 255.255.255.255 via the remote peer address? Or am I missing something else?

Ta

4 Replies

teatrodelsogno
Level 1

Hi,

what about the devices in the focus?

ASA router?!

regards

Hi, not sure what you are asking.

I have changed the VPN remote ED to a 192.x.x.x address so there is no conflict in IP addressing - my ASA does not seem to process the packet to the VPN - it seems to treat it as a genuine outbound packet and sends it out of the outside interface - think I'm missing something fundamental for the outbound VPN to trigger - it's not the ACL, that's right.

regards

We do not have enough information to be able to identify what is the problem. If you will provide details of the configuration we might be able to help you find the issue. As a starting point you certainly need to be sure that the routing logic is sending traffic to the remote end through the interface that has the VPN. That might need a specific static route or it might be taken care of by the existing default route. Till we see some config details we cannot know which it would be.

HTH

Rick

Hi Richard

Here is the config - if I do a packet tracer source - destination it follows a standard rule and gets dropped - no xlate. All inbound VPNs work 100%. This is the first outbound tunnel initialization on this ASA.

Nothing in crypto-map

and packet tracer output (see below)

sh access-list Outside_cryptomap_2
access-list Outside_cryptomap_2; 1 elements; name hash: 0x11f62eb
access-list Outside_cryptomap_2 line 1 extended permit ip object Server-Telephonetics object Net-TelephoneticsSource (hitcnt=0) 0xd923d0f3
access-list Outside_cryptomap_2 line 1 extended permit ip host 10.128.70.17 host 192.0.2.100 (hitcnt=0) 0xd923d0f3
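
An added example, not part of the thread and not Cisco code: a small offline check of the two conditions discussed above, namely whether a flow matches the expanded crypto ACL entry and whether the route for the destination leaves through the interface holding the crypto map. The routing table, the interface names `Outside` and `inside`, the test address 10.254.1.1 and all function names are assumptions made for illustration; only the two ACL lines come from the output above.

```python
import ipaddress
import re

# The two ACL lines from the "sh access-list" output quoted in the thread.
ACL_OUTPUT = """\
access-list Outside_cryptomap_2 line 1 extended permit ip object Server-Telephonetics object Net-TelephoneticsSource (hitcnt=0) 0xd923d0f3
access-list Outside_cryptomap_2 line 1 extended permit ip host 10.128.70.17 host 192.0.2.100 (hitcnt=0) 0xd923d0f3
"""

# Constructed routing table (assumption): (prefix, egress interface name).
ROUTES = [("0.0.0.0/0", "Outside"), ("10.0.0.0/8", "inside")]

ADDR = r"(?:host (\S+)|(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+))"
LINE = re.compile(r"permit ip " + ADDR + " " + ADDR + r" \(hitcnt=(\d+)\)")

def _net(host, addr, mask):
    # "host A" is a /32; "A M" is network plus netmask.
    return ipaddress.ip_network(f"{host}/32" if host else f"{addr}/{mask}")

def parse_acl(text):
    """Return (src_net, dst_net, hitcnt) for each expanded permit entry."""
    entries = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:  # object-based lines carry no addresses and are skipped
            h1, a1, m1, h2, a2, m2, hits = m.groups()
            entries.append((_net(h1, a1, m1), _net(h2, a2, m2), int(hits)))
    return entries

def egress(dst, routes):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in routes
               if ip in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def check(src, dst, acl_text, routes, crypto_if):
    """Report ACL match, recorded hit count and egress interface check."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [h for sn, dn, h in parse_acl(acl_text) if s in sn and d in dn]
    return {"interesting": bool(hits), "hitcnt": sum(hits),
            "egress_ok": egress(dst, routes) == crypto_if}

if __name__ == "__main__":
    print(check("10.128.70.17", "192.0.2.100", ACL_OUTPUT, ROUTES, "Outside"))
    print(check("10.128.70.17", "10.254.1.1", ACL_OUTPUT, ROUTES, "Outside"))
```

With the constructed routes, the first flow matches the entry and would leave via `Outside`, yet the recorded hit count is 0, meaning no packet has matched that entry so far. The second flow follows the more specific 10.0.0.0/8 route back to `inside` and never reaches the crypto map interface.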