Problem with Site to Site VPN. VPN Tunnel is down, but can ping

JoeSS8700
Beginner

Ok, so I am trying to figure out why I can't get anything to show up when I do sh crypto isakmp sa or sh crypto ipsec sa. I did the basic setup for a site to site VPN and I can ping across both networks just fine, no problem. So when I ping from a PC in the 172.16.0.0 network to the 192.168.0.0 network there is no problem at all because the pings are received just fine. But when I do sh crypto isakmp sa, there is just nothing there and I can't for the life of me figure out why. I looked at my sh run for both routers and everything looks fine, but I guess I may be overlooking something. If someone could help me diagnose this problem I would truly appreciate it.

I have attached my packet tracer file; both routers are using the password binary. I also have the sh run of both routers attached.

1 ACCEPTED SOLUTION


I cannot see 172.16.0.0/24 on any of the routers, only 172.16.0.0/16, and I think this is the issue.

In the crypto ACL you have on the branch router:

!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255

shouldn't it be:

!
ip access-list extended S2S-VPN-TRAFFIC
permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255

and of course mirrored on the main router.

If this is not the case, you are saying that some pings between 192.168.0.x and 172.16.0.x are going OK. Can you please point out exactly which one? I could see that you attached a packet tracer file, but I couldn't open it.

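To make the wildcard-mask point concrete, here is an added Python example (not from the thread, and not Cisco code) that applies IOS wildcard matching to the branch crypto ACL as posted and as corrected, and checks that the main router's ACL is the mirror image. The host addresses and the main-router ACL line are constructed for the example.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_permit(line: str):
    """Parse 'permit ip SRC SRC_WC DST DST_WC' (only this ACE form is handled)."""
    parts = line.split()
    if parts[:2] != ["permit", "ip"] or len(parts) != 6:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (parts[2], parts[3]), (parts[4], parts[5])


def is_interesting(acl, src: str, dst: str) -> bool:
    """True if a src->dst packet would trigger IPsec under this crypto ACL."""
    return any(wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)
               for (s, sw), (d, dw) in acl)


def mirrored(local_acl, remote_acl) -> bool:
    """The peer's crypto ACL must be the local one with src/dst swapped."""
    return {(d, s) for s, d in local_acl} == set(remote_acl)


# Branch ACL exactly as posted in the thread, and with the /16 wildcard
BRANCH_AS_POSTED = [parse_permit("permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255")]
BRANCH_FIXED = [parse_permit("permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.255.255")]
# Constructed mirror of the fixed ACL for the main router
MAIN_FIXED = [parse_permit("permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255")]

if __name__ == "__main__":
    # Constructed sample hosts: one inside 172.16.0.0/24, one elsewhere in the /16
    for dst in ("172.16.0.5", "172.16.1.5"):
        print(dst, "as posted:", is_interesting(BRANCH_AS_POSTED, "192.168.0.10", dst),
              "fixed:", is_interesting(BRANCH_FIXED, "192.168.0.10", dst))
    print("fixed ACL mirrored on main:", mirrored(BRANCH_FIXED, MAIN_FIXED))
```

A ping that is not "interesting" is simply routed in the clear, so it succeeds without ever bringing up an SA, which is why a working ping and an empty sh crypto isakmp sa can coexist.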

11 REPLIES

Jennifer Halim
Cisco Employee

Are you sure they are routing it correctly?

Also on the main site, you should remove the crypto map on the trunk interface as it's incorrect:

interface FastEthernet0/1
description TRUNK TO MAIN SWITCH A
no crypto map vader

And on the branch site, remove the crypto map from fa0/1 if it's not required, as you only need to apply it to the interface where the peer address is:

interface FastEthernet0/1
no crypto map vader

Then, try to do extended ping from the branch router, sourcing it from interface fa0/1, and see if you can ping something on 172.16.0.x subnet.

Alright, I removed the crypto map on the fa0/1 interface of both routers. I also tried pinging something on the 172.16.0.x subnet and I was able to ping just fine. I can pretty much ping across almost anywhere without a problem. Which confuses me more as to why the VPN tunnel isn't showing up and why nothing shows in sh crypto isakmp sa.

If the VPN tunnel isn't showing up, it's most probably routing via a different path, not via the interface where the crypto map is applied.

Can you please check the routing to see if it's routing correctly?