05-03-2010 12:59 PM
I've been able to, with much trial and error, establish the tunnel between my main office, the ASA, and the remote office, the RVS4000.
However, I can't get traffic to work through the tunnel. I used the wizard to set up the tunnel on the ASA end, and then manually set up the connection on the RVS end. Do I need to add explicit settings to the firewall rules to allow traffic? It did add entries to the ACL list, so I assumed it should be working without additional settings. Any help appreciated.
gene
05-03-2010 01:03 PM
Hi,
By default on the ASA, all VPN traffic should be permitted without being checked by the outside ACL.
Check if you have the command: sysopt connection permit-vpn
Also, the interesting traffic should be a mirror on both ends.
The routing should be fine to reach the remote LAN through the tunnel.
You can enable: management-access inside
on the ASA and try to PING the inside IP from the RVS4000 local network.
Federico.
05-05-2010 06:35 AM
Federico, thanks for the reply. I tried those, no joy. I continue to get destination host unreachable when pinging out or in; I get nothing in either log to show it is getting to either device. I'm still trying, but not sure what to try from here.
Tunnel is stable, still connected. I can post any of the config if it will help.
TIA
gene
05-05-2010 07:23 AM
Gene,
Let's do the following:
Please post the output of:
sh cry isa sa
sh cry ips sa
From the ASA
Those commands should tell us if the tunnel is established and if traffic is passing through.
Federico.
05-05-2010 07:28 AM
Result of the command: "sh cry isa sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 67.60.168.34
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Result of the command: "sh cry ips sa"
interface: CableOne
Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42
access-list CableOne_1_cryptomap permit ip 172.16.100.0 255.255.252.0 FriscoCenter 255.255.255.0
local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (FriscoCenter/255.255.255.0/0/0)
current_peer: 67.60.168.34
#pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 99, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 24.116.132.42, remote crypto endpt.: 67.60.168.34
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 10F0CC1C
inbound esp sas:
spi: 0x32C3D2C6 (851694278)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 13172736, crypto-map: CableOne_map
sa timing: remaining key lifetime (kB/sec): (3914999/28635)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0x10F0CC1C (284216348)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 13172736, crypto-map: CableOne_map
sa timing: remaining key lifetime (kB/sec): (3914994/28635)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks
05-05-2010 07:34 AM
The tunnel is up and working.
I see packets flowing through the tunnel between the local LAN behind the ASA 172.16.100.0/22 and a remote network called FriscoCenter.
Try the following:
Enable the command: management-access inside
Try to PING from the ASA to the remote side by doing: ping inside x.x.x.x (where x.x.x.x is an IP on the FriscoCenter)
Make sure that both LANs have a route to the remote network pointing to the VPN device.
Federico.
05-05-2010 08:03 AM
Hi,
1. When you say no traffic is flowing, what do you mean? You are unable to ping?
2. How many tunnels are configured on the ASA and on the RVS4000?
I see the traffic on the tunnel on the ASA end.
- Check the access-list again (subnet mask).
- Clear the tunnel on the ASA end (clear crypto isakmp sa) or (clear crypto isakmp sa peer x.x.x.x).
Regards,
Pravin
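As an added example, not posted by anyone in this thread, here is a small Python script that reads the "sh cry ips sa" output Gene posted (embedded below as the sample input, trimmed to the lines the parser uses) and turns the two hints from Federico and Pravin into checks: it compares encaps against decaps to see whether traffic is coming back at all, and converts the local proxy mask to a prefix length so the subnet the RVS4000 must mirror is stated explicitly. The 3:1 asymmetry threshold is my own heuristic, not anything from the thread.

```python
import re
from ipaddress import IPv4Network

# Constructed sample input: the "sh cry ips sa" output posted earlier in this
# thread, trimmed to the lines this parser reads.
SAMPLE = """\
interface: CableOne
Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42
local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (FriscoCenter/255.255.255.0/0/0)
current_peer: 67.60.168.34
#pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#send errors: 0, #recv errors: 0
"""

def parse_ipsec_sa(text):
    """Extract the proxy identities and packet counters from one SA block."""
    sa = {}
    for side in ("local", "remote"):
        m = re.search(rf"{side} ident .*?: \(([^/]+)/([^/]+)/", text)
        sa[side + "_net"], sa[side + "_mask"] = m.group(1), m.group(2)
    for key in ("encaps", "decaps"):
        sa[key] = int(re.search(rf"#pkts {key}: (\d+)", text).group(1))
    m = re.search(r"#send errors: (\d+), #recv errors: (\d+)", text)
    sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa

def prefix_len(mask):
    """Dotted-decimal mask to prefix length, e.g. 255.255.252.0 -> 22."""
    return IPv4Network(f"0.0.0.0/{mask}").prefixlen

def diagnose(sa, ratio=3):
    """Return findings for a tunnel that is up but carries no useful traffic.
    An empty list means the counters are consistent with two-way traffic.
    The ratio is a heuristic (assumption), not a Cisco-defined threshold."""
    findings = []
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("send/recv errors on the SA: check MTU/fragmentation and keys")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("one-way: nothing decrypted; peer has no route or ACL back")
    elif sa["encaps"] > ratio * max(sa["decaps"], 1):
        findings.append(
            f"asymmetric counters ({sa['encaps']} encaps vs {sa['decaps']} decaps): "
            f"most traffic sent into the tunnel gets no reply; confirm the peer's "
            f"remote subnet is {sa['local_net']}/{prefix_len(sa['local_mask'])} "
            f"and that the remote LAN routes it back through the VPN device")
    return findings

if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(SAMPLE)) or ["counters look healthy"]:
        print(line)
```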