04-01-2012 05:51 AM
I have a S2S VPN configured, and I can't get to the 10.127.0.0 network. The 10.128.0.0, and 10.126.0.0 have full access. If I ping a 10.127.0.0 address on the outside interface I get replies, but a ping to the same address on the inside I get no replies. That led me to believe that the config on my 5505 shown below is missing something, but I can't find it. Any help is much appreciated. Config is attached.
Thank you
04-01-2012 08:10 AM
The configuration of your end appears OK. There could be a crypto map mismatch with your peer. There should be an IPSec security association (SA) for each network pair. e.g. your local 10.100.100.0/24 network (and host 1.1.1.1) to peer's 10.[126, 127, 128].0.0/16 networks.
Please check your VPN using "show crypto ipsec sa" to confirm that all your expected SAs are active.
04-01-2012 09:05 AM
Mr. Rhoads, thank you much for the reply.
Below I have a show crypto ipsec from both peers. It looks like I'm missing some decaps, but I'm a little foggy on this command.
5505 Show
Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1
access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.128.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4302, #pkts encrypt: 4302, #pkts digest: 4302
#pkts decaps: 4337, #pkts decrypt: 4337, #pkts verify: 4337
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4302, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 3, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3F8C19E8
current inbound spi : 533A5FFA
inbound esp sas:
spi: 0x533A5FFA (1396334586)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3912972/27880)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3F8C19E8 (1066146280)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914469/27880)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1
access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.126.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 177, #pkts encrypt: 177, #pkts digest: 177
#pkts decaps: 174, #pkts decrypt: 174, #pkts verify: 174
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 177, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B36148A9
current inbound spi : B6024AC4
inbound esp sas:
spi: 0xB6024AC4 (3053603524)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914981/27901)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB36148A9 (3009497257)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914978/27900)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1
access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.127.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 428, #pkts encrypt: 428, #pkts digest: 428
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 428, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 0A4386BB
current inbound spi : FC693EA2
inbound esp sas:
spi: 0xFC693EA2 (4234755746)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3915000/27905)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x0A4386BB (172197563)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914974/27905)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1
access-list crypto extended permit ip host 1.1.1.1 10.128.0.0 255.255.0.0
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1439C8E4
current inbound spi : 0B212EC6
inbound esp sas:
spi: 0x0B212EC6 (186724038)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3915000/28001)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x1439C8E4 (339331300)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914998/28001)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1
access-list crypto extended permit ip host 1.1.1.1 10.127.0.0 255.255.0.0
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B5AE9ABC
current inbound spi : 91A9B396
inbound esp sas:
spi: 0x91A9B396 (2443817878)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3915000/27997)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xB5AE9ABC (3048118972)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 69632, crypto-map: vpnmap
sa timing: remaining key lifetime (kB/sec): (3914998/27997)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
5520 Show
access-list crypto extended permit ip 10.126.0.0 255.255.0.0 10.254.100.0 255.255.255.0
local ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 532, #pkts encrypt: 532, #pkts digest: 532
#pkts decaps: 536, #pkts decrypt: 536, #pkts verify: 536
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 532, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B6024AC4
current inbound spi : B36148A9
inbound esp sas:
spi: 0xB36148A9 (3009497257)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373979/28239)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB6024AC4 (3053603524)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373982/28239)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
access-list crypto extended permit ip 10.127.0.0 255.255.0.0 10.254.100.0 255.255.255.0
local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1794, #pkts decrypt: 1794, #pkts verify: 1794
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: FC693EA2
current inbound spi : 0A4386BB
inbound esp sas:
spi: 0x0A4386BB (172197563)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373983/28237)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xFC693EA2 (4234755746)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28229)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
access-list crypto extended permit ip 10.127.0.0 255.255.0.0 host 1.1.1.1
local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 91A9B396
current inbound spi : B5AE9ABC
inbound esp sas:
spi: 0xB5AE9ABC (3048118972)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373998/28288)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x91A9B396 (2443817878)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28288)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
access-list crypto extended permit ip 10.128.0.0 255.255.0.0 host 1.1.1.1
local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 0B212EC6
current inbound spi : 1439C8E4
inbound esp sas:
spi: 0x1439C8E4 (339331300)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373998/28276)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x0B212EC6 (186724038)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/28276)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
access-list crypto extended permit ip 10.128.0.0 255.255.0.0 10.254.100.0 255.255.255.0
local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3894, #pkts encrypt: 3894, #pkts digest: 3894
#pkts decaps: 5256, #pkts decrypt: 5256, #pkts verify: 5256
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3894, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 533A5FFA
current inbound spi : 3F8C19E8
inbound esp sas:
spi: 0x3F8C19E8 (1066146280)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373595/28142)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x533A5FFA (1396334586)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4902912, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4372216/28141)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 2.2.2.2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.128.35.11/255.255.255.255/0/0)
current_peer: 98.102.220.206, username: Netech
dynamic allocated peer ip: 10.128.35.11
#pkts encaps: 2874, #pkts encrypt: 2874, #pkts digest: 2874
#pkts decaps: 2461, #pkts decrypt: 2461, #pkts verify: 2461
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2874, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 98.102.220.206/60725
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 371A79B9
current inbound spi : 7610E15D
inbound esp sas:
spi: 0x7610E15D (1980817757)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4878336, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 21507
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x371A79B9 (924481977)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 4878336, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 21507
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
04-01-2012 09:42 AM
The command output is a bit daunting at first but when you look at it carefully there are a couple of key points to notice. Each crypto access list entry in use should form an IPsec SA indicating the local ident (network or host), remote ident, peer and, if traffic is flowing bidirectionally, both encaps and decaps.
If you find all the expected SAs but see only decaps (and no encaps - or vice versa) it typically means there's a downstream issue - i.e. a non-responsive or unreachable host. If you don't see the SAs form, it's usually a VPN configuration issue.
That said, the show command output does not seem to match up with the configuration file you posted originally. Are you sure the original post was the current running-configuration?
For example, the show command above indicates an IPsec SA in the 5505 based on the configuration line:
access-list crypto extended permit ip 10.254.100.0 255.255.255.0 10.128.0.0 255.255.0.0
That line does not appear in the original posted 5505 config. Plus I don't see any reference to the 10.100.100.0/24 in the original posted config.
04-01-2012 09:53 AM
Sorry, I guess I did not get the latest running config. 10.100 was changed to 10.254, so the show crypto ipsec sa's are more accurate... that is all that changed though, so just replacing the running IP 10.100 with 10.254. I was trying not to make this confusing.
04-01-2012 11:06 AM
OK, so changing original references to 10.100 in favor of 10.254, gives us the following view of the relevant output of your "show crypto ipsec sa" at the 5520 end:
access-list crypto extended permit ip 10.126.0.0 255.255.0.0 10.254.100.0 255.255.255.0
local ident (addr/mask/prot/port): (10.126.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 532, #pkts encrypt: 532, #pkts digest: 532
#pkts decaps: 536, #pkts decrypt: 536, #pkts verify: 536
Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
access-list crypto extended permit ip 10.127.0.0 255.255.0.0 10.254.100.0 255.255.255.0
local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1794, #pkts decrypt: 1794, #pkts verify: 1794
Crypto map tag: outside_map, seq num: 10, local addr: 2.2.2.2
access-list crypto extended permit ip 10.128.0.0 255.255.0.0 10.254.100.0 255.255.255.0
local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 3894, #pkts encrypt: 3894, #pkts digest: 3894
#pkts decaps: 5256, #pkts decrypt: 5256, #pkts verify: 5256
Note the encaps for the SA 10.127.0.0/16 to 10.254.100.0/24 is zero while the decaps are non-zero. That's telling us that the 5505-5520 site-site VPN established an IPsec SA (i.e. your crypto maps and everything else matched OK), received and decrypted traffic bound for a host or hosts in the 10.127 network and, apparently, did not receive any replies. If it had, we would expect to see encaps showing return traffic from that represented by the decaps.
Assuming the host you are trying to ping in 10.127.0.0 is alive (You did confirm that, yes? I'd ping it from the ASA 5520 to verify.), I would suspect a problem in routing from the 10.127.0.0/16 and the 10.254.100.0/24 networks. I'd say the second most likely possibility is an access-list (on a router). Can you confirm and/or trace the route from 10.127.0.0's gateway, confirming that it is set up to go to the ASA?
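The counter reading described in the replies above, as an added example that is not part of the original thread: Python that parses "show crypto ipsec sa" output from both peers, pairs each SA with its mirror on the other end, and reports where one-way traffic stops. The function names and finding strings are assumptions; the sample input is trimmed from the output posted in this thread.

```python
import re

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")
# Trimmed from the "show crypto ipsec sa" output posted in this thread.
ASA_5505 = """\
local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
#pkts encaps: 4302, #pkts encrypt: 4302, #pkts digest: 4302
#pkts decaps: 4337, #pkts decrypt: 4337, #pkts verify: 4337
local ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
#pkts encaps: 428, #pkts encrypt: 428, #pkts digest: 428
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_5520 = """\
local ident (addr/mask/prot/port): (10.127.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1794, #pkts decrypt: 1794, #pkts verify: 1794
local ident (addr/mask/prot/port): (10.128.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.254.100.0/255.255.255.0/0/0)
#pkts encaps: 3894, #pkts encrypt: 3894, #pkts digest: 3894
#pkts decaps: 5256, #pkts decrypt: 5256, #pkts verify: 5256
"""

def parse_sas(text):
    """Return one dict per IPsec SA: local, remote, encaps, decaps."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":      # a "local ident" line opens a new SA
            cur = {"local": f"{m.group(2)}/{m.group(3)}"}
            sas.append(cur)
        elif m and cur is not None:
            cur["remote"] = f"{m.group(2)}/{m.group(3)}"
        elif cur is not None:
            for name, value in COUNT.findall(line):
                cur[name] = int(value)
    return sas

def classify(sa):
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    return "tx-only" if enc else "rx-only" if dec else "idle"

def localize(near, far):
    """Pair each near-end SA with the far-end SA whose selectors mirror it."""
    mirrored = {(sa.get("remote"), sa["local"]): sa for sa in far}
    findings = {}
    for sa in near:
        peer = mirrored.get((sa["local"], sa.get("remote")))
        state = classify(sa)
        if peer is None:
            state = "no SA on far end: VPN configuration issue"
        elif state == "tx-only" and classify(peer) == "rx-only":
            state = "far end decrypts but never replies: check host, routing, ACLs behind it"
        findings[sa.get("remote")] = state
    return findings

if __name__ == "__main__":
    print(localize(parse_sas(ASA_5505), parse_sas(ASA_5520)))
```

Feed it the full output captured from each ASA within the same few minutes; counters are cumulative for the life of the SA, so compare after generating fresh test traffic.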