03-25-2014 04:55 PM
I set up a tunnel from an ASA called SALMONARM to a Cisco 1921 called PG-1921.
I bring up the tunnel by sending some "interesting traffic".
From PG-1921, I run "show crypto isakmp sa", and an entry for the tunnel is present, with status ACTIVE.
I do the same on SALMONARM, and again the tunnel is present, with status MM_ACTIVE.
So far so good.
I try sending some pings from the inside of the SALMONARM network to the inside of the PG-1921 network.
The pings fail (time out).
I run "show crypto ipsec sa peer <PG-1921-WAN-IP>" on SALMONARM, and I see 0 encaps and 0 decaps.
This seems to suggest that the pings never leave the SALMONARM ASA.
I believe I've accounted for NAT exemption, and an ACL to allow traffic to the remote network from the internal one.
Here are the configs...
SALMONARM (ASA): http://pastebin.com/raw.php?i=vYDhfe3r
PG-1921 (Cisco 1921): http://pastebin.com/raw.php?i=L6aYhmc9
The tunnel is crypto map PG_TUNNEL_MAP 11 in the SALMONARM config, and crypto map SDM_CMAP_1 5 in the PG-1921 config.
What could I be missing?
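The encaps/decaps counters in "show crypto ipsec sa" are the first thing to read when the ISAKMP SA is up but traffic does not flow, so here is an added example (not from the thread and not from the posted configs) that parses that output and maps the counter pattern onto where to look first. The sample output is constructed to match the ASA's format; the peer and local addresses are RFC 5737 placeholders, the second crypto map entry and its counters are invented for contrast, and only the inside networks and the PG_TUNNEL_MAP name come from the post.

```python
"""Triage helper for Cisco ASA 'show crypto ipsec sa' output (added example).

Parses the per-crypto-map-entry counters and maps the encaps/decaps pattern
onto the side of the tunnel to inspect first. The mapping is the usual
reading of those counters, not a replacement for captures or debugs.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_addr: str
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


# One header line per crypto map entry; everything up to the next header
# belongs to that entry.
_HEADER_RE = re.compile(
    r"Crypto map tag: (?P<tag>\S+), seq num: (?P<seq>\d+), local addr: (?P<local>\S+)"
)
_FIELD_RES: Dict[str, re.Pattern] = {
    "peer": re.compile(r"current_peer: (\S+)"),
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Return one IpsecSa per crypto map entry found in the show output."""
    headers = list(_HEADER_RE.finditer(text))
    result: List[IpsecSa] = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.end():end]
        fields: Dict[str, str] = {}
        for name, rx in _FIELD_RES.items():
            m = rx.search(body)
            if m is None:
                raise ValueError(f"{name} missing for {h['tag']} seq {h['seq']}")
            fields[name] = m.group(1)
        result.append(IpsecSa(
            crypto_map=h["tag"], seq=int(h["seq"]), local_addr=h["local"],
            peer=fields["peer"], local_ident=fields["local_ident"],
            remote_ident=fields["remote_ident"],
            encaps=int(fields["encaps"]), decaps=int(fields["decaps"]),
            send_errors=int(fields["send_errors"]), recv_errors=int(fields["recv_errors"]),
        ))
    return result


def triage(sa: IpsecSa) -> str:
    """Map the counter pattern onto the first place to look."""
    if sa.send_errors or sa.recv_errors:
        return "SA_ERRORS"            # packets reached the SA but failed inside it
    if sa.encaps == 0 and sa.decaps == 0:
        # Nothing was ever selected for encryption: NAT exemption, crypto ACL,
        # routing, or the test traffic never traverses this box (the thread's case).
        return "NOT_SELECTED_LOCALLY"
    if sa.decaps == 0:
        return "NO_RETURN_TRAFFIC"    # we encrypt, peer never answers: check its ACL/route/NAT/egress
    if sa.encaps == 0:
        return "NO_LOCAL_REPLY"       # peer traffic arrives, our replies are not encrypted
    return "PASSING"


# Constructed sample in the ASA output format; not output from the poster's devices.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: PG_TUNNEL_MAP, seq num: 11, local addr: 198.51.100.1

      access-list outside_cryptomap extended permit ip 10.45.0.0 255.255.0.0 10.70.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.45.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.70.4.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: PG_TUNNEL_MAP, seq num: 12, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.45.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.3

      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
      #send errors: 0, #recv errors: 0
"""

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(f"{sa.crypto_map} {sa.seq} -> {sa.peer}: encaps={sa.encaps} decaps={sa.decaps} {triage(sa)}")
```

Paste real "show crypto ipsec sa" output in place of the sample to run it against a live box. A NOT_SELECTED_LOCALLY result means the problem is before encryption, which is exactly what 0 encaps on SALMONARM indicates here: the pings are not being matched by the crypto map at all, so NAT exemption, the crypto ACL, and how the test traffic enters the ASA are the things to check before touching the peer.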
03-25-2014 08:12 PM
Hi Jon,
The configs look pretty good. I would separate out the ISAKMP profiles so each crypto map entry corresponds to a different ISAKMP profile. Also add the "self-identity address" command under the profile.
Another thing, which I can't tell from your config, is whether the primary ISP is terminating the VPN tunnel. You need to make sure the egress ISP for the 10.45.0.0/16 traffic from the 1921 is the same ISP that is terminating the VPN tunnel.
Everything else looks fine to me.
Regards,
Mike
03-26-2014 08:15 AM
Hi William,
Yes, the traffic to 10.45.0.0, from the 1921, should be going out the primary ISP interface, the same interface the tunnel should be established over.
Hmm. Sounds like the problem happens before that point however: why is there no encaps on the tunnel at the ASA side when pinging from that side?
03-26-2014 08:23 AM
Do you have a router behind the ASA that could have bad routes in it? Are you pinging from the ASA itself or from a device behind it? Can you add the "management-access inside" command and try to ping from the asa using the "ping inside x.x.x.x" command and see if you get encaps then?
Thanks,
Mike
03-26-2014 08:50 AM
No, there are no routers behind the ASA.
Yes, I am pinging from the ASA itself, in the fashion "ping inside 10.70.4.17".
Although, I hadn't run the command "management-access inside". So I ran it and tried to ping again.
And it seems that now I can ping across the tunnel!!
Thanks.