VPN showing MM_ACTIVE on both sides (5505 connecting to 5510) but cannot ping or access any hosts

starnetryank (Level 1)

I have an ASA 5505 and a 5510 connected in an L2L VPN.

I am unable to ping hosts from either side.

I do have icmp allowed on both sides.

 

Here is my config on the 5505:

crypto map outside 10 match address XXX
crypto map outside 10 set peer xxx.xxx.xxx.xxx
crypto map outside 10 set transform-set ESP-3DES-SHA

tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 30 retry 2

 

And on the 5510:

crypto map outside 5 match address XXX
crypto map outside 5 set peer xxx.xxx.xxx.xxx
crypto map outside 5 set transform-set ESP-3DES-SHA

 

Here is my output of sh ipsec sa on the initiator side:

interface: outside
    Crypto map tag: outside, seq num: 5, local addr: xxx.xxx.xxx.xxx

      access-list Starnet extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
      local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
      current_peer: xxx.xxx.xxx.xxx

      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7706CD01
      current inbound spi : CE605279

    inbound esp sas:
      spi: 0xCE605279 (3462419065)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 98324480, crypto-map: outside
         sa timing: remaining key lifetime (kB/sec): (4374000/27939)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x7706CD01 (1996934401)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 98324480, crypto-map: outside
         sa timing: remaining key lifetime (kB/sec): (4373985/27939)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

1 Reply

The IPSec SAs on the initiator side show that you send traffic through the tunnel, but you don't get anything back. So you have to troubleshoot on the other side:

  1. Is icmp configured to be stateful or is echo-reply allowed on the inside ACL?
  2. Is your NAT-Exemption in place?
  3. Does the answer-packet get back to the ASA? The internal routing could be wrong also.
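As an added example (not from the poster or the reply above), here is a small Python script that parses the per-entry counters from a `show crypto ipsec sa` dump and applies the reasoning the reply uses: when `#pkts encaps` climbs while `#pkts decaps` stays at zero, this ASA is encrypting and sending but nothing encrypted is coming back, so the problem lies on the far side or on the return path, not in this ASA's crypto map. The sample output is constructed, modelled on the dump in the post with RFC 5737 documentation addresses; the function names and the hint table are my own.

```python
import re

# Constructed sample, modelled on the "sh ipsec sa" output in the post above
# (real addresses replaced with RFC 5737 documentation ranges).
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside, seq num: 5, local addr: 198.51.100.1

      access-list Starnet extended permit ip 192.0.2.0 255.255.255.0 203.0.113.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (203.0.113.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

ENTRY_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")
ERR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+)/([^/]+)/")

# Where to look next for each verdict, following the reply's checklist
# (hypothetical mapping, my own wording).
HINTS = {
    "bidirectional": "Tunnel carries traffic both ways; check host firewalls and inside ACLs.",
    "no-return-traffic": "Far side never encrypts a reply: check its NAT exemption, "
                         "ICMP inspection / echo-reply ACL, and internal routing back to the ASA.",
    "no-outbound-traffic": "Nothing is leaving this ASA: check the local NAT exemption and crypto ACL.",
    "errors": "Send/receive errors present: check MTU and the SA state on both peers.",
    "idle": "No traffic has hit this SA yet; generate interesting traffic and re-check.",
}


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per crypto-map entry."""
    entries = []
    current = None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            current = {"map": m.group(1), "seq": int(m.group(2)), "local_addr": m.group(3),
                       "counters": {}, "send_errors": 0, "recv_errors": 0}
            entries.append(current)
            continue
        if current is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            current["counters"][name] = int(value)
        m = ERR_RE.search(line)
        if m:
            current["send_errors"], current["recv_errors"] = int(m.group(1)), int(m.group(2))
        m = PEER_RE.search(line)
        if m:
            current["peer"] = m.group(1)
        m = IDENT_RE.search(line)
        if m:
            current[m.group(1) + "_ident"] = f"{m.group(2)}/{m.group(3)}"
    return entries


def diagnose(entry):
    """Classify one SA entry from its encaps/decaps counters, as the reply reasons."""
    enc = entry["counters"].get("encaps", 0)
    dec = entry["counters"].get("decaps", 0)
    if entry["send_errors"] or entry["recv_errors"]:
        return "errors"
    if enc and dec:
        return "bidirectional"
    if enc and not dec:
        return "no-return-traffic"
    if dec and not enc:
        return "no-outbound-traffic"
    return "idle"


def report(text):
    """Return one (map/seq, peer, verdict, hint) tuple per crypto-map entry."""
    return [(f"{e['map']}/{e['seq']}", e.get("peer", "?"), diagnose(e), HINTS[diagnose(e)])
            for e in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for name, peer, verdict, hint in report(SAMPLE_OUTPUT):
        print(f"{name} peer={peer}: {verdict}\n  {hint}")
```

Run it against a saved `show crypto ipsec sa` capture to get the same verdict the reply derives by eye; the interesting case for this thread is `no-return-traffic`, which points at the remote peer rather than at the local crypto map.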