11-05-2014 10:30 AM
I have an ASA 5505 and a 5510 connected in an L2L VPN.
I am unable to ping hosts from either side.
I do have ICMP allowed on both sides.
Here is my config on the 5505:
crypto map outside 10 match address XXX
crypto map outside 10 set peer xxx.xxx.xxx.xxx
crypto map outside 10 set transform-set ESP-3DES-SHA
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 30 retry 2
And on the 5510:
crypto map outside 5 match address XXX
crypto map outside 5 set peer xxx.xxx.xxx.xxx
crypto map outside 5 set transform-set ESP-3DES-SHA
Here is my output of sh ipsec sa on the initiator side:
interface: outside
Crypto map tag: outside, seq num: 5, local addr: xxx.xxx.xxx.xxx
access-list Starnet extended permit ip xxx.xxx.xxx.xxx 255.255.255.0 xxx.xxx.xxx.xxx 255.255.255.0
local ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (xxx.xxx.xxx.xxx/255.255.255.0/0/0)
current_peer: xxx.xxx.xxx.xxx
#pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: xxx.xxx.xxx.xxx
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7706CD01
current inbound spi : CE605279
inbound esp sas:
spi: 0xCE605279 (3462419065)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 98324480, crypto-map: outside
sa timing: remaining key lifetime (kB/sec): (4374000/27939)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7706CD01 (1996934401)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 98324480, crypto-map: outside
sa timing: remaining key lifetime (kB/sec): (4373985/27939)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-05-2014 12:24 PM
The IPSec SAs on the initiator side show that you send traffic through the tunnel, but you don't get anything back. So you have to troubleshoot on the other side:
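As an added diagnostic example (not code from this thread), the following Python script parses the counters from `sh ipsec sa` output and applies the reasoning above: encaps climbing while decaps stays at zero means packets leave this ASA but the return path is broken, so the next step is on the peer. The sample output and its addresses are constructed.

```python
import re

# Constructed sample, patterned on the 'sh ipsec sa' output in the question
# (addresses replaced with RFC 5737 documentation ranges).
SAMPLE_SA = """\
interface: outside
    Crypto map tag: outside, seq num: 5, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
      current_peer: 203.0.113.20
      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Counters used for the diagnosis; the other '#pkts ...' fields are ignored.
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")

def parse_sa(text):
    """Split 'show crypto ipsec sa' text into one dict per crypto-map entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if "Crypto map tag:" in line:
            cur = {}
            entries.append(cur)
        elif cur is not None:
            m = re.search(r"current_peer: (\S+)", line)
            if m:
                cur["peer"] = m.group(1)
            for name, val in COUNTER_RE.findall(line):
                cur[name] = int(val)
    return entries

def diagnose(sa):
    """Classify one SA's traffic pattern into the next troubleshooting step."""
    enc, dec = sa.get("pkts encaps", 0), sa.get("pkts decaps", 0)
    if sa.get("recv errors", 0):
        return "recv-errors"     # packets arrive but fail decrypt/verify: check transform sets
    if enc == 0 and dec == 0:
        return "no-traffic"      # nothing matched the crypto ACL: check interesting-traffic ACL / NAT
    if enc and dec == 0:
        return "one-way-remote"  # sent, nothing back: check the peer's mirrored ACL, NAT exemption, routing
    if dec and enc == 0:
        return "one-way-local"   # received, nothing sent: check local NAT exemption / route to peer subnet
    return "bidirectional"       # tunnel carries both directions: look at interface ACLs or host firewalls

if __name__ == "__main__":
    for sa in parse_sa(SAMPLE_SA):
        print(sa["peer"], diagnose(sa))
```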