539 Views, 0 Helpful, 1 Reply

VPN Tunnel Up but No Traffic

Hitchens
Level 1

This is a new setup.

Site A: Cisco C891F router uses 192.168.0.0/16

Site B: SonicWALL uses 10.10.0.0/16

Both the Cisco router and SonicWALL show the VPN tunnel is up. But neither side can ping each other's LAN. SonicWALL packet capture shows packets destined to 192.168.0.0/16 are forwarded through the tunnel.

Cisco router shows it's receiving/decrypting packets from SonicWALL but not sending/encrypting traffic into the tunnel.

Here's some basic config on the Cisco router (for security reasons I replaced WAN IP addresses with X.X.X.X):

int g8
 crypto map SJMAP

crypto map SJMAP 1 ipsec-isakmp
 set peer X.X.X.X
 set transform-set SJVPN
 match address 100
crypto map SJMAP

access-list 100 permit ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255

891F-Route#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x         x.x.x.x         QM_IDLE           2022 ACTIVE

IPv6 Crypto ISAKMP SA

891F-Router#sh crypto ips sa

interface: GigabitEthernet8
Crypto map tag: SJMAP, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 644, #pkts decrypt: 644, #pkts verify: 644
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
current outbound spi: 0x437024C0(1131422912)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x8C774935(2356627765)
transform: esp-3des esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: SJMAP
sa timing: remaining key lifetime (k/sec): (4268006/815)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x437024C0(1131422912)
transform: esp-3des esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 7, flow_id: Onboard VPN:7, sibling_flags 80000040, crypto map: SJMAP
sa timing: remaining key lifetime (k/sec): (4268065/815)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

1 Reply

Hi @Hitchens 

Do you have NAT configured on the router? If so, you would need to ensure traffic destined for the VPN (10.10.0.0/16) is not NATed.

Is the Cisco router the default route for the local network (192.168.0.0/16) or is there another gateway? Ensure that 192.168.0.0/16 routes traffic via the router.


HTH
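A worked configuration for the NAT-exemption point in the reply above, added here as an example and not taken from the thread or from either vendor. It keeps the thread's SJMAP crypto map, GigabitEthernet8 and access-list 100; the LAN interface name Vlan1, its address 192.168.1.1, the NAT ACL number 101 and the remote test host 10.10.1.10 are assumptions. On IOS, inside-to-outside NAT is applied before the crypto map inspects the packet, so a PAT rule that matches every LAN source rewrites the source to the WAN address, the packet no longer matches ACL 100, and it leaves the WAN interface unencrypted. The symptom is exactly the counter pattern in the original post: decaps climbing while encaps stays at zero.

```cisco
! --- Weak form (assumed): all LAN sources are translated, VPN-bound traffic included ---
! After PAT the source is the WAN address, so access-list 100 never matches and the
! packet is routed out in clear text instead of into the tunnel.
interface Vlan1
 ip address 192.168.1.1 255.255.0.0
 ip nat inside
!
interface GigabitEthernet8
 ip nat outside
 crypto map SJMAP
!
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
ip nat inside source list 101 interface GigabitEthernet8 overload

! --- Corrected form: exempt site-to-site traffic from NAT ahead of the permit ---
! ACLs are evaluated top-down, so the deny must precede the permit; VPN traffic then
! keeps its real 192.168.x.x source and matches the crypto ACL.
no access-list 101
access-list 101 deny   ip 192.168.0.0 0.0.255.255 10.10.0.0 0.0.255.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
! Flush existing translations so stale PAT entries do not keep catching the flow
clear ip nat translation *

! --- Verification (run on the router) ---
! 1. Confirm the route to the remote LAN leaves via the crypto-mapped interface.
show ip route 10.10.0.0 255.255.0.0
! 2. Source the ping from the LAN address so it is "interesting" traffic for ACL 100;
!    a ping sourced from the WAN address never matches the crypto ACL.
ping 10.10.1.10 source 192.168.1.1
! 3. Both counters should now move.
show crypto ipsec sa | include pkts encaps|pkts decaps
! 4. No translation entry should exist for a 10.10.0.0/16 destination.
show ip nat translations | include 10.10.
```

A translation entry for a 10.10.0.0/16 destination in the last command is the signature of the NAT problem. If none appears and encaps is still zero, the traffic is not reaching the router at all, which points to the routing question in the reply: the LAN hosts must use this router (or a gateway that forwards to it) for 10.10.0.0/16.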