Thread: My tunnel is active...or is it?

#1 - Agent6376, Senior Member (New Orleans, LA; MCSE, MCITP:EA, CCNA, CCNP)

    Hi all,

    I'm having some issues with my site to site VPN, but I'm not sure whether the issue is my config or not. This is very strange to me, but I'll post up the important part of the configs here. The two endpoints are an 881 and an ASA 5510.

    881:
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key ******* address *******
    crypto ipsec transform-set TRANSFORMSET esp-3des esp-sha-hmac
    crypto map CRYPTOMAP 10 ipsec-isakmp
    set peer *******
    set transform-set TRANSFORMSET
    set pfs group1
    match address 110
    reverse-route static
    crypto map CRYPTOMAP


    Extended IP access list 110
    10 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 (943 matches)


    show cry isa sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id status
    ******* ******** QM_IDLE 2041 ACTIVE


    A route injected from the Site to Site
    S 192.168.100.0/24 [1/0] via (FE4's Next hop router), FastEthernet4



    Now for the ASA:

    crypto map outside-20mb_map1 1 match address outside-20mb_cryptomap
    crypto map outside-20mb_map1 1 set pfs
    crypto map outside-20mb_map1 1 set peer *******
    crypto map outside-20mb_map1 1 set transform-set ESP-3DES-SHA
    crypto map outside-20mb_map1 1 set reverse-route
    crypto map outside-20mb_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside-20mb_map1 interface outside-20mb

    crypto isakmp policy 1
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400

    ASA Route to 192.168.1.0
    S 192.168.1.0 255.255.255.0 [1/0] via (outside-20mb interface's next hop router), outside-20mb

    As for a ping, here's what happens:

    881(config)#do ping 192.168.100.200 source vlan1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    UUUUU
    Success rate is 0 percent (0/5)
    881(config)#

    So I do a debug ip icmp and try again. What do I get?

    881#ping 192.168.100.200 source vlan1

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
    Packet sent with a source address of 192.168.1.1
    .UUUU
    Success rate is 0 percent (0/5)
    881#
    Oct 3 05:39:59.859: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
    Oct 3 05:39:59.903: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
    Oct 3 05:39:59.947: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
    Oct 3 05:39:59.991: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133

    Hmm...so I can obviously talk with my peer since I HAVE a tunnel up. But somewhere down the line, the network becomes unreachable. So I then do a traceroute...

    881#traceroute 192.168.100.200 source vlan1

    Type escape sequence to abort.
    Tracing the route to 192.168.100.200

    1 (Next Hop) 20 msec 16 msec 16 msec
    2 10.201.201.1 16 msec 12 msec 16 msec
    3 10.10.42.1 28 msec 28 msec 32 msec
    4 t3-3-2-0-10.edge6.Dallas1.Level3.net (4.59.115.133) !N !N !N

    As you can see, the ISP this client is using is routing us through a private network, then out to the public network at 4.59.115.133.

    I can ping from router to router with no issues. I'm stumped! Can someone guide me in the right direction? I can always call TAC, but I really wanted to see if anyone else has seen anything like this.

    TIA!

#2 - mikej412, Cisco Moderator (Chicago; CCNP CCIP CCSP CCVP CCDP CCDA CCNA CS-CIPSS CS-CIPTDS CS-CIPTOS CS-CIPCSS CS-CFWS CS-CVPNS CS-CISecS ISSP 4013 4011)
Quoting Agent6376:
    crypto map outside-20mb_map1 1 match address outside-20mb_cryptomap
    What's outside-20mb_cryptomap?

#3 - Agent6376, Senior Member (New Orleans, LA; MCSE, MCITP:EA, CCNA, CCNP)
    access-list outside-20mb_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0

#4 - Agent6376, Senior Member (New Orleans, LA; MCSE, MCITP:EA, CCNA, CCNP)
    Some searching + a great community =

Make sure you exempt all of your interesting traffic from being NAT'd. I've run into that problem a couple of times.
    Thanks to Burbankmarc and Mike.
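As an added illustration that is not part of the thread: a small Python model of the IOS inside-to-outside order of operations, in which NAT inside-to-outside translation runs before the crypto map is consulted, so a permissive NAT rule rewrites the source address and ACL 110 never matches. ACL 110 is the one posted above; the NAT ACLs and the outside address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed model of the IOS inside-to-outside order of operations:
# NAT (inside-to-outside) is applied before the crypto map check, so a
# permissive NAT ACL rewrites the source before crypto ACL 110 is evaluated.

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: mask bits set to 1 are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_lookup(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False

# Crypto ACL 110 from the 881 in the thread.
CRYPTO_ACL_110 = [("permit", "192.168.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255")]

# Hypothetical NAT ACL (not in the thread): overload everything from the LAN.
NAT_ACL_BROKEN = [("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255")]

# Corrected NAT ACL: deny the VPN-interesting traffic first so it is never translated.
NAT_ACL_FIXED = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]

OUTSIDE_IP = "203.0.113.10"  # constructed public address on FE4

def forward(src, dst, nat_acl):
    """Return ('encrypted', src) or ('cleartext', src) for the egress packet."""
    if acl_lookup(nat_acl, src, dst):
        src = OUTSIDE_IP          # NAT overload rewrites the source first
    if acl_lookup(CRYPTO_ACL_110, src, dst):
        return "encrypted", src   # matches the crypto map, enters the IPsec SA
    return "cleartext", src       # leaves FE4 unencrypted toward the ISP

if __name__ == "__main__":
    for name, acl in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        print(name, forward("192.168.1.1", "192.168.100.200", acl))
```

With the broken NAT ACL the ping to 192.168.100.200 leaves in cleartext with a public source and a private destination, which is exactly the packet the ISP answers with "net unreachable"; with the exemption in place the same packet matches ACL 110 and is encrypted.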