Cisco Site-to-Site VPN Tunnel MM_ACTIVE but no Traffic will pass

Posted on 2008-10-15
Last Modified: 2012-05-05
Hello Everyone.

I am having big trouble getting a VPN site-to-site connection to work.
On the main site there is an ASA5510 and on the remote site an ASA5505.

Both ASAs are connected by ADSL and the router is bridged so that the ASA does the PPPoE.
The ASAs are also both configured for the Cisco VPN Client, which works fine on both sides.
The tunnel comes up from both sides, whether I initiate the tunnel from the main site or from the remote site. The state is MM_ACTIVE and everything seems fine.
According to Cisco Packet Tracer, a normal tcp/80 request also gets passed without any "drops".

But still I can't ping or access anything from either site.
I have attached the configs from both sides, so hopefully somebody is able to help me out here.
ASA5505.txt
ASA5510.txt
Question by:The_Duque

Expert Comment

by:Jay_Gridley
At first I thought it would be a NAT issue... but your NAT0 seems setup correctly.

I'm not sure about the access-lists on your inside interfaces, tho.
Would you try replacing:
access-list INSIDE_IN extended permit icmp MUSFELD_INSIDE 255.255.255.0 any
with
access-list INSIDE_IN extended permit icmp any any
on the 5510

and
access-list INSIDE_IN extended permit icmp PANTHEON_INSIDE 255.255.255.0 any
with
access-list INSIDE_IN extended permit icmp any any
on the 5505

After that bring up the tunnel again and see if you can now ping from one side to the other.

Author Comment

by:The_Duque
Hello Jay.

Did as you told me, on both sides the access-list statements have been changed.
clear crypto isakmp sa
and then tried to build up the tunnel again.

Same problem: neither tcp/80 to the web GUI of the switch on 192.168.100.0/24, nor a ping from one side to the other, nor an RDP session from a client to the server works.

Accepted Solution

by: lrmoore (earned 500 total points)
I suggest start by removing the acl from the INSIDE interface completely on both sides.

no access-group INSIDE_IN in interface INSIDE


>crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
Dynamic map must always have a higher preference (10 in this case) than the site-to-site (20).
Default for Dynamic map is 65535 and it would look like this:

crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer 1.1.1.1
crypto map IPSEC 20 set transform-set ESP-AES-256-SHA
crypto map IPSEC 65535 ipsec-isakmp dynamic IPSEC-VPN


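The ordering rule lrmoore applies (every dynamic crypto map entry must carry a higher sequence number than every static site-to-site entry in the same crypto map) is easy to check mechanically before the tunnel is brought up. The following Python script is an added example, not code from the thread or from Cisco: it parses `crypto map` lines from an ASA running-config and reports static entries that sort after a dynamic entry. The config text, the map name IPSEC and the peer address 192.0.2.1 are constructed sample values that mirror the layout discussed above, not the attached configs.

```python
import re
from collections import defaultdict

# Constructed sample config (not the attached ASA configs): the dynamic
# entry has sequence 10 and the static site-to-site entry sequence 20,
# the ordering lrmoore identified as the cause of "tunnel up, no traffic".
BROKEN_CONFIG = """
crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route
crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer 192.0.2.1
crypto map IPSEC 20 set transform-set ESP-AES256-SHA
crypto map IPSEC interface outside
"""

# Same config with the dynamic entry moved to the ASA default sequence 65535.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "crypto map IPSEC 10 ipsec-isakmp", "crypto map IPSEC 65535 ipsec-isakmp"
)

# Matches 'crypto map <name> <seq> <rest>'; lines such as
# 'crypto map IPSEC interface outside' have no numeric sequence and are skipped.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")


def parse_crypto_maps(config):
    """Return {map_name: {"static": {seq, ...}, "dynamic": {seq, ...}}}."""
    maps = defaultdict(lambda: {"static": set(), "dynamic": set()})
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        kind = "dynamic" if rest.startswith("ipsec-isakmp dynamic") else "static"
        maps[name][kind].add(seq)
    return maps


def find_shadowed_static_entries(config):
    """List (map_name, static_seq, lowest_dynamic_seq) for every static
    entry whose sequence number is higher than a dynamic entry's, i.e.
    the dynamic entry would be considered before the site-to-site one."""
    findings = []
    for name, entries in sorted(parse_crypto_maps(config).items()):
        if not entries["dynamic"]:
            continue
        lowest_dynamic = min(entries["dynamic"])
        for seq in sorted(entries["static"]):
            if seq > lowest_dynamic:
                findings.append((name, seq, lowest_dynamic))
    return findings
```

Run it against `show running-config crypto map` output; an empty result means every dynamic entry already sits behind the static ones.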

Author Closing Comment

by:The_Duque
Thank you for your help.
and sorry for not answering right away, since I went home early yesterday.
The solution worked fine. and Thanks again for the help.
My knowledge on VPN ain't that great and it was really a bugging thing cos everything seemed fine.

So according to your solution, even when the customer for now does not have a site-to-site VPN tunnel implemented, always put the dynamic map as the last priority.

Well thank you and see you around maybe
Kind regards
Alexs

Expert Comment

by:tdiops
lrmoore is a genius. I had the same issue: the tunnel would come up fine, just no traffic would pass between sites, only the VPN client worked. After reviewing, I had the dynamic map at priority 1 and site-to-site at 2. Changed the dynamic map to 20 and bang, everything worked. Thanks lrmoore, great advice!