Cisco Site-to-Site VPN Tunnel MM_ACTIVE but no Traffic will pass

Hello Everyone.

I am having big trouble getting a VPN Site-to-Site connection to work.
On the main site there is an ASA5510 and on the remote site is an ASA5505.

Both ASAs are connected by ADSL and the router is bridged so that the ASA does the PPPoE.
The ASAs are also both configured for Cisco VPN Client, which works fine on both sides.
The tunnel comes up from both sides, whether I initiate the tunnel from the main site or from the remote site. The state is MM_ACTIVE and everything seems fine.
According to Cisco Packet Tracer, a normal tcp/80 request also gets passed without any "drops".

But still I can't ping or access anything from either site.
I have attached the Configs from both sides, so hopefully somebody is able to help me out here.

At first I thought it would be a NAT issue... but your NAT0 seems setup correctly.

I'm not sure about the access-lists on your inside interfaces, though.
Would you try replacing:
access-list INSIDE_IN extended permit icmp MUSFELD_INSIDE any
access-list INSIDE_IN extended permit icmp any any
on the 5510

access-list INSIDE_IN extended permit icmp PANTHEON_INSIDE any
access-list INSIDE_IN extended permit icmp any any
on the 5505

After that bring up the tunnel again and see if you can now ping from one side to the other.
The_Duque (Author) commented:
Hello Jay.

Did as you told me, on both sides the access-list statements have been changed.
clear crypto isakmp sa
and then tried to build up the tunnel again.

Same problem: neither tcp/80 to the web GUI of the switch at the /24 nor a ping from one side to the other works, nor an RDP session from a client to the server.
I suggest starting by removing the ACL from the INSIDE interface completely on both sides.

no access-group INSIDE_IN in interface INSIDE

>crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
Dynamic map must always have a higher preference (10 in this case) than the site-to-site 20.
Default for Dynamic map is 65535 and it would look like this:

crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer
crypto map IPSEC 20 set transform-set ESP-AES-256-SHA
crypto map IPSEC 65535 ipsec-isakmp dynamic IPSEC-VPN
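
As an added example (not from the thread or from Cisco), a small Python check that parses ASA "crypto map" lines and flags a dynamic entry whose sequence number is lower than a static site-to-site entry in the same map, which is the ordering the answer above identifies as the cause. The sample configs are constructed from the snippets in this thread; the peer address and interface name in them are assumptions.

```python
import re

# Constructed sample: the asker's ordering (dynamic entry at sequence 10,
# site-to-site at 20). Peer address and interface name are assumed values.
BROKEN_CONFIG = """
crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route
crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer 203.0.113.1
crypto map IPSEC 20 set transform-set ESP-AES256-SHA
crypto map IPSEC interface OUTSIDE
"""

# Constructed sample: the corrected ordering, dynamic entry moved to 65535.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN",
    "crypto map IPSEC 65535 ipsec-isakmp dynamic IPSEC-VPN",
)

# Matches 'crypto map NAME SEQ rest'; 'crypto map NAME interface X' does not
# match because its third token is not numeric.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def crypto_map_entries(config):
    """Return {map_name: {seq: is_dynamic}} for every crypto map entry."""
    maps = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entries = maps.setdefault(name, {})
        # A sequence is dynamic if any of its lines is 'ipsec-isakmp dynamic'.
        entries[seq] = entries.get(seq, False) or rest.startswith("ipsec-isakmp dynamic")
    return maps


def misordered_dynamic_entries(config):
    """Return sorted (map_name, dynamic_seq, static_seq) triples where a dynamic
    entry is sequenced ahead of a static entry in the same crypto map.

    The ASA evaluates the lowest sequence number first, so a dynamic entry placed
    ahead of the static site-to-site entry is the condition this thread describes."""
    problems = []
    for name, entries in crypto_map_entries(config).items():
        dynamic = [s for s, d in entries.items() if d]
        static = [s for s, d in entries.items() if not d]
        problems += [(name, ds, ss) for ds in dynamic for ss in static if ds < ss]
    return sorted(problems)
```

Running misordered_dynamic_entries over a saved "show running-config crypto map" output lists each dynamic entry that needs a higher sequence number; an empty list means the dynamic entry is already last.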


The_Duque (Author) commented:
Thank you for your help.
And sorry for not answering right away, since I went home early yesterday.
The solution worked fine, and thanks again for the help.
My knowledge on VPN ain't that great and it was really a bugging thing 'cos everything seemed fine.

So, according to your solution, even when the customer for now does not have a VPN tunnel implemented, always put the dynamic map as last priority.

Well, thank you and see you around maybe.
Kind regards
lrmoore is a genius. I had the same issue: the tunnel would come up fine, just no traffic would pass between sites, only VPN client. After reviewing, I had the dynamic map at priority 1 and site-to-site at 2. Changed the dynamic map to 20 and bang, everything worked. Thanks lrmoore, great advice!