Cisco Site-to-Site VPN Tunnel MM_ACTIVE but no Traffic will pass

Posted on 2008-10-15
Medium Priority
Last Modified: 2012-05-05
Hello Everyone.

I am having big trouble getting a VPN Site-to-Site connection to work.
On the main site there is an ASA5510 and on the remote site is an ASA5505.

Both ASAs are connected by ADSL and the router is bridged so that the ASA does the PPPoE.
The ASAs are also both configured for Cisco VPN Client, which works fine on both sides.
The tunnel comes up from both sides, whether I initiate the tunnel from the main site or from the remote site. The state is MM_ACTIVE and everything seems fine.
According to Cisco Packet-Tracer, a normal tcp/80 request also gets passed without any "drops".

But still I can't ping or access anything from either site.
I have attached the configs from both sides, so hopefully somebody is able to help me out here.
Question by: The_Duque

Expert Comment

ID: 22719710
At first I thought it would be a NAT issue... but your NAT0 seems setup correctly.

I'm not sure about the access-lists on your inside interfaces, tho.
Would you try replacing:
access-list INSIDE_IN extended permit icmp MUSFELD_INSIDE any
access-list INSIDE_IN extended permit icmp any any
on the 5510

access-list INSIDE_IN extended permit icmp PANTHEON_INSIDE any
access-list INSIDE_IN extended permit icmp any any
on the 5505

After that bring up the tunnel again and see if you can now ping from one side to the other.

Author Comment

ID: 22719852
Hello Jay.

Did as you told me; on both sides the access-list statements have been changed.
clear crypto isakmp sa
and then tried to build up the tunnel again.

Same problem: neither tcp/80 on the web GUI of the switch at the /24 nor a ping from one side to the other works, nor an RDP session from a client to the server.

Accepted Solution

lrmoore earned 2000 total points
ID: 22722577
I suggest starting by removing the acl from the INSIDE interface completely on both sides.

no access-group INSIDE_IN in interface INSIDE

>crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
Dynamic map must always have a higher preference - 10 in this case, than the site-to-site 20.
Default for Dynamic map is 65535 and it would look like this:

crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer
crypto map IPSEC 20 set transform-set ESP-AES-256-SHA
crypto map IPSEC 65535 ipsec-isakmp dynamic IPSEC-VPN

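The ASA walks the entries of a crypto map in ascending sequence order, so a dynamic entry with a lower sequence number than the static site-to-site entry is consulted first, which is the misordering lrmoore points out above. The following check is an added example written for this thread, not code from the thread or from Cisco: it parses `crypto map` lines from a saved config and warns when a dynamic entry precedes a static one. The sample config is constructed from the lines in the accepted answer, with a placeholder peer address (192.0.2.1) supplied since the thread omits it.

```python
import re

# Constructed sample: the ordering flagged in the accepted answer
# (dynamic entry at sequence 10, site-to-site entry at sequence 20).
# 192.0.2.1 is a placeholder peer address, not from the thread.
BROKEN_CFG = """
crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route
crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer 192.0.2.1
crypto map IPSEC 20 set transform-set ESP-AES256-SHA
"""

# The corrected ordering: dynamic entry moved to the highest sequence number.
FIXED_CFG = BROKEN_CFG.replace(
    "crypto map IPSEC 10 ipsec-isakmp", "crypto map IPSEC 65535 ipsec-isakmp"
)

# A static (site-to-site) entry is identified by its match address / set peer lines.
_STATIC = re.compile(r"^crypto map (\S+) (\d+) (?:match address|set peer) ")
# A dynamic entry references a crypto dynamic-map by name.
_DYNAMIC = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)")


def check_crypto_map_order(config):
    """Return one warning per crypto map in which a dynamic entry is
    evaluated before (has a lower sequence number than) a static entry."""
    static_seqs = {}   # map name -> set of static sequence numbers
    dynamic_seqs = {}  # map name -> {sequence number: dynamic-map name}
    for line in config.splitlines():
        line = line.strip()
        m = _STATIC.match(line)
        if m:
            static_seqs.setdefault(m.group(1), set()).add(int(m.group(2)))
            continue
        m = _DYNAMIC.match(line)
        if m:
            dynamic_seqs.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
    warnings = []
    for map_name, dyn in dynamic_seqs.items():
        for seq, dyn_name in sorted(dyn.items()):
            later = sorted(s for s in static_seqs.get(map_name, ()) if s > seq)
            if later:
                warnings.append(
                    f"crypto map {map_name}: dynamic entry {seq} ({dyn_name}) is "
                    f"evaluated before static entries {later}; move it to the "
                    f"highest sequence number (e.g. 65535)"
                )
    return warnings
```

Run it against the output of `show running-config crypto map` from both ASAs; an empty list means every dynamic entry already sits after the site-to-site entries.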

Author Closing Comment

ID: 31506254
Thank you for your help, and sorry for not answering right away, since I went home early yesterday.
The solution worked fine, and thanks again for the help.
My knowledge on VPN ain't that great and it was really a bugging thing cos everything seemed fine.

So according to your solution, even when the customer for now does not have a site-to-site VPN tunnel implemented, always put the dynamic map as last priority.

Well thank you and see you around maybe
Kind regards

Expert Comment

ID: 23257968
lrmoore is a genius. I had the same issue, tunnel would come up fine, just no traffic would pass between sites, only VPN client. After reviewing, I had the Dynamic map at 1 and site to site at 2 on priority. Changed dyn map to 20 and bang, everything worked. Thanks lrmoore, great advice!
