Cisco Site-to-Site VPN Tunnel MM_ACTIVE but no Traffic will pass

Posted on 2008-10-15
Last Modified: 2012-05-05
Hello Everyone.

I am having big trouble, getting a VPN Site-to-Site connection to work.
On the main site there is a ASA5510 and on the remote site is a ASA5505.

Bot ASAs are cennected by ADSL and the router is Bridged so that the ASA does the PPPoE.
The ASAs are also both configured for Cisco VPN Client. which works fine on both sides.
The Tunnel comes up from both sides. wether I initiate the Tunnel from the main site or from the remote site. the State is MM_ACTIVE and everything seems fine.
According to Cisco Packet-Tracer also a normal tcp/80 request gets passed without any "drops".

But still I cann't Ping or Access anything from any site out.
I have attached the Configs from both sides, so hopefully somebody is able to help me out here.
Question by:The_Duque

Expert Comment

ID: 22719710
At first I thought it would be a NAT issue... but your NAT0 seems setup correctly.

I'm not sure about the access-lists on your inside interfaces, tho.
Would you try reply replacing:
access-list INSIDE_IN extended permit icmp MUSFELD_INSIDE any
access-list INSIDE_IN extended permit icmp any any
on the 5510

access-list INSIDE_IN extended permit icmp PANTHEON_INSIDE any
access-list INSIDE_IN extended permit icmp any any
on the 5505

After that bring up the tunnel again and see if you can now ping from one side to the other.

Author Comment

ID: 22719852
Hello Jay.

Did as you told me, on both sides the access-list statements have been changed.
clear crypto isakmp sa
and then tried to build up the tunnel again.

Same Problem, wether tcp/80 on the WEB GUI of the Switch at the /24 nor a ping from one side to the other works. or an RDP session from a client to the server.
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 22722577
I suggest start by removing the acl from the INSIDE interface completely on both sides.

no access-group INSIDE_IN in interface INSIDE

>crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
Dynamic map must always have a higher preference - 10 in this case, than the site-to-site 20.
Default for Dynamic map is 65535 and it would look like this:

crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer
crypto map IPSEC 20 set transform-set ESP-AES-256-SHA
crypto map IPSEC 65535 ipsec-isakmp dynamic IPSEC-VPN


Author Closing Comment

ID: 31506254
Thank you for your help.
and sorry for not answering right away, since I went home early yesterday.
The solution worked fine. and Thanks again for the help.
My knowledge on VPN ain't that great and it was really a bugging thing cos everything seemed fine.

So according to your solution. even when the customer for now does not have a VPN tunnel implemented, always put the Dynamic map as last priority.

Well thank you and see you around maybe
Kind regards

Expert Comment

ID: 23257968
lrmoore is a genius. I had the same issue, tunnel would come up fine, just no traffic would pass between sites, only VPN client. After reviewing, I had the Dynamic map at 1 and site to site at 2 on priority. Changed dyn map to 20 and bang, everything worked. Thanks lrmoore, great advice!

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Lync - CUCM Integration Question 2 28
Cannot Delete Sonicwall VPN policy 5 41
DMVPN Spoke Connectivity Issue 1 25
VPN tunnel between Watchguard and OpenVPN? 1 36
From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (, I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question