Cisco Site-to-Site VPN Tunnel MM_ACTIVE but no Traffic will pass

Posted on 2008-10-15
Medium Priority
Last Modified: 2012-05-05
Hello Everyone.

I am having big trouble getting a VPN site-to-site connection to work.
On the main site there is an ASA5510 and on the remote site is an ASA5505.

Both ASAs are connected by ADSL and the router is bridged so that the ASA does the PPPoE.
The ASAs are also both configured for the Cisco VPN Client, which works fine on both sides.
The tunnel comes up from both sides, whether I initiate the tunnel from the main site or from the remote site; the state is MM_ACTIVE and everything seems fine.
According to Cisco Packet Tracer, a normal tcp/80 request also gets passed without any "drops".

But still I can't ping or access anything from either site.
I have attached the configs from both sides, so hopefully somebody is able to help me out here.
Question by: The_Duque
Expert Comment

ID: 22719710
At first I thought it would be a NAT issue... but your NAT0 seems setup correctly.

I'm not sure about the access-lists on your inside interfaces, though.
Would you try replacing:
access-list INSIDE_IN extended permit icmp MUSFELD_INSIDE any
with
access-list INSIDE_IN extended permit icmp any any
on the 5510, and

access-list INSIDE_IN extended permit icmp PANTHEON_INSIDE any
with
access-list INSIDE_IN extended permit icmp any any
on the 5505?

After that bring up the tunnel again and see if you can now ping from one side to the other.

Author Comment

ID: 22719852
Hello Jay.

Did as you told me: on both sides the access-list statements have been changed, then
clear crypto isakmp sa
and then I tried to build up the tunnel again.

Same problem: neither tcp/80 on the web GUI of the switch at the /24 nor a ping from one side to the other works, nor an RDP session from a client to the server.

Accepted Solution

lrmoore earned 2000 total points
ID: 22722577
I suggest starting by removing the ACL from the INSIDE interface completely on both sides.

no access-group INSIDE_IN in interface INSIDE

>crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
Dynamic map must always have a higher preference - 10 in this case, than the site-to-site 20.
The default for the dynamic map is 65535, and it would look like this:

crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer
crypto map IPSEC 20 set transform-set ESP-AES-256-SHA
crypto map IPSEC 65535 ipsec-isakmp dynamic IPSEC-VPN

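An added example, not from the thread or from Cisco: a small Python check that parses ASA "crypto map" lines and flags a dynamic entry whose sequence number sorts ahead of the static site-to-site entries, which is the ordering lrmoore identifies as the cause. The sample config and the peer address 203.0.113.10 are constructed; the ASA itself evaluates crypto map entries from the lowest sequence number upward, so a dynamic entry ahead of the static ones is evaluated first.

```python
import re
from collections import defaultdict

# Constructed sample config reproducing the original ordering: the dynamic
# map sits at sequence 10, ahead of the site-to-site entry at 20.
# The peer address is a documentation address, not from the thread.
BROKEN_CONFIG = """\
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map IPSEC-VPN 10 set transform-set ESP-AES256-SHA
crypto dynamic-map IPSEC-VPN 10 set reverse-route
crypto map IPSEC 10 ipsec-isakmp dynamic IPSEC-VPN
crypto map IPSEC 20 match address MUS2PAN
crypto map IPSEC 20 set peer 203.0.113.10
crypto map IPSEC 20 set transform-set ESP-AES256-SHA
crypto map IPSEC interface OUTSIDE
"""

# Matches "crypto map <name> <seq> <subcommand>"; the "interface" line has
# no numeric sequence and is deliberately not matched.
CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_maps(config):
    """Return {map_name: {seq: [subcommands, ...]}} for crypto map entries."""
    maps = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = CRYPTO_MAP_RE.match(line.strip())
        if m:
            name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
            maps[name][seq].append(rest)
    return maps


def check_dynamic_ordering(config):
    """Flag dynamic entries that precede any static (peer-specific) entry.

    Entries are evaluated lowest sequence first, so a dynamic entry placed
    ahead of the static entries is tried before them. Returns finding strings.
    """
    findings = []
    for name, entries in parse_crypto_maps(config).items():
        dynamic = {s for s, cmds in entries.items()
                   if any(c.startswith("ipsec-isakmp dynamic") for c in cmds)}
        static = set(entries) - dynamic
        for seq in sorted(dynamic):
            shadowed = sorted(s for s in static if s > seq)
            if shadowed:
                findings.append(
                    f"crypto map {name} {seq}: dynamic entry precedes static "
                    f"entries {shadowed}; move it to a higher sequence (e.g. 65535)")
    return findings
```

Running it on a config where the dynamic entry has been moved to 65535 returns no findings.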

Author Closing Comment

ID: 31506254
Thank you for your help, and sorry for not answering right away, since I went home early yesterday.
The solution worked fine, and thanks again for the help.
My knowledge on VPN ain't that great, and it was really a bugging thing because everything seemed fine.

So according to your solution, even when the customer for now does not have a site-to-site VPN tunnel implemented, always put the dynamic map at the last priority.

Well thank you and see you around maybe
Kind regards

Expert Comment

ID: 23257968
lrmoore is a genius. I had the same issue: the tunnel would come up fine, just no traffic would pass between sites, only VPN client. After reviewing, I had the dynamic map at priority 1 and site-to-site at 2. Changed the dynamic map to 20 and bang, everything worked. Thanks lrmoore, great advice!
