L2L VPN Tunnel on ASA 5510

Posted on 2009-12-17
Last Modified: 2012-06-27
I am trying to establish a business-to-business VPN tunnel from my company to another company.  While I can get the tunnel up, something seems to prevent traffic returning to my end.  The other company says that they do see hits on their end ACL for interesting traffic and that I should be able to telnet to certain ports on a specific IP.  When I try to telnet, I get a timeout and this is what the logs on the ASA show:

6      Dec 17 2009      04:38:57      302014      35031      2915      Teardown TCP connection 62666814 for to Inside: duration 0:00:30 bytes 0 SYN Timeout
6      Dec 17 2009      04:38:27      302013      35031      2915      Built outbound TCP connection 62666814 for ( to Inside: (

SYN Timeout      Force termination after 30 seconds awaiting three-way handshake completion.

I do not have access to see the config on the other end.  All my internal private addresses are NAT'd to a publicly routable address before being forwarded through the tunnel.  I have attached my relevant config.  Anyone have any ideas?


crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400 

access-list B2B_1_NAT extended permit ip
access-list B2B_1_NETWORKS extended permit ip

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 30 match address B2B_1_NETWORKS
crypto map Outside_map 30 set peer
crypto map Outside_map 30 set transform-set ESP-3DES-SHA
crypto map Outside_map 30 set security-association lifetime seconds 28800
crypto map Outside_map interface Outside

nat (inside) 2 access-list B2B_1_NAT
global (outside) 2

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 pre-shared-key *

route Outside 1
route Outside 1


Question by: TakedaT
    LVL 33

    Expert Comment

    First, force a clear of all the tunnels:
    clear crypto isakmp sa
    clear crypto ipsec sa

    Then retest  

    At a glance, I don't see anything in the config, but I can devote more time if the cleared tunnels don't help.
    LVL 10

    Author Comment

    Thanks for the response.  I actually have done that already a few times when testing the past few days.  Also, I can't test this now as it will interrupt services for about 500 employees.  Currently, the 2 route commands:

    route Outside 1
    route Outside 1

    actually point to a different internal router that has a frame-relay connection to the same company, rather than point to my public gateway like above.  The L2L is supposed to replace that.  I need to test between 1am and 4am.  When I do test, I remove the above route commands and add the ones above which makes those services unavailable while I am testing, unless of course the tunnel was to actually work.
    LVL 10

    Accepted Solution

    I was able to track down the problem.  It turns out that my predecessor decided to put an access list on our edge router denying return traffic to the ASA interface. Thanks for looking though.
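    The log pair quoted in the question (a 302013 "Built outbound" followed 30 seconds later by a 302014 "Teardown" with bytes 0 and SYN Timeout) is the signature of a one-way path such as the edge-router ACL found above: the SYN leaves the ASA, nothing comes back. As an added example that is not part of this thread, here is a small Python script that pairs the two messages by connection id and flags such flows; the sample log lines, addresses and ports in it are constructed to mirror the format quoted in the question.

```python
import re

# Constructed sample lines in the %ASA-6-302013/302014 format quoted in the question.
# Addresses are RFC 5737 documentation ranges; ids/ports are chosen to mirror the post.
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 62666814 for Outside:203.0.113.10/23 (203.0.113.10/23) to Inside:10.20.30.40/35031 (198.51.100.7/2915)
%ASA-6-302014: Teardown TCP connection 62666814 for Outside:203.0.113.10/23 to Inside:10.20.30.40/35031 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 62666815 for Outside:203.0.113.10/443 (203.0.113.10/443) to Inside:10.20.30.41/40001 (198.51.100.7/2916)
%ASA-6-302014: Teardown TCP connection 62666815 for Outside:203.0.113.10/443 to Inside:10.20.30.41/40001 duration 0:00:05 bytes 8421 TCP FINs
"""

BUILT_RE = re.compile(
    r"302013: Built (?P<dir>inbound|outbound) TCP connection (?P<cid>\d+) "
    r"for (?P<far>\S+) \([^)]*\) to (?P<near>\S+) \((?P<near_mapped>[^)]*)\)"
)
TEARDOWN_RE = re.compile(
    r"302014: Teardown TCP connection (?P<cid>\d+) for \S+ to \S+ "
    r"duration (?P<dur>\S+) bytes (?P<nbytes>\d+)(?: (?P<reason>.+))?$"
)


def find_syn_timeouts(log_text):
    """Pair 302013 'Built' with 302014 'Teardown' by connection id and return the
    connections that died with 'SYN Timeout' and zero bytes: the SYN left the ASA
    but no SYN/ACK ever came back, i.e. a one-way path (return-path filter,
    missing route at the peer, mismatched crypto ACL, ...)."""
    built = {}
    suspects = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["cid"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["reason"] == "SYN Timeout" and int(m["nbytes"]) == 0:
            b = built.get(m["cid"], {})
            suspects.append({
                "cid": m["cid"],
                "direction": b.get("dir", "?"),
                "target": b.get("far", "?"),                 # remote host/port being reached
                "source": b.get("near", "?"),                # internal host/port
                "source_mapped": b.get("near_mapped", "?"),  # NAT'd address the peer sees
                "duration": m["dur"],
            })
    return suspects


if __name__ == "__main__":
    for s in find_syn_timeouts(SAMPLE_LOGS):
        print(f"conn {s['cid']}: {s['source']} (seen by peer as {s['source_mapped']}) -> {s['target']}: no SYN/ACK in {s['duration']}")
```

If every flagged flow shows the same mapped source address, check that the peer's crypto ACL and the return path (here the edge router) permit that NAT'd address, not the internal one.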
