
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 974

L2L VPN Tunnel on ASA 5510

I am trying to establish a business-to-business VPN tunnel from my company to another company.  While I can get the tunnel up, something seems to prevent traffic returning to my end.  The other company says that they do see hits on their end ACL for interesting traffic and that I should be able to telnet to certain ports on a specific IP.  When I try to telnet, I get a timeout, and this is what the logs on the ASA show:

6      Dec 17 2009      04:38:57      302014      xxx.xxx.141.254      35031      2915      Teardown TCP connection 62666814 for Outside:xxx.xxx.141.254/35031 to Inside: duration 0:00:30 bytes 0 SYN Timeout
6      Dec 17 2009      04:38:27      302013      xxx.xxx.141.254      35031      2915      Built outbound TCP connection 62666814 for Outside:xxx.xxx.141.254/35031 (xxx.xxx.141.254/35031) to Inside: (xxx.xxx.27.122/33472)

SYN Timeout      Force termination after 30 seconds awaiting three-way handshake completion.

I do not have access to see the config on the other end.  All my internal private addresses are NAT'd to a publicly routable address before being forwarded through the tunnel.  I have attached my relevant config.  Anyone have any ideas?


crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400 

access-list B2B_1_NAT extended permit ip xxx.xxx.141.0
access-list B2B_1_NETWORKS extended permit ip xxx.xxx.27.122 xxx.xxx.141.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map Outside_map 30 match address B2B_1_NETWORKS
crypto map Outside_map 30 set peer xxx.xxx.130.208
crypto map Outside_map 30 set transform-set ESP-3DES-SHA
crypto map Outside_map 30 set security-association lifetime seconds 28800
crypto map Outside_map interface Outside

nat (inside) 2 access-list B2B_1_NAT
global (outside) 2 xxx.xxx.27.122

tunnel-group xxx.xxx.130.208 type ipsec-l2l
tunnel-group xxx.xxx.130.208 ipsec-attributes
 pre-shared-key *

route Outside xxx.xxx.130.0 xxx.xxx.27.126 1
route Outside xxx.xxx.141.0 xxx.xxx.27.126 1


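The pair of messages quoted in the question (302013 Built, then 302014 Teardown with "bytes 0" and "SYN Timeout" after 30 seconds) is what a one-way path looks like from the ASA's side: the inside host's SYN was translated and forwarded, and no SYN-ACK ever came back through the firewall, so the half-open connection was reaped. What follows is an added example, not part of the original post or of any Cisco tooling, that parses those two message types from ASA syslog and groups the SYN-Timeout failures per responder, so that "every port on the peer fails" (a return-path or crypto-ACL problem) stands out from "one port is closed". The sample log lines, addresses (RFC 5737 documentation ranges) and connection IDs are constructed; the initiator/responder ordering follows the layout of the line quoted above, where the Outside side is listed first and, for an outbound connection, the initiating inside host appears second with its PAT address in parentheses.

```python
"""Flag ASA TCP connections torn down by SYN Timeout with no payload.

Added example, not from the original post.  The log lines below are constructed
(RFC 5737 addresses, made-up connection IDs); the message layout follows the
ASA 302013 / 302014 format shown in the question.
"""
import re
from collections import defaultdict

# Constructed sample: two outbound telnet attempts that never get a SYN-ACK,
# one outbound HTTPS session that completes, one inbound SMTP session.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 62666814 for Outside:192.0.2.254/23 (192.0.2.254/23) to Inside:10.10.5.17/33472 (198.51.100.122/33472)
%ASA-6-302014: Teardown TCP connection 62666814 for Outside:192.0.2.254/23 to Inside:10.10.5.17/33472 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 62666815 for Outside:192.0.2.254/35031 (192.0.2.254/35031) to Inside:10.10.5.17/33473 (198.51.100.122/33473)
%ASA-6-302014: Teardown TCP connection 62666815 for Outside:192.0.2.254/35031 to Inside:10.10.5.17/33473 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 62666816 for Outside:203.0.113.9/443 (203.0.113.9/443) to Inside:10.10.5.17/33474 (198.51.100.122/33474)
%ASA-6-302014: Teardown TCP connection 62666816 for Outside:203.0.113.9/443 to Inside:10.10.5.17/33474 duration 0:02:05 bytes 18342 TCP FINs
%ASA-6-302013: Built inbound TCP connection 62666817 for Outside:192.0.2.254/41000 (192.0.2.254/41000) to Inside:10.10.5.40/25 (198.51.100.130/25)
%ASA-6-302014: Teardown TCP connection 62666817 for Outside:192.0.2.254/41000 to Inside:10.10.5.40/25 duration 0:00:12 bytes 512 TCP FINs
"""

# Real address/port may be blank when the operator redacts it (as in the post),
# so the real part is optional; the mapped part in parentheses is required.
_SIDE = r"(?P<{p}_if>\w+):(?P<{p}_real>[\d.]*)/?(?P<{p}_real_port>\d*) \((?P<{p}_mapped>[\d.]+)/(?P<{p}_mapped_port>\d+)\)"
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    + _SIDE.format(p="for") + " to " + _SIDE.format(p="to")
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<for_if>\w+):(?P<for_addr>[\d.]*)/?(?P<for_port>\d*) to "
    r"(?P<to_if>\w+):(?P<to_addr>[\d.]*)/?(?P<to_port>\d*) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


def parse_asa_tcp_log(text):
    """Return {conn_id: record}, merging the Built and Teardown message for each ID.

    Each side is kept as (interface, mapped address, mapped port), because the
    mapped address is what the far end sees and matches against its crypto ACL.
    """
    conns = defaultdict(dict)
    for line in text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            d = m.groupdict()
            for_side = (d["for_if"], d["for_mapped"], int(d["for_mapped_port"]))
            to_side = (d["to_if"], d["to_mapped"], int(d["to_mapped_port"]))
            # Assumption (from the ordering in the post's own log line): the
            # Outside side is printed first, so on an outbound connection the
            # initiator is the "to" side; on an inbound one it is the "for" side.
            if d["direction"] == "outbound":
                initiator, responder = to_side, for_side
            else:
                initiator, responder = for_side, to_side
            conns[d["conn_id"]].update(direction=d["direction"],
                                       initiator=initiator, responder=responder)
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            d = m.groupdict()
            conns[d["conn_id"]].update(duration=d["duration"], bytes=int(d["bytes"]),
                                       reason=(d["reason"] or "").strip())
    return dict(conns)


def find_half_open(conns, max_bytes=0):
    """Connections reaped by SYN Timeout that carried no payload: the SYN was
    forwarded, nothing came back.  Returns [(conn_id, record)] sorted by ID."""
    return sorted(
        ((cid, rec) for cid, rec in conns.items()
         if rec.get("reason") == "SYN Timeout" and rec.get("bytes", 0) <= max_bytes),
        key=lambda item: int(item[0]),
    )


def responders_never_answering(conns):
    """Map responder address -> sorted ports that never answered.  Several
    unrelated ports on one peer point at the path, not at the service."""
    ports = defaultdict(set)
    for _, rec in find_half_open(conns):
        _, addr, port = rec["responder"]
        ports[addr].add(port)
    return {addr: sorted(p) for addr, p in ports.items()}


if __name__ == "__main__":
    parsed = parse_asa_tcp_log(SAMPLE_LOG)
    for cid, rec in find_half_open(parsed):
        print(f"{cid}: {rec['initiator']} -> {rec['responder']} no SYN-ACK in {rec['duration']}")
    print("never answered:", responders_never_answering(parsed))
```

On the live box the same two message IDs can be pulled with `show logging | include 30201[34]`; if every port on the peer shows up in the "never answered" map while the far side reports crypto-ACL hits, the SYN is arriving there and the return traffic is being dropped somewhere on the way back (in this thread, an ACL on the edge router in front of the ASA).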
1 Solution
First, force a clear of all the tunnels:
clear crypto isakmp sa
clear crypto ipsec sa

Then retest  

At a glance, I don't see anything in the config, but I can devote more time if the cleared tunnels don't help.
TakedaT (Author) commented:
Thanks for the response.  I actually have done that already a few times when testing the past few days.  Also, I can't test this now as it will interrupt services for about 500 employees.  Currently, the 2 route commands:

route Outside xxx.xxx.130.0 xxx.xxx.27.126 1
route Outside xxx.xxx.141.0 xxx.xxx.27.126 1

actually point to a different internal router that has a frame-relay connection to the same company, rather than pointing to my public gateway like above.  The L2L is supposed to replace that.  I need to test between 1am and 4am.  When I do test, I remove the above route commands and add the ones above, which makes those services unavailable while I am testing, unless of course the tunnel was to actually work.
TakedaT (Author) commented:
I was able to track down the problem.  It turns out that my predecessor decided to put an access list on our edge router denying return traffic to the ASA interface. Thanks for looking though.
