Cisco ASA Site to Site VPN up but not passing traffic

I have a VPN between a Cisco ASA and a Checkpoint (I do not have any control of the Checkpoint).
The tunnel comes up as expected when a ping or connection (to tcp 135/5000-5020) is initiated from my local side; however, there is no response from the remote side.
I have included the config from my ASA below.
In the logs I see the connection built; however, after a minute or so it is torn down (SYN timeout).


ASA Version 8.0(5)


names

interface Vlan1
 nameif outside
 security-level 0
 ip address 9.8.7.33 255.255.255.0

interface Vlan30
 nameif inside
 security-level 100
 ip address 10.255.215.33 255.255.255.0

interface Ethernet0/0
 speed 100
 duplex full


interface Ethernet0/7
 switchport access vlan 30
 speed 100
 duplex full



same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object-group network HOST_local
 network-object host 100.50.6.33

object-group network HOST_remote
 network-object host 10.13.33.60

object-group service Group-Service_TCP tcp
 port-object range 5000 5020
 port-object eq 135

object-group icmp-type PING
 icmp-object echo
 icmp-object echo-reply

access-list vpn_1 extended permit ip host 100.50.6.33 host 10.13.33.60 log

access-list acl_insideout extended permit tcp object-group HOST_local object-group HOST_remote object-group Group-Service_TCP log debugging
access-list acl_insideout extended permit icmp object-group HOST_local object-group HOST_remote object-group PING log debugging

access-list acl_Outsidein extended permit tcp object-group HOST_remote object-group HOST_local object-group Group-Service_TCP log debugging
access-list acl_Outsidein extended permit icmp object-group HOST_remote object-group HOST_local object-group PING log debugging
access-list nonat extended permit ip host 100.50.6.33 host 10.13.33.60 log debugging

mtu outside 1500
mtu inside 1500

arp timeout 14400

nat (inside) 0 access-list nonat

access-group acl_Outsidein in interface outside
access-group acl_insideout in interface inside

route outside 0.0.0.0 0.0.0.0 9.8.7.254 1
route inside 100.50.6.33 255.255.255.255 10.255.215.1 1

dynamic-access-policy-record DfltAccessPolicy

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpnmap 1 match address vpn_1
crypto map vpnmap 1 set peer 1.2.3.4
crypto map vpnmap 1 set transform-set ESP-3DES-MD5
crypto map vpnmap 1 set security-association lifetime seconds 3600
crypto map vpnmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2      
 lifetime 86400
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key *

class-map inspection_default
 match default-inspection-traffic


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp

service-policy global_policy global
prompt hostname context
siggyjamison Asked:
btassure Commented:
Sounds like the other end has a routing issue and isn't encapsulating your return traffic. Can you get in touch with the support provider for that site?
siggyjamison Author Commented:
I have requested they review their configuration.
I normally have control over both sides; however, this situation was unusual and we do not have any access to their firewalls to review, and they are in a different timezone, which makes it more difficult.
Our normal VPN deployment is Cisco/Cisco and I do not have experience with CP VPNs, so I thought it best to have someone else look at this.
lrmoore Commented:
Try disabling keepalives on the VPN tunnel on the ASA. I don't think the CP supports it.
Agree that there could be an issue on the remote end.
geergon Commented:
In fact the tunnel is flapping.

And according to the behavior, the problem is related to phase 2.
I have seen a lot of problems with Cisco devices and Checkpoints.

Please make sure, as lrmoore said, that keepalives are disabled.
(Disable the keepalives on the Checkpoint side too.)

Also make sure that the lifetimes for phase 1 and phase 2 are the same.

Then verify the interesting traffic. This last step is very important: remember that Cisco devices need to have the traffic at the IP layer; never use TCP/UDP in the VPN interesting traffic. (TCP/UDP is not even supported by TAC.) The Checkpoint is very tricky, but make sure that the rules match at some point.
Checkpoint has an option to summarize networks on the traffic proposal or something like that; please make sure that is disabled.

Also please post the debugs when the issue occurs.

debug crypto condition peer x.x.x.x
debug crypto isakmp 150
debug crypto ipsec 150

Then
Collect the information

To disable the debugs just do
undebug all
debug crypto condition reset
siggyjamison Author Commented:
I disabled keepalives (still no response from remote end) and the following is the debug output.

client-vpn1# Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, IKE Initiator: New Phase 1, Intf inside, IKE Peer 1.2.3.4  local Proxy Address 100.50.6.33, remote Proxy Address 10.13.33.60,  Crypto map (vpnmap)
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing ISAKMP SA payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing NAT-Traversal VID ver 02 payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing NAT-Traversal VID ver 03 payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing Fragmentation VID + extended capabilities payload
Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 184
Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, processing SA payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, Oakley proposal is acceptable
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing ke payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing nonce payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing Cisco Unity VID payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing xauth V6 VID payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, Send IOS VID
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, constructing VID payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NONE (0) total length : 184
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, processing ke payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, processing ISA_KE payload
Apr 26 07:01:39 [IKEv1 DEBUG]: IP = 1.2.3.4, processing nonce payload
Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, Connection landed on tunnel_group 1.2.3.4
Apr 26 07:01:39 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Generating keys for Initiator...
Apr 26 07:01:39 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing ID payload
Apr 26 07:01:39 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing hash payload
Apr 26 07:01:39 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Computing hash for ISAKMP
Apr 26 07:01:39 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing dpd vid payload
Apr 26 07:01:39 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + VENDOR (13) + NONE (0) total length : 80
Apr 26 07:01:40 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received
1.2.3.4
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Computing hash for ISAKMP
Apr 26 07:01:40 [IKEv1]: IP = 1.2.3.4, Connection landed on tunnel_group 1.2.3.4
Apr 26 07:01:40 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Freeing previously allocated memory for authorization-dn-attributes
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Oakley begin quick mode
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, IKE Initiator starting QM: msg id = 0ec58f56
Apr 26 07:01:40 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, PHASE 1 COMPLETED
Apr 26 07:01:40 [IKEv1]: IP = 1.2.3.4, Keep-alive type for this connection: None
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Starting P1 rekey timer: 64800 seconds.
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, IKE got SPI from key engine: SPI = 0x0e864f7c
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, oakley constucting quick mode
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing blank hash payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing IPSec SA payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing IPSec nonce payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing proxy ID
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Transmitting Proxy Id:
  Local host:  100.50.6.33  Protocol 0  Port 0
  Remote host: 10.13.33.60  Protocol 0  Port 0
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, IKE Initiator sending Initial Contact
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, constructing qm hash payload
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, IKE Initiator sending 1st QM pkt: msg id = 0ec58f56
Apr 26 07:01:40 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=ec58f56) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Apr 26 07:01:40 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Duplicate Phase 1 packet detected.  No last packet to retransmit.
Apr 26 07:01:40 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Duplicate Phase 1 packet detected.  No last packet to retransmit.
Apr 26 07:01:40 [IKEv1]: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=ec58f56) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 184
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing SA payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing nonce payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received
100.50.6.33
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received
10.13.33.60
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, processing notify payload
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, loading all IPSEC SAs
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Generating Quick Mode Key!
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, NP encrypt rule look up for crypto map vpnmap 1 matching ACL vpn_1: returned cs_id=d5d676e0; rule=d5d659f8
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Generating Quick Mode Key!
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, NP encrypt rule look up for crypto map vpnmap 1 matching ACL vpn_1: returned cs_id=d5d676e0; rule=d5d659f8
Apr 26 07:01:40 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, Security negotiation complete for LAN-to-LAN Group (1.2.3.4)  Initiator, Inbound SPI = 0x0e864f7c, Outbound SPI = 0x6e3527c3
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, oakley constructing final quick mode
Apr 26 07:01:40 [IKEv1 DECODE]: Group = 1.2.3.4, IP = 1.2.3.4, IKE Initiator sending 3rd QM pkt: msg id = 0ec58f56
Apr 26 07:01:40 [IKEv1]: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=ec58f56) with payloads : HDR + HASH (8) + NONE (0) total length : 72
IPSEC: New embryonic SA created @ 0xD59AF308,
    SCB: 0xD59AF238,
    Direction: outbound
    SPI      : 0x6E3527C3
    Session ID: 0x00005000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0x6E3527C3
IPSEC: Creating outbound VPN context, SPI 0x6E3527C3
    Flags: 0x00000005
    SA   : 0xD59AF308
    SPI  : 0x6E3527C3
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x8C26261B
    Channel: 0xD3D092D8
IPSEC: Completed outbound VPN context, SPI 0x6E3527C3
    VPN handle: 0x0013074C
IPSEC: New outbound encrypt rule, SPI 0x6E3527C3
    Src addr: 100.50.6.33
    Src mask: 255.255.255.255
    Dst addr: 10.13.33.60
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0x6E3527C3
    Rule ID: 0xD3E1C9D0
IPSEC: New outbound permit rule, SPI 0x6E3527C3
    Src addr: 9.8.7.33
    Src mask: 255.255.255.255
    Dst addr: 1.2.3.4
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x6E3527C3
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0x6E3527C3
    Rule ID: 0xD59B5090
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, IKE got a KEY_ADD msg for SA: SPI = 0x6e3527c3
IPSEC: Completed host IBSA update, SPI 0x0E864F7C
IPSEC: Creating inbound VPN context, SPI 0x0E864F7C
    Flags: 0x00000006
    SA   : 0xD61B72B8
    SPI  : 0x0E864F7C
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0013074C
    SCB  : 0x8BA9C56B
    Channel: 0xD3D092D8
IPSEC: Completed inbound VPN context, SPI 0x0E864F7C
    VPN handle: 0x0014CA8C
IPSEC: Updating outbound VPN context 0x0013074C, SPI 0x6E3527C3
    Flags: 0x00000005
    SA   : 0xD59AF308
    SPI  : 0x6E3527C3
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0014CA8C
    SCB  : 0x8C26261B
    Channel: 0xD3D092D8
IPSEC: Completed outbound VPN context, SPI 0x6E3527C3
    VPN handle: 0x0013074C
IPSEC: Completed outbound inner rule, SPI 0x6E3527C3
    Rule ID: 0xD3E1C9D0
IPSEC: Completed outbound outer SPD rule, SPI 0x6E3527C3
    Rule ID: 0xD59B5090
IPSEC: New inbound tunnel flow rule, SPI 0x0E864F7C
    Src addr: 10.13.33.60
    Src mask: 255.255.255.255
    Dst addr: 100.50.6.33
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x0E864F7C
    Rule ID: 0xD5CE3D50
IPSEC: New inbound decrypt rule, SPI 0x0E864F7C
    Src addr: 1.2.3.4
    Src mask: 255.255.255.255
    Dst addr: 9.8.7.33
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x0E864F7C
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x0E864F7C
    Rule ID: 0xD59B7618
IPSEC: New inbound permit rule, SPI 0x0E864F7C
    Src addr: 1.2.3.4
    Src mask: 255.255.255.255
    Dst addr: 9.8.7.33
    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x0E864F7C
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x0E864F7C
    Rule ID: 0xD634B7A0
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Pitcher: received KEY_UPDATE, spi 0xe864f7c
Apr 26 07:01:40 [IKEv1 DEBUG]: Group = 1.2.3.4, IP = 1.2.3.4, Starting P2 rekey timer: 3060 seconds.
Apr 26 07:01:40 [IKEv1]: Group = 1.2.3.4, IP = 1.2.3.4, PHASE 2 COMPLETED (msgid=0ec58f56)

geergon Commented:
Cool, thanks for the debugs.

But it looks like the tunnel gets built without an issue.

The SYN timeout that you see in the logs is related to the unfinished TCP connections, since from the client point of view you see the application waiting for a reply (SYN/ACK).
I am pretty sure that the tunnel never goes down, but if it is flapping, please paste the debugs when that occurs.

At this point please build up the tunnel and send us the output of "show cry ipsec sa" when you attempt to send traffic.
siggyjamison Author Commented:
client-vpn1# sh crypto ipsec sa
interface: outside
    Crypto map tag: vpnmap, seq num: 1, local addr: 9.8.7.33

      access-list vpn_1 extended permit ip host 100.50.6.33 host 10.13.33.60 log
      local ident (addr/mask/prot/port): (100.50.6.33/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.13.33.60/255.255.255.255/0/0)
      current_peer: 1.2.3.4

      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 9.8.7.33, remote crypto endpt.: 1.2.3.4

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 253B9FE1
      current inbound spi : 1D715995

    inbound esp sas:
      spi: 0x1D715995 (493967765)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3915000/3596)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x253B9FE1 (624664545)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914999/3595)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
mahrens007 Commented:
Usually if the tunnel is built with no problems it is an ACL mismatch on one of the ends. Make sure you are not natting the traffic for the VPN.
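
Two of the checks suggested in this thread (interesting traffic defined at the IP layer, and VPN traffic exempt from NAT) can be run against the local ASA config. The following is an added example, not part of the original thread: it handles only `any`, `host A` and `A MASK` address forms, skips object-group entries, and its function names are hypothetical.

```python
import ipaddress

# Constructed sample: the four relevant lines of the ASA config posted in the question.
CONFIG = """\
access-list vpn_1 extended permit ip host 100.50.6.33 host 10.13.33.60 log
access-list nonat extended permit ip host 100.50.6.33 host 10.13.33.60 log debugging
nat (inside) 0 access-list nonat
crypto map vpnmap 1 match address vpn_1
"""

def _take_net(tokens):
    """Consume one address spec ('any', 'host A' or 'A MASK') from the token list."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse(config):
    """Return (ACL entries by name, crypto-map ACL names, 'nat 0' ACL names)."""
    acls, crypto_acls, nonat_acls = {}, set(), set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2:4] == ["extended", "permit"]:
            rest = tok[5:]
            try:
                src, dst = _take_net(rest), _take_net(rest)
            except (ValueError, IndexError):
                continue  # object-group and other forms are out of scope here
            acls.setdefault(tok[1], []).append((tok[4], src, dst))
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            crypto_acls.add(tok[6])
        elif tok[:1] == ["nat"] and tok[2:4] == ["0", "access-list"]:
            nonat_acls.add(tok[4])
    return acls, crypto_acls, nonat_acls

def check(config):
    """List findings for each crypto ACL entry; an empty list means both checks pass."""
    acls, crypto_acls, nonat_acls = parse(config)
    exempt = [e for name in nonat_acls for e in acls.get(name, [])]
    findings = []
    for name in sorted(crypto_acls):
        for proto, src, dst in acls.get(name, []):
            if proto != "ip":
                findings.append(f"{name}: crypto ACL uses '{proto}', expected 'ip'")
            covered = any(p == "ip" and src.subnet_of(s) and dst.subnet_of(d)
                          for p, s, d in exempt)
            if not covered:
                findings.append(f"{name}: {src} -> {dst} is not NAT-exempt")
    return findings

if __name__ == "__main__":
    print(check(CONFIG) or "crypto ACL and NAT exemption are consistent")
```

On the config posted in the question both checks pass, which leaves the remote side's matching rules and NAT as the part that cannot be verified from here.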

siggyjamison Author Commented:
Abandoned