Solved

Cisco ASA Site-to-Site VPN. Tunnel is MM_Active, but no traffic passes

Posted on 2012-03-16
4
1,241 Views
Last Modified: 2012-05-22
Hello,

So basically I'm trying to set up a site to site VPN from Aberdeen to Houston with a Cisco ASA 5505 at each end. I have the tunnel active, but I am unable to ping the remote WAN/LAN addresses from each side of the tunnel.

From the ASA's I am able to ping the outside interface of each end of the tunnel, but not the inside interface or remote LAN addresses.

I'm somewhat new to Cisco VPNs and kind of stumped as to what my next steps should be.

Attached is the config for both ends.

*edit* Just for clarification on the HoustonAsa config - the tunnel-group that I'm having problems with is x.x.x.235.
HoustonAsa.txt
AberdeenAsa.txt
0
Comment
Question by:rgeist554
  • 2
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37737176
If you're reaching MM_ACTIVE, this says that the VPN isn't completing its negotiation. The ISAKMP state will go to IDLE once this has happened. As a start, I would permit 500/udp and esp in your outside_access_in ACLs and see if this gets you any further.
0
 

Accepted Solution

by:
rgeist554 earned 0 total points
ID: 37748985
I have permitted UDP and ESP on the outside_access_in and still have not been able to get beyond MM_ACTIVE
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37750643
I think it's time to turn on some ISAKMP debugging to see what's happening with the negotiation.  Can you turn on "debug crypto isakmp" and post a sample of what's showing up in the log?
0
 

Author Closing Comment

by:rgeist554
ID: 37996185
ISAKMP showed me it was not getting to phase 2. Corrected encryption settings on both sides and it was fine.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now