Solved

Cisco ASA Site-to-Site VPN. Tunnel is MM_Active, but no traffic passes

Posted on 2012-03-16
4
1,277 Views
Last Modified: 2012-05-22
Hello,

So basically I'm trying to set up a site to site VPN from Aberdeen to Houston with a Cisco ASA 5505 at each end. I have the tunnel active, but I am unable to ping the remote WAN/LAN addresses from each side of the tunnel.

From the ASA's I am able to ping the outside interface of each end of the tunnel, but not the inside interface or remote LAN addresses.

I'm somewhat new to Cisco VPNs and kind of stumped as to what my next steps should be.

Attached is the config for both ends.

*edit* Just for clarification on the HoustonAsa config - the tunnel-group that I'm having problems with is x.x.x.235.
HoustonAsa.txt
AberdeenAsa.txt
0
Comment
Question by:rgeist554
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37737176
If you're reaching MM_ACTIVE, this says that the VPN isn't completing its negotiation. The ISAKMP state will go to IDLE once this has happened. As a start, I would permit 500/udp and esp in your outside_access_in ACLs and see if this gets you any further.
0
 

Accepted Solution

by:
rgeist554 earned 0 total points
ID: 37748985
I have permitted UDP and ESP on the outside_access_in and still have not been able to get beyond MM_ACTIVE
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37750643
I think it's time to turn on some ISAKMP debugging to see what's happening with the negotiation.  Can you turn on "debug crypto isakmp" and post a sample of what's showing up in the log?
0
 

Author Closing Comment

by:rgeist554
ID: 37996185
ISAKMP showed me it was not getting to phase 2. Corrected encryption settings on both sides and it was fine.
0

Featured Post

DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Random Terminal Server disconnections. 2 230
ASA Tunnel 18 49
port redirection on cisco asa 5520 5 28
Palo Alto Networks Security Rule Additions via CLI - multiple objects 3 30
As dyndns has reduced the capabilities of the free service, I looked around for other free providers of Dynamic DNS service. After testing several I decided to move my DNS hosting to Hurricane Electric as then domains that require dynamic hostnam…
David Varnum recently wrote up his impressions of PRTG, based on a presentation by my colleague Christian at Tech Field Day at VMworld in Barcelona. Thanks David, for your detailed and honest evaluation!
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question