Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco ASA Site-to-Site VPN. Tunnel is MM_Active, but no traffic passes

Posted on 2012-03-16
4
Medium Priority
?
1,333 Views
Last Modified: 2012-05-22
Hello,

So basically I'm trying to set up a site to site VPN from Aberdeen to Houston with a Cisco ASA 5505 at each end. I have the tunnel active, but I am unable to ping the remote WAN/LAN addresses from each side of the tunnel.

From the ASA's I am able to ping the outside interface of each end of the tunnel, but not the inside interface or remote LAN addresses.

I'm somewhat new to Cisco VPNs and kind of stumped as to what my next steps should be.

Attached is the config for both ends.

*edit* Just for clarification on the HoustonAsa config - the tunnel-group that I'm having problems with is x.x.x.235.
HoustonAsa.txt
AberdeenAsa.txt
0
Comment
Question by:rgeist554
  • 2
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37737176
If you're reaching MM_ACTIVE, this says that the VPN isn't completing its negotiation. The ISAKMP state will go to IDLE once this has happened. As a start, I would permit 500/udp and esp in your outside_access_in ACLs and see if this gets you any further.
0
 

Accepted Solution

by:
rgeist554 earned 0 total points
ID: 37748985
I have permitted UDP and ESP on the outside_access_in and still have not been able to get beyond MM_ACTIVE
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37750643
I think it's time to turn on some ISAKMP debugging to see what's happening with the negotiation.  Can you turn on "debug crypto isakmp" and post a sample of what's showing up in the log?
0
 

Author Closing Comment

by:rgeist554
ID: 37996185
ISAKMP showed me it was not getting to phase 2. Corrected encryption settings on both sides and it was fine.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When replacing some switches recently I started playing with the idea of having admins authenticate with their domain accounts instead of having local users on all switches all over the place. Since I allready had an w2k8R2 NPS running for my acc…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses
Course of the Month12 days, 6 hours left to enroll

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question