Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Cisco ASA Site-to-Site VPN. Tunnel is MM_Active, but no traffic passes

Posted on 2012-03-16
4
Medium Priority
?
1,346 Views
Last Modified: 2012-05-22
Hello,

So basically I'm trying to set up a site to site VPN from Aberdeen to Houston with a Cisco ASA 5505 at each end. I have the tunnel active, but I am unable to ping the remote WAN/LAN addresses from each side of the tunnel.

From the ASA's I am able to ping the outside interface of each end of the tunnel, but not the inside interface or remote LAN addresses.

I'm somewhat new to Cisco VPNs and kind of stumped as to what my next steps should be.

Attached is the config for both ends.

*edit* Just for clarification on the HoustonAsa config - the tunnel-group that I'm having problems with is x.x.x.235.
HoustonAsa.txt
AberdeenAsa.txt
0
Comment
Question by:rgeist554
  • 2
  • 2
4 Comments
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37737176
If you're reaching MM_ACTIVE, this says that the VPN isn't completing its negotiation. The ISAKMP state will go to IDLE once this has happened. As a start, I would permit 500/udp and esp in your outside_access_in ACLs and see if this gets you any further.
0
 

Accepted Solution

by:
rgeist554 earned 0 total points
ID: 37748985
I have permitted UDP and ESP on the outside_access_in and still have not been able to get beyond MM_ACTIVE
0
 
LVL 22

Expert Comment

by:Jody Lemoine
ID: 37750643
I think it's time to turn on some ISAKMP debugging to see what's happening with the negotiation.  Can you turn on "debug crypto isakmp" and post a sample of what's showing up in the log?
0
 

Author Closing Comment

by:rgeist554
ID: 37996185
ISAKMP showed me it was not getting to phase 2. Corrected encryption settings on both sides and it was fine.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When replacing some switches recently I started playing with the idea of having admins authenticate with their domain accounts instead of having local users on all switches all over the place. Since I allready had an w2k8R2 NPS running for my acc…
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …
Suggested Courses

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question