My tunnel is active...or is it?
Agent6376
Member Posts: 201
Hi all,
I'm having some issues with my site to site VPN, but I'm not sure whether the issue is my config or not. This is very strange to me, but I'll post up the important part of the configs here. The two endpoints are an 881 and an ASA 5510.
881:
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ******* address *******
crypto ipsec transform-set TRANSFORMSET esp-3des esp-sha-hmac
crypto map CRYPTOMAP 10 ipsec-isakmp
set peer *******
set transform-set TRANSFORMSET
set pfs group1
match address 110
reverse-route static
crypto map CRYPTOMAP
Extended IP access list 110
10 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 (943 matches)
show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
******* ******** QM_IDLE 2041 ACTIVE
A route injected from the Site to Site
S 192.168.100.0/24 [1/0] via (FE4's Next hop router), FastEthernet4
Now for the ASA:
crypto map outside-20mb_map1 1 match address outside-20mb_cryptomap
crypto map outside-20mb_map1 1 set pfs
crypto map outside-20mb_map1 1 set peer *******
crypto map outside-20mb_map1 1 set transform-set ESP-3DES-SHA
crypto map outside-20mb_map1 1 set reverse-route
crypto map outside-20mb_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-20mb_map1 interface outside-20mb
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ASA Route to 192.168.1.0
S 192.168.1.0 255.255.255.0 [1/0] via (outside-20mb interface's next hop router), outside-20mb
As for a ping, here's what happens:
881(config)#do ping 192.168.100.200 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
UUUUU
Success rate is 0 percent (0/5)
881(config)#
So I do a debug ip icmp and try again. What do I get?
881#ping 192.168.100.200 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
.UUUU
Success rate is 0 percent (0/5)
881#
Oct 3 05:39:59.859: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
Oct 3 05:39:59.903: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
Oct 3 05:39:59.947: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
Oct 3 05:39:59.991: ICMP: dst (192.168.1.1) net unreachable rcv from 4.59.115.133
Hmm...so I can obviously talk with my peer since I HAVE a tunnel up. But somewhere down the line, the network becomes unreachable. So I then do a traceroute...
881#traceroute 192.168.100.200 source vlan1
Type escape sequence to abort.
Tracing the route to 192.168.100.200
1 (Next Hop) 20 msec 16 msec 16 msec
2 10.201.201.1 16 msec 12 msec 16 msec
3 10.10.42.1 28 msec 28 msec 32 msec
4 t3-3-2-0-10.edge6.Dallas1.Level3.net (4.59.115.133) !N !N !N
As you can see, the ISP this client is using is routing us through a private network, then out to the public network at 4.59.115.133.
I can ping from router to router with no issues. I'm stumped! Can someone guide me in the right direction? I can always call TAC, but I really wanted to see if anyone else has seen anything like this.
TIA!
Comments
-
mikej412
Member Posts: 10,086
crypto map outside-20mb_map1 1 match address outside-20mb_cryptomap
Cisco Certifications -- Collect the Entire Set!
-
Agent6376
Member Posts: 201
access-list outside-20mb_cryptomap line 1 extended permit ip 192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0
-
Agent6376
Member Posts: 201
Some searching + a great community =
Make sure you exempt all of your interesting traffic from being NAT'd. I've run into that problem a couple of times.
Thanks to Burbankmarc and Mike.
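The two things this thread turned on were (1) whether the crypto ACL on the 881 (wildcard masks) and the one on the ASA (subnet masks) are exact mirror images, and (2) whether the interesting traffic is exempted from NAT, since a flow that gets translated before encryption no longer matches the crypto ACL and is sent unencrypted even while "show crypto isakmp sa" reports ACTIVE. The script below is an added example, not code from the thread or from Cisco: it parses both ACL styles, checks that the permit entries mirror each other, and checks that a NAT-exemption ACL covers every interesting flow. The two crypto ACL lines are the ones quoted in the thread; the NAT-exemption ACL (and its name inside_nat0_outbound) is constructed for the example, because the thread never shows the NAT configuration. It goes slightly beyond the thread by also handling "host" and "any" entries, which is the general form of these ACLs.

```python
# Added example (not from the thread): sanity-check mirrored crypto ACLs and
# NAT exemption of the interesting traffic for an IOS <-> ASA site-to-site VPN.
import ipaddress

# The two crypto ACLs quoted in the thread (IOS wildcard masks vs ASA netmasks).
IOS_CRYPTO_ACL = "10 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255 (943 matches)"
ASA_CRYPTO_ACL = ("access-list outside-20mb_cryptomap line 1 extended permit ip "
                  "192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0")

# Constructed NAT-exemption ACLs for the ASA side. The name inside_nat0_outbound
# is an assumption; the thread never shows the NAT configuration.
ASA_NAT_EXEMPT_MISSING = ""  # nothing exempted: the tunnel-bound flow gets translated
ASA_NAT_EXEMPT_OK = ("access-list inside_nat0_outbound extended permit ip "
                     "192.168.100.0 255.255.255.0 192.168.1.0 255.255.255.0")


def _parse_addr(tokens, i, mask_style):
    """Parse one address spec (any / host A / A MASK) starting at tokens[i].
    Returns (network, index_of_next_token)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if mask_style == "wildcard":
        # IOS wildcard masks are inverted (0 bits must match), so flip them
        # into an ordinary netmask before handing them to ipaddress.
        inverted = (~int(ipaddress.IPv4Address(mask))) & 0xFFFFFFFF
        mask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_ip_acl(text, mask_style):
    """Extract (action, src_net, dst_net) from 'permit/deny ip SRC DST' lines.
    mask_style is 'wildcard' for IOS output or 'netmask' for ASA output.
    Sequence numbers, 'line N extended' and '(N matches)' are skipped; only
    'ip' entries are handled, which is all a crypto ACL normally contains."""
    flows = []
    for line in text.splitlines():
        tokens = line.split()
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("permit", "deny") and tokens[i + 1] == "ip":
                src, j = _parse_addr(tokens, i + 2, mask_style)
                dst, _ = _parse_addr(tokens, j, mask_style)
                flows.append((tok, src, dst))
                break
    return flows


def crypto_acl_mismatches(local_flows, remote_flows):
    """Return permit flows present on one side but not mirrored (src/dst
    swapped) on the other. An empty list means the two crypto ACLs agree,
    which is what Phase 2 needs before the SA will carry the traffic."""
    local = {(s, d) for a, s, d in local_flows if a == "permit"}
    remote = {(d, s) for a, s, d in remote_flows if a == "permit"}
    return sorted(local ^ remote, key=str)


def flows_not_nat_exempt(interesting_flows, nat_exempt_flows):
    """Return interesting flows that no NAT-exemption entry fully covers.
    Such a flow is translated before the crypto map sees it, so it no longer
    matches the crypto ACL and is not encrypted, even though the ISAKMP SA
    still shows ACTIVE."""
    exempt = [(s, d) for a, s, d in nat_exempt_flows if a == "permit"]
    return [(s, d) for a, s, d in interesting_flows if a == "permit"
            and not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in exempt)]


if __name__ == "__main__":
    ios = parse_ip_acl(IOS_CRYPTO_ACL, "wildcard")
    asa = parse_ip_acl(ASA_CRYPTO_ACL, "netmask")
    print("crypto ACL mismatches:", crypto_acl_mismatches(ios, asa))
    for label, exempt_acl in (("missing", ASA_NAT_EXEMPT_MISSING), ("ok", ASA_NAT_EXEMPT_OK)):
        still_nated = flows_not_nat_exempt(asa, parse_ip_acl(exempt_acl, "netmask"))
        print(f"NAT exemption {label}: flows still translated = {still_nated}")
```

Run against the thread's two ACLs the mirror check comes back empty, so the crypto ACLs were fine; with no NAT-exemption entry the 192.168.100.0/24 to 192.168.1.0/24 flow is reported as still translated, which is the condition the last comment describes. Feeding the script "show access-list" output from both boxes is enough to repeat the check on a real pair.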