Cisco :: No Traffic Gre Tunnel 2901
Nov 6, 2012
I try to make a GRE tunnel with 2 Cisco 2901 routers. Ping responds between the tunnel IP endpoints, but I don't have pings from the PCs inside the networks.
[code]....
I'm getting the following error in the log of a 2901:
%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.
I'm a bit confused by this since there is only 1 active SA at the time. Here is some more info:
2901#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 768 active, 2800 max, 0 failed
I've been looking to see if it's possible to create a GRE tunnel between a Cisco 2901 with 3 ADSL WIC cards and a Cisco ASA. The Cisco 2901 is at our remote office and we have 3 ADSL lines for resilience, as they tend to go down a lot. The Cisco ASA is at our head office sitting behind our ISP's managed router.
The desired end result would be to have three GRE tunnels, 1 for each DSL line, terminating on the ASA at head office, and use the EIGRP routing protocol to move traffic across to another tunnel should one fail, and encapsulate all of that with IPsec.
I have a 7201 router with NPE-G2. I have a design in which I have the option to send all the traffic through a GRE tunnel or an L2TPv3 tunnel. Which method consumes more CPU?
2901 router that I just installed. I replaced a 1760 router with a new 2901 router and all seems to be working, but for some reason the txload on interface g0/0 and interface multilink1 show 255/255 even though there is no traffic going over to this router. I have dual routers at this location and at the moment I have all traffic going over to my other router, a 2821.
reliability 255/255, txload 255/255, rxload 1/255
Environment: Linksys WRT300N v1.1, which can run DD-WRT mega. Willing to tunnel all of the LAN's outbound traffic through an SSH tunnel.
We have approx. 40 branch offices, all of which are connected to a single core site over VPN tunnels using various gear. At one particular site, we are having issues with the tunnel dropping sporadically throughout the day; some days it happens 10 times, some days it happens none. This just randomly started happening two weeks ago, without any changes taking place. Since it started happening, I have upgraded the code to the latest versions, but still the issue persists. This particular site has a 2901 and connects back to a 2951.
Below is the output from:
debug crypto ipsec
debug crypto isakmp
[code].....
Currently I have users that connect with the Cisco VPN client to our PIX 515e. Our corporate network is also directly connected to our partners network, sharing common address space. I want to be able allow our VPN users to connect to certain resources on their network. Since they already have routing for our address space, can I allow the VPN to only NAT traffic to certain destination addresses with a local IP address on our network? That way the partner's network does not have to change any routing since they would see the source address as a local IP on our network.
I have 2 routers, a 2821 and a 2811. They are connected via GRE over IPsec, and all of the traffic from the 2821 is being routed to the 2811 with a default route to its tunnel interface. The 2821 needs to access the internet through the 2811's valid IP address. My question is: how should I NAT the traffic on the 2811 so that the 2821 can access the internet?
I am currently troubleshooting an IPsec L2L VPN between
1. ASA 7.2(4) to SSG-140
2. Cisco 871W to SSG-140
In both scenarios the tunnel is nicely established, and traffic goes into the tunnel, but nothing comes out. All encaps, but no decaps.
It seems like a routing issue, but we cannot find anything on either site.
So maybe I'm running into a (known) issue between Cisco VPN equipment and the SSG-140?
Could it be a proxy-ID issue? Because they configure stuff like 10.1.1.0/24 and I configure 10.1.1.0 0.0.0.255.
Is it possible to tunnel all TCP traffic to UDP under port 137?
We just migrated from a single 5510 to a dual (failover) 5520. It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users (going to LDAP when all is working), but no traffic is passing. I know I am overlooking something but can't see it. [code]
I have set up an IPsec tunnel between a Cisco ASA 5505 and a Fortigate 80C. The tunnel is set up as I execute pings from inside behind the ASA to inside behind the FG; however, I cannot get connectivity to hosts behind the Fortigate (traffic is allowed through policies configured on the FG). What I noticed in packet tracer is that traffic is dropped at the step 'Vpn lookup'. To troubleshoot I have configured a test ('fake') VPN connection through the VPN wizard and get the same result in packet tracer. I run 8.4 software on the ASA and this is part of the relevant config.
I have set up a tunnel between a Cisco PIX 6.3 and a Cisco 7200 router. "show isakmp sa" shows the detail below on the PIX:
Total : 1
Embryonic : 0
dst src state pending created
xx6.x71.x29.x68 x2.1x7.52.1x1 QM_IDLE 0 0
Is the tunnel UP? Traffic is not going through the tunnel. Why?
I have two RV042 VPN routers, and I successfully connected the IPsec tunnel. I cannot route traffic in the tunnel. See the diagram.
MAIN Network
10.252.x.x
-------------->
FIREWALL
a.a.a.1
INTERNET
RV042a WANa <<------------------------------->> WANb RV042b
a.a.a.2 b.b.b.b
In this manner the network of b.b.b.b will connect to the main network 10.252.x.x; unfortunately I can't pass traffic from RV042b going to RV042a. Every time I trace the route, the traffic goes out to the internet, not to RV042a.
I've an ASA 5510 on the main site and different ASA 5505s on secondary sites for VPN tunneling between the sites. The problem is that the tunnels are established but no traffic is going over them. What am I doing wrong? For the moment there is an ASA 5505 on the main site managing the tunnels, but I want the 5510 to take over the job.
I need to route traffic to the DMZ (and internal) from the branch office through the IPsec tunnel. How do I manage that with my Cisco 881?
I'm stationed overseas and it's really hard to access certain websites and services like Netflix or ESPN. What I had created was a GRE tunnel from my home "A" to my current location "B", routing my traffic from point A to B using 2 Cisco 1700 routers (and it was working great), but now I can't use GRE anymore. I still have a PIX and an ASA on both sides and I was trying to do that over a VPN tunnel, but I can't ping the VPN tunnel gateway (basically what was the next hop in GRE) on the other end, which is the main reason why I can't route traffic to the remote site. I was wondering if I can still do the same thing over a VPN tunnel that I did with the GRE tunnel.
I'm trying to set up a VPN between an RV042 V3 and an RV082 V2 router. They get connected but no traffic gets through the tunnel. I tried with and without firewall, DPD, keepalive, and forward secrecy, but nothing worked. What should I do? I don't want to throw out the V2 routers. V3 to V3 connects fine.
Two 5505 ASAs for a customer main site and a local office. I have the tunnel up, but I'm unable to pass traffic across it.
Main Site:
ASA Version 7.2(4)
!
hostname Town
enable password iNbSyJZ1ffmb9kn1 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
[code]....
We've created an IPsec VPN tunnel between our ASA 5510 (8.3) and a PIX firewall (not sure of the specific version, etc.).
The tunnel works fine, except for timing at times (traffic only goes through a few times a day), and a weird problem with all traffic being allowed even though I'm only allowing specific ports (SFTP, SQL Server 1433) from a network at the client site to a specific server in our data center.
I was surprised that I could RDP into the server, as well as telnet to any other port exposed on this server from the client site. Now as I write this I realize that I did not check whether any of our other data center servers can be reached via the tunnel.....
Not having set up many VPN tunnels before using ASA (only Checkpoint to Checkpoint before this), I'm wondering whether I need to include another rule in the VPN tunnel crypto map to deny all other traffic from their network to our network, or whether there's a global config I need to add a rule to.
I am moderately conversant in the command line, but because of my lack of Cisco VPN tunnel experience I did use the ASDM site-to-site VPN tunnel wizard to set the tunnel up. Not sure if there were any defaults I would have to override using that method.
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505
Peer A: x.x.x.x
Lan A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet, it doesn't matter) that receives no reply, but the tunnel goes up fine.
"show isakmp sa" seems OK (says "State : MM_ACTIVE")
"show ipsec sa" seems OK but all #pkts are zero
I try ftp and telnet from LAN B to LAN A systems, but none of them work; in "show ipsec sa" all #pkts are zero. As soon as I generate traffic from LAN A to LAN B, these work (with the tunnel already up), and traffic from LAN B to LAN A also works. Obviously if I end the VPN and start the tunnel by generating traffic from LAN A, all works fine bidirectionally: LAN A reaches LAN B and LAN B reaches LAN A. No message is logged in either of the two appliances.
It seems a very strange problem because it seems not related to Phase 1 or Phase 2, which are already established. Traffic (routing?) starts working only after at least one packet goes from LAN A to LAN B. No message is logged in either of the two appliances. Problems began in ASA version 8.0(4) / ASDM version 6.1(3) and remain/continue after the upgrade to ASA version 8.4(1) / ASDM version 6.4(1).
We have 7 remote offices and 10 tower locations that utilize IPsec tunnels back to our HQ. We now want to force all traffic, including web surfing, through the tunnels. What would be the easiest way to accomplish this? I have tried utilizing the crypto map policy to do this, but was unable to accomplish it.
Each of our office locations utilizes a Cisco 2811 router and the tower locations utilize a Cisco 881.
We have two offices connected with a LAN-to-LAN IPsec tunnel. My question is about one of the sites.
At the site a Cisco 870-series router is used for connection to the internet and setting up the tunnel. Two subnets exist, 172.22.x.x and 10.30.x.x.
The router itself has an address in the 172.22.x.x range. Traffic from the 10.30.x.x subnet needs to be able to reach:
- A host in our network over at the other office (also 172.22.x.x but another range). NATting is needed, otherwise it won't traverse the tunnel because the LAN-to-LAN has only 172.22.x.x in its properties.
- The internet. NATting is also needed, otherwise it won't be routable on the internet. The packets need to go out of the router directly, not through the tunnel.
How do I accomplish this?
Here is a snippet from the config:
interface ATM0.1 point-to-point
ip address <public ip address>
ip nat outside
ip virtual-reassembly
pvc 8/35
class-vc Office
[code]....
We are currently experiencing a problem on an IPsec VPN tunnel that has all of us here completely stumped. We are hoping that one of you experts out there will be able to assist. Here are some basic details:
NETWORKS
An IPSEC site to site tunnel has been built between the two sites on different networks.
PIX 515E - MAIN SITE
Network 172.16.0.0/24
CISCO 1841 - REMOTE SITE
Network 172.16.99.0/24
ISSUE
All traffic flows over the VPN from the 172.16.99.0 network in the direction of the PIX, such as RDP, SIP etc. Pings will go in both directions across the tunnel. Other than the pings, most traffic will NOT flow over the tunnel from the 172.16.0.0 network on the PIX to the 172.16.99.0 network on the 1841. It would appear that something on the 1841 is blocking traffic coming in over the tunnel from the 172.16.0.0 network, as we cannot get a Wireshark capture on a PC on the 172.16.99.0 network, other than the ICMP traces. Usually this is an access list problem, but we have checked and double checked the configuration and can't see anything.
TROUBLESHOOTING SO FAR
1. Have tried inserting various access list changes to the tunnel on the 1841 to make specific reference to the 172.16.0.0 network.
2. Have tried various NAT entries.
3. Have removed and then recreated the VPN tunnel from a fresh start.
4. Have made the MTU 1400 on the inside interfaces on the Pix and the 1841.
The tunnel is fully up at all times and as we say can ping in both directions.
I got a strange VPN problem: I just added a new VPN tunnel to our ASA 5510 and then the users report that the traffic through the tunnel is very slow. When I try it myself I get a speed like 50 kB/sec to the internal server. If I use our regular tunnel or any other tunnel the speed is just fine. I've added the new tunnel in the same way as the other tunnels, that is through the ASDM VPN wizard.
I have a site-to-site tunnel between two 5520 ASAs. The tunnel is up, but when I try to talk to the other side, the implicit deny on the inside interface of the local ASA blocks the traffic. When I ping, the tunnel comes up but in the logs it says it is blocking ICMP from inside to outside. I have tried the sysopt connection permit-vpn but it is not working. The traffic is from 5 specific machines within the local subnet that I put in a network object group called Celerra_Replication.
I want them to be able to talk to 5 machines on the far end of the tunnel in a separate subnet. They are in a network object group called GP_Celerra_Replication. The ACLs I created for this appear to be created correctly, allowing IP from Celerra_Replication to GP_Celerra_Replication and the opposite on the other side.
I have a number of sites in China, they have decent inter-country connectivity but poor connectivity when going overseas.
We have a single site in China with a dedicated 1:1 leased line that has good connectivity both inside and outside of China.
All the sites in China have ASA 5505 firewalls.
One of our Citrix farms is hosted in the UK and although the main site with the leased line is fine accessing the farm the other sites are not. I would like to try and tunnel just the citrix connectivity via a VPN to the China head office then use their connection to get out to the farm.
How do I tunnel all traffic, and not just specific traffic, over the VPN?
I have two ASA 5520s and I want to be able to see or monitor the traffic between each tunnel. I am using external addresses, but for the sake of this question I will use the following: 1.1.1.1 to 2.2.2.2. How can I monitor the traffic?
We have an L2L VPN tunnel between our headquarters (ASA 5520 with network 10.100.1.0) and a branch office (Cisco 1841 with network 10.100.10.0). This has worked fine for years, but now we wish to change the configuration so that ALL traffic from the branch office goes over the VPN tunnel. My question: how do I have to change the crypto ACL to achieve this? Below are the relevant parts of the branch router config.
We've bought a WRVS4400N to create an IPsec VPN tunnel to our client in order to access some applications.
After a while trying to configure the router, we have achieved it and the VPN tunnel is up. We can see the tunnel up from here and from the client's side as well.
Our client supposedly has created the tunnel in order to access a list of specific IPs in the range 10.113.x.x, but if we try to access these IPs via telnet we cannot obtain any response.
Making a tracert, we obtain...
C:\Users\Huexxx>tracert 10.113.56.177
Traza a 10.113.56.177 sobre caminos de 30 saltos como máximo.
1 1 ms 1 ms 1 ms 192.168.0.1
2 * * * Tiempo de espera agotado para esta solicitud.
3 * * ^C
... and therefore the client doesn't receive any packet at its firewall.
I've tried to establish a static route for 10.0.0.0 255.0.0.0 to their remote gateway, but I'm unable to add any entry to static routing list... The router tries to do something, but afterall I cannot see the new entry...
What can I do to route the traffic through the tunnel?
We have a 100 Mbps WAN circuit. We have configured an IPsec tunnel between an ASA 5520 and a Cisco 3845 router for our DR site replication via Veeam Backup and Replication. It was working fine before; since we established the 3DES tunnel, the traffic for certain subnets is dropped after an hour and it stops the replication, although the tunnel remains up and we can access the other subnets. As soon as we clear the crypto SA and ISAKMP sessions on the firewall the traffic starts flowing again, and then after an hour the traffic is dropped again. So far the testing and different configurations we tried are as under.
Tried with a different MTU size both on the firewall and the ESXi servers, but nothing happened. There is no QoS configuration. Checked the utilization on both ends; it's normal, although there are subsequent 100% spikes on the Cisco 3845, but on average it remains at 30-40%.