I've stripped the "tunnel protection ipsec profile" config from my tunnel interfaces. Still no joy.
The ASA on the DMVPN Hub side is running version 8.2, and the inbound ACL shows no hit counts for any crypto traffic. The test pings come through fine, so I know that the NATs for the DMVPN endpoints are set up fine. I'll have to confirm with the remote ASA admins that there are no other ACLs along the path that are dropping traffic, because I'd have expected at least ESP or GRE to show hit counts.

access-list OUTSIDE line 66 extended permit object-group CRYPTO host 222.222.222.222 host 111.111.111.111 0xe62abcbe
  access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
  access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
  access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
  access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222 host 111.111.111.111 echo (hitcnt=5)

Do I need to have the private IPs for the DMVPN endpoints exempted from NAT? For instance:

access-list NAT-EXEMPT ext permit ip host 10.10.1.1 host 10.20.1.1
nat (inside) 0 access-list NAT-EXEMPT

On Tue, May 17, 2011 at 11:38 AM, Andrey <[email protected]> wrote:
> apparently you do not want to turn off the encryption :)
> so, a couple of thoughts:
>
> MM1 messages are not reaching the hub, or the reply from the hub is not reaching the
> spoke, so problems somewhere in the path;
> what os version on your ASAs? not 8.3?
> I guess your problem is nat or acls on your ASAs
>
> --
> Best regards,
> Andrey
>
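An added check (my own code, not from anyone in this thread): it parses ASA 8.x "show access-list" output like the block quoted above and lists, for one peer pair, the expanded ACEs whose counter is still zero, which is the comparison being done by eye here (ICMP has hits, ESP/GRE/ISAKMP/NAT-T do not). The regex, the Ace record and the function names are my assumptions; the sample lines are the six from the post.

```python
import re
from typing import NamedTuple, Optional

# One ACE line of ASA 8.x "show access-list" output; expanded object-group
# members carry a (hitcnt=N) counter, the parent object-group line does not.
ACE_RE = re.compile(
    r"^\s*access-list\s+(?P<acl>\S+)\s+line\s+(?P<line>\d+)\s+extended\s+"
    r"(?P<action>permit|deny)\s+"
    r"(?:object-group\s+(?P<group>\S+)|(?P<proto>\S+))\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)"
    r"(?:\s+(?P<svc>eq\s+\S+|echo))?"   # port (eq X) or ICMP type
    r"(?:\s+\(hitcnt=(?P<hits>\d+)\))?"
    r"(?:\s+0x[0-9a-f]+)?\s*$"           # per-ACE hash, ignored
)

Ace = NamedTuple("Ace", [("acl", str), ("line", int), ("action", str), ("service", str),
                         ("src", str), ("dst", str), ("hits", Optional[int])])
# service is e.g. "esp", "udp/isakmp", "icmp/echo" or "object-group CRYPTO";
# hits is None on the parent object-group line, which carries no counter.

def parse_show_access_list(text: str) -> list[Ace]:
    aces = []
    for raw in text.splitlines():
        m = ACE_RE.match(raw)
        if not m:
            continue  # banner, blank or non-host ACE: not handled here
        if m["group"]:
            service = f"object-group {m['group']}"
        else:
            service = m["proto"] + ("/" + re.sub(r"^eq\s+", "", m["svc"]) if m["svc"] else "")
        hits = int(m["hits"]) if m["hits"] else None
        aces.append(Ace(m["acl"], int(m["line"]), m["action"], service, m["src"], m["dst"], hits))
    return aces

def silent_services(aces: list[Ace], src: str, dst: str) -> list[str]:
    """Expanded ACEs between src and dst whose counter is still zero, in ACL order.
    Parent object-group lines have no counter and are skipped."""
    return [a.service for a in aces if a.src == src and a.dst == dst and a.hits == 0]

# Constructed sample: the six lines quoted in the post above.
SAMPLE = """\
access-list OUTSIDE line 66 extended permit object-group CRYPTO host 222.222.222.222 host 111.111.111.111 0xe62abcbe
  access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
  access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
  access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
  access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222 host 111.111.111.111 echo (hitcnt=5)
"""
```

Running silent_services(parse_show_access_list(SAMPLE), "222.222.222.222", "111.111.111.111") on the sample returns esp, gre, udp/isakmp and udp/4500, i.e. every crypto service while the ICMP entry has matched.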
