Hi Mark, I just want to verify - you did say that you can ping from tunnel source to tunnel source?
JT

On Tue, May 17, 2011 at 1:47 PM, Mark Senteza <[email protected]> wrote:
> The problem is most likely some kind of filtering on the remote side (DMVPN
> Spoke side). Just for testing purposes, I reversed the configuration and
> made the Spoke the Hub, and the former Hub the Spoke. Debugs from the new
> Hub show a whole lot more information than previously, but the tunnel still
> won't come up. I suspect that the return traffic is being blocked somewhere,
> just as previously the tunnel initialization traffic was being blocked.
>
> I've requested the remote engineers to take a look at the path and confirm
> whether or not there's any filtering that is blocking the traffic.
> Unfortunately I only have access to part of the network on the remote end
> and not the whole infrastructure, and the time zone difference means I won't
> have a response to follow this up with for another several hours. Once I
> have any more information I'll let you all know.
>
> Thanks for the input. Much appreciated.
>
> Mark
>
> On Tue, May 17, 2011 at 12:41 PM, Andrey <[email protected]> wrote:
>> Mark,
>>
>> try to configure an outbound ACL on the outside interface of ASA2 with:
>> permit gre host 222.222.222.222 host 111.111.111.111 (if crypto profiles
>> on routers disabled)
>> permit udp host 222.222.222.222 eq 500 host 111.111.111.111 eq 500 (if
>> crypto profiles on routers enabled)
>> permit ip any any
>>
>> And watch for matching..
>>
>> --
>> Best regards,
>> Andrey
>>
>> On Wed, May 18, 2011 at 1:29 AM, Andrey <[email protected]> wrote:
>>> No, you don't, the more so because you have internet in the path.
>>> Mark, the problem is still there...somewhere between ASA1 and Gi0/0.603, and
>>> likely it's on ASA2.
>>>
>>> --
>>> Best regards,
>>> Andrey
>>>
>>> On Wed, May 18, 2011 at 1:10 AM, Mark Senteza <[email protected]> wrote:
>>>> I've stripped the "tunnel protection ipsec profile" config from my
>>>> tunnel interfaces. Still no joy.
>>>>
>>>> The ASA on the DMVPN Hub side is running version 8.2, and the inbound
>>>> ACL shows no hit counts for any crypto traffic. The test pings come through
>>>> fine, so I know that the NATs for the DMVPN endpoints are set up fine. I'll
>>>> have to confirm with the remote ASA admins that there are no other ACLs along
>>>> the path that are dropping traffic, because I'd have expected at least ESP or
>>>> GRE to show hit counts.
>>>>
>>>> access-list OUTSIDE line 66 extended permit object-group CRYPTO host 222.222.222.222 host 111.111.111.111 0xe62abcbe
>>>> access-list OUTSIDE line 66 extended permit esp host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x628ac306
>>>> access-list OUTSIDE line 66 extended permit gre host 222.222.222.222 host 111.111.111.111 (hitcnt=0) 0x1e349ff8
>>>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq isakmp (hitcnt=0) 0x0a22d45b
>>>> access-list OUTSIDE line 66 extended permit udp host 222.222.222.222 host 111.111.111.111 eq 4500 (hitcnt=0) 0x8b3259e1
>>>> access-list OUTSIDE line 67 extended permit icmp host 222.222.222.222 host 111.111.111.111 echo (hitcnt=5)
>>>>
>>>> Do I need to have the private IPs for the DMVPN endpoints exempted from
>>>> NAT? For instance:
>>>>
>>>> access-list NAT-EXEMPT ext permit ip host 10.10.1.1 host 10.20.1.1
>>>> nat (inside) 0 access-list NAT-EXEMPT
>>>>
>>>> On Tue, May 17, 2011 at 11:38 AM, Andrey <[email protected]> wrote:
>>>>> apparently you do not want to turn off the encryption :)
>>>>> so, a couple of thoughts:
>>>>>
>>>>> MM1 messages are not reaching the hub, or the reply from the hub is not reaching
>>>>> the spoke, so the problem is somewhere in the path;
>>>>> what OS version on your ASAs? not 8.3?
>>>>> I guess your problem is NAT or ACLs on your ASAs
>>>>>
>>>>> --
>>>>> Best regards,
>>>>> Andrey
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
