Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
Document ID: 81824
Introduction
Prerequisites
Requirements
Components Used
Conventions
Problem − An IPSec VPN Configuration Does Not Work
Solutions
Enable NAT-Traversal (#1 RA VPN Issue)
Test Connectivity Properly
Enable ISAKMP
Clear Old or Existing Security Associations (Tunnels)
Enable ISAKMP Keepalives
Re-Enter Pre-Shared-Keys
Remove and Replace Crypto Maps
Verify that sysopt Commands are Present (PIX/ASA Only)
Verify that ACLs are Correct
Verify that Routing is Correct
Verify Crypto Map Sequence Numbers
Disable XAUTH for L2L Peers
Problem − Remote Access Users Connect to VPN and Have No Other Access to Resources
Solutions
Split-tunnel
Hairpinning
Local LAN Access
NetPro Discussion Forums − Featured Conversations
Related Information
Introduction
This document contains the most common solutions to IPSec VPN problems. These solutions come directly from service requests that the TAC has solved. Many of them can be applied before any in-depth troubleshooting of an IPSec VPN connection. As a result, this document is presented as a checklist of common procedures to try before you begin to troubleshoot a connection and call the TAC.
Note: Even though the configuration examples in this document are for use on routers and security appliances, nearly all of these concepts are also applicable to the VPN 3000 concentrator.
Note: You can look up any command used in this document with the Command Lookup Tool (registered customers only).
Warning: Many of the solutions presented in this document can lead to a temporary loss of all IPSec VPN connectivity on a device. It is recommended that these solutions be implemented with caution and in accordance with your change control policy.
Prerequisites
Requirements
Cisco recommends that you have knowledge of