GRE IPSEC tunnel between 2 cisco routers

Hello all,
I have configured a GRE tunnel between 2 sites on Cisco routers, and the GRE tunnel works fine.
Once I configured the IPSEC tunnel, it is not stable. It goes down after some time and keeps going into MM_State.
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst                             src             state                          conn-id status
x.x.x.x                         x.x.x.x      MM_NO_STATE          0 ACTIVE
although the GRE tunnel works fine
Regards
Tejas

Hi David,
It is quite strange, but when I started this discussion my issue was that show crypto isakmp sa showed the state as "MM_NO_STATE"; now the problem is different.
This morning I followed these steps:
Step 1. Configured a simple GRE tunnel between my 2 locations; I am able to ping the other end's tunnel IP with the source tunnel IP, all works fine.
Step 2. Started a conditional debug for the peer along with crypto isakmp and crypto ipsec debug on both locations.
Step 3. Implemented the IPSEC config on both routers; I have attached the same in a separate file.
Now the problem is that the IPSEC negotiation has been successful (see output below) but my tunnel is down.
SITE A
sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
114.143.78.X   14.102.64.X    QM_IDLE           1015 ACTIVE
SITE B
#sh crypto isakmp sa | include 14.102.64.X
14.102.64.X    114.143.78.X   QM_IDLE          15532 ACTIVE
Now I am not sure why my tunnel is down???
Please check the attached notepad.
Regards
Tejas

Similar Messages

  • IPSec tunnel between 2 routers

    Hello,
    I'm trying to configure an IPSec VPN tunnel between 2 Cisco routers connected to the internet via ATM interfaces; my router is a 1841 with network address 10.200.36.0, the remote router is a Cisco 877 with network address 192.168.9.0.
    I tried to follow some tutorials without success, because I still can't ping any IP address on the remote network and the VPN tunnel is not up!
    Could you please help me with a configuration template, or let me know how to configure it step by step on my router and the remote router?
    Thank you very much!
    Regards
    Riccardo    

    Here is an example. x.x.x.x and y.y.y.y are the public IPs of the routers:
    hostname Router1
    crypto isakmp policy 10
      encr aes 256
      auth pre
      group 5
    crypto isakmp key cisco1234 address y.y.y.y
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile TunnelProfile
      set transform ESP-AES256-SHA1
    interface Tunnel0
      ip address 10.255.255.0 255.255.255.254
      tunnel source Dialer 0
      tunnel destination y.y.y.y
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile TunnelProfile
    interface Dialer0
      ip address x.x.x.x
    ip route 192.168.9.0 255.255.255.0 Tunnel0
    hostname Router2
    crypto isakmp policy 10
      encr aes 256
      auth pre
      group 5
    crypto isakmp key cisco1234 address x.x.x.x
    crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
    crypto ipsec profile TunnelProfile
      set transform ESP-AES256-SHA1
    interface Tunnel0
      ip address 10.255.255.1 255.255.255.254
      tunnel source Dialer 0
      tunnel destination x.x.x.x
      tunnel mode ipsec ipv4
      tunnel protection ipsec profile TunnelProfile
    interface Dialer0
      ip address y.y.y.y
    ip route 10.200.36.0 255.255.255.0 Tunnel0
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni
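    The two halves of the Router1/Router2 example above have to mirror each other (peer key address, tunnel destination, transform set, ISAKMP policy). The script below is an added example, not code from the thread: it parses two minimal IOS configs and reports any asymmetry. The configs are constructed from the post, with the documentation addresses 192.0.2.1 and 198.51.100.1 standing in for x.x.x.x and y.y.y.y.

```python
"""Added example (not from the thread): cross-check that two IOS IPsec
tunnel configs mirror each other.  ROUTER1 is constructed from the post;
192.0.2.1 / 198.51.100.1 replace the x.x.x.x / y.y.y.y placeholders."""
from __future__ import annotations

ROUTER1 = """\
hostname Router1
crypto isakmp policy 10
 encr aes 256
 auth pre
 group 5
crypto isakmp key cisco1234 address 198.51.100.1
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
crypto ipsec profile TunnelProfile
 set transform ESP-AES256-SHA1
interface Tunnel0
 ip address 10.255.255.0 255.255.255.254
 tunnel source Dialer0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TunnelProfile
interface Dialer0
 ip address 192.0.2.1 255.255.255.255
"""
# ROUTER2 is the mirror image: public addresses swapped, tunnel address .1
ROUTER2 = (ROUTER1.replace("Router1", "Router2")
           .replace("192.0.2.1", "@R1@").replace("198.51.100.1", "192.0.2.1")
           .replace("@R1@", "198.51.100.1")
           .replace("10.255.255.0 255", "10.255.255.1 255"))

def parse(cfg: str) -> dict:
    """Minimal IOS parser: an unindented line starts a section, indented
    lines belong to it.  Assumes a single 'crypto isakmp policy'."""
    d = {"policy": {}, "peer_key": {}, "tset": {}, "tunnel": {}, "addr": {}}
    section = None
    for line in cfg.splitlines():
        w = line.split()
        if not w:
            continue
        if line[0] != " ":
            section = None
            if w[:3] == ["crypto", "isakmp", "policy"]:
                section = ("policy", w[3])
            elif w[:3] == ["crypto", "isakmp", "key"]:
                d["peer_key"][w[5]] = w[3]          # peer address -> PSK
            elif w[:2] == ["crypto", "ipsec"] and w[2] == "transform-set":
                d["tset"][w[3]] = " ".join(w[4:])   # name -> algorithms
            elif w[0] == "interface":
                section = ("iface", w[1])
        elif section and section[0] == "policy":
            d["policy"][w[0]] = " ".join(w[1:])     # encr/auth/group
        elif section and section[0] == "iface":
            if w[:2] == ["ip", "address"]:
                d["addr"][section[1]] = w[2]
            elif w[0] == "tunnel":
                d["tunnel"][w[1]] = " ".join(w[2:])  # source/destination/mode
    return d

def check_pair(a: dict, b: dict) -> list[str]:
    """Return a list of asymmetries; an empty list means the sides mirror."""
    problems = []
    for side, me, peer in (("Router1", a, b), ("Router2", b, a)):
        my_pub = me["addr"].get(me["tunnel"].get("source", ""))
        peer_pub = peer["addr"].get(peer["tunnel"].get("source", ""))
        if me["tunnel"].get("destination") != peer_pub:
            problems.append(f"{side}: tunnel destination is not the peer's "
                            f"source address {peer_pub}")
        if peer_pub not in me["peer_key"]:
            problems.append(f"{side}: no isakmp key for peer {peer_pub}")
        elif me["peer_key"][peer_pub] != peer["peer_key"].get(my_pub):
            problems.append(f"{side}: pre-shared key differs from the peer's")
    if a["policy"] != b["policy"]:
        problems.append(f"isakmp policy mismatch: {a['policy']} vs {b['policy']}")
    if a["tset"] != b["tset"]:
        problems.append("transform-set mismatch")
    if a["tunnel"].get("mode") != b["tunnel"].get("mode"):
        problems.append("tunnel mode differs")
    return problems
```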

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
    Basically dot1x auth is available on Catalyst Switches. However, if I want to check
    Port-Based Multi-Auth, MAC address Auth and any certification Auth with this feature,
    is it possible to integrate into a Cisco Router such as the Cisco 891F?
    In my opinion the Cisco 891F is also able to use basic IEEE802.1x, but if it is compared with Catalyst switches such as the Cat3560X
    I think there might be some unsupported features on the Cisco 891F.
    I appreciate any information. thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many times in interviews I have been asked the comparison between Cisco routers and switches, and I was answerless because I don't have much knowledge about that. Can anyone provide me the comparison sheet of the same? How do the Cisco devices differ from each other, how much bandwidth does each router support, etc.
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impression of this line of questioning is:
    1.  The candidate they are looking for has in-depth knowledge of routers and switches.  And I mean IN-DEPTH!;
    2.  They are not looking for a candidate.  They just want to stroke their ego.  There are not a lot of people who can give you the "names and numbers" of routers and switches at a snap of a finger.  And if you do happen to know the answer, then and there, then expect a tougher follow-up question.

  • IPSEC Tunnel between JUNIPER (SSG 20) and CISCO PIX 501

    I have successfully established the IPSEC tunnel with juniper firewall by using cisco Pix 501 (6.3 version). The problem I am facing, I have network layer connectivity but after time interval I am not able to send the traffic on destination IP address on specific port, but can successfully PING the destination IP. On both firewalls the IPs are permitted for all ports.

    Dear Mr.
    The same problem has occurred with me.

  • Not Seeing NAT Translations Across GRE IPSec Tunnel

    Hello,
    I have a P2P GRE over IPSec tunnel between two 3725s using NAT overload and the Internet as transport. I can reach the backside networks, tunnel endpoints, etc., and I have verified that the traffic is being encrypted. What I am not seeing however are any NAT translations taking place. They must be happening because my traffic is being routed through the tunnel via the public interfaces. I am assuming that this is a result of the checksum being altered when the translation is done.
    Would I be correct in assuming that I could use something like NAT Transparency or IPSec over TCP/UDP to fix the problem and begin seeing NAT translations?
    Thanks for any help you guys may be able to provide!
    Anthony, CCNA (Network/Voice)

    Can you send over the configurations
    You seem to have a phase 1 issue, it's not negotiating correctly.
    Thanks

  • IPSEC tunnel between adsl router (1841-K9) and Windows ISA

    Hi. Can anybody point me in the direction of how to achieve this?
    Basically we've got a UC500 running CME. We want to send a home worker home with a router and a phone, and allow their router (probably an 1841 with a WIC 1ADSL and K9 pack) to connect to our SBS server with ISA on it and make an IPSEC tunnel.
    Thanks!!!

    This is now showing up with running ssh over this tunnel. I can get the initial connection, but certain commands are not going through.

  • Help getting GRE IPsec tunnel setup

    We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router.  I am attempting to set up a GRE tunnel over IPsec back to the main office.  The main office consists of a PIX515, a 2821 router, and a 2921 router.
    There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices.  The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well.   The default route is to use the ASA.   We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515.   
    I have attached a PDF that shows a general overview. 
    Right now I am not able to get the tunnel setup.  It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls.  I will show the output of that command below. 
    Main Office
    The external address     198.40.227.50.
    The loopback address   10.254.10.6
    The tunnel address        10.2.60.1
    Offsite Datacenter
    The external address     198.40.254.178
    The loopback address   10.254.60.6
    The tunnel address        10.2.60.2
    The main office PIX515 Config (Edited – if I am missing something that you need please let me know).
    PIX Version 7.2(2)
    interface Ethernet0
     mac-address 5475.d0ba.5012
     nameif outside
     security-level 0
     ip address 198.40.227.50 255.255.255.240
    interface Ethernet1
     nameif inside
     security-level 100
     ip address 10.10.10.3 255.255.0.0
    access-list outside_cryptomap_60 extended permit gre host 10.254.10.6 host 10.254.60.6
    access-list outside_cryptomap_60 extended permit ip host 10.254.10.6 host 10.254.60.6
    global (outside) 1 interface
    nat (outside) 1 10.60.0.0 255.255.0.0
    nat (inside) 0 access-list noNat
    route outside 0.0.0.0 0.0.0.0 198.40.227.49 1
    route inside 10.60.0.0 255.255.0.0 10.10.10.1 1
    route inside 10.254.10.6 255.255.255.255 10.10.10.253 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 match address outside_cryptomap_60
    crypto map cr-lakeavemap 10 set peer 198.40.254.178
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group DefaultRAGroup ipsec-attributes
     isakmp keepalive threshold 10 retry 2
    tunnel-group 198.40.254.178 type ipsec-l2l
    tunnel-group 198.40.254.178 ipsec-attributes
    The offsite datacenter PIX501 config (again edited)
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    access-list crvpn permit gre host 10.254.60.6 host 10.254.10.6
    access-list crvpn permit ip host 10.254.60.6 host 10.254.10.6
    mtu outside 1500
    mtu inside 1500
    ip address outside 198.40.254.178 255.255.255.240
    ip address inside 10.60.10.2 255.255.0.0
    route outside 0.0.0.0 0.0.0.0 198.40.254.177 1
    route inside 10.2.60.2 255.255.255.255 10.60.10.1 1
    route inside 10.254.60.6 255.255.255.255 10.60.10.1 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map ClientVPN_dyn_map 10 match address ClientVPN
    crypto dynamic-map ClientVPN_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 10 ipsec-isakmp
    crypto map cr-lakeavemap 10 match address crvpn
    crypto map cr-lakeavemap 10 set peer 198.40.227.50
    crypto map cr-lakeavemap 10 set transform-set ESP-3DES-SHA
    crypto map cr-lakeavemap 65535 ipsec-isakmp dynamic ClientVPN_dyn_map
    crypto map cr-lakeavemap client authentication LOCAL
    crypto map cr-lakeavemap interface outside
    isakmp enable outside
    isakmp key ******** address 198.40.227.50 netmask 255.255.255.255
    isakmp identity address
    isakmp keepalive 10
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    Output of the “show crypto ipsec sa” command
    From the main office
    Crypto map tag: cr-lakeavemap, seq num: 10, local addr: 198.40.227.50
           access-list outside_cryptomap_60 permit gre host 10.254.10.6 host 10.254.60.6
           local ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
           remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
           current_peer: 198.40.254.178
           #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
           #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
           #pkts compressed: 0, #pkts decompressed: 0
           #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
           #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
           #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
           #send errors: 0, #recv errors: 0
           local crypto endpt.: 198.40.227.50, remote crypto endpt.: 198.40.254.178
           path mtu 1500, ipsec overhead 58, media mtu 1500
           current outbound spi: D78E63C9
          inbound esp sas:
          spi: 0x5D63434C (1566786380)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4274801/7527)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xD78E63C9 (3616433097)
             transform: esp-3des esp-sha-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 2, crypto-map: cr-lakeavemap
             sa timing: remaining key lifetime (kB/sec): (4275000/7527)
             IV size: 8 bytes
             replay detection support: Y
    From the offsite datacenter
       local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
       remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
       current_peer: 198.40.227.50:500
       dynamic allocated peer ip: 0.0.0.0
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
        #send errors 1156, #recv errors 0
         local crypto endpt.: 198.40.254.178, remote crypto endpt.: 198.40.227.50
         path mtu 1500, ipsec overhead 56, media mtu 1500
         current outbound spi: 5d63434c
         inbound esp sas:
          spi: 0xd78e63c9(3616433097)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 1, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4608000/6604)
            IV size: 8 bytes
            replay detection support: Y
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x5d63434c(1566786380)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            slot: 0, conn id: 2, crypto map: cr-lakeavemap
            sa timing: remaining key lifetime (k/sec): (4607792/6596)
            IV size: 8 bytes
            replay detection support: Y
         outbound ah sas:
         outbound pcp sas:
    I'm not sure where the issue lies and have beat my head on this for awhile so any help/insight is greatly appreciated.  If there is anything else you'd like to see please let me know. 

    Hi Joe,
    This should be moved to a VPN forum; however, something comes up really quickly from the problem. Here:
       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    That's from the PIX at the main office, so I think the GRE traffic is either not getting there or not being encrypted. I am assuming 10.254.10.6 is the IP address of the router behind the main office, is that correct?
    If so, I would put a capture on the PIX to see if the GRE traffic is getting to that PIX on the inside (unencrypted but encapsulated in GRE) and make sure that it is not being dropped. To ensure that, you can check the logs on the PIX and see if the firewall is dropping the GRE before it is encrypted.
    Also, a packet tracer can be run to ensure that the traffic has a VPN phase, which would indicate that it is following the correct phases and would be encrypted.
    Let me know.
    Mike Rojas.

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Hello,
    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    Hi,
    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
    Federico.

  • IPSEC Tunnel stops responding

    Hi. We have a problem with an IPSec tunnel between our Cisco 1812 and a partner's Cisco router. 3 times in the last 2 months the tunnel has stopped responding, in that we can no longer access the server at the partner's site or ping it. When we check our router it states the VPN connection is up and tests ok. We have found that cycling the power on our router fixes this issue. Unfortunately the link is business critical and we have little time to diagnose the problem. I can't see anything in the Cisco logs relating to the VPN. I was wondering if this could be a problem at our partner's end, and any advice on how to diagnose this problem next time it happens would be greatly appreciated.
    Stephen Weightman

    Hi Stephen,
    What we are experiencing could be related to the lifetime not matching. If the tunnel on our router shows up but it does not work, then there is a possibility that it is not up on their end. So this is how we should proceed:
    1. When the problem occurs, you need to first check the tunnel status by issuing the command:
    sh cry isak sa
    What we are looking for is the source IP, dest IP, and status.
    2. If it shows up on both the routers then we need to look into the IPsec SAs:
    sh cry ipsec sa peer
    We are looking for the status of the tunnel. The specific information to look for is the pkts encaps and decaps, inbound ESP SA and outbound ESP SA. Please be informed that it has to be done on both the routers.
    3. Another thing to check when this problem occurs is whether we see the pkts encaps increasing on our router.
    4. If we see the tunnel up on our end but down on their end, does the problem go away if we just clear the SAs instead of rebooting the router?
    5. Another thing to look for is the IPSEC SA lifetime in the show run. It should match.
    HTH,
    Please rate if it helps,
    Regards,
    Kamal
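    The encaps/decaps comparison in Kamal's steps 2 and 3, and the zero-encaps symptom Mike spotted in Joe's main-office output, can be scripted. This is an added example, not code from the thread: it parses trimmed "show crypto ipsec sa" output from both ends and reports one-way traffic, send errors and SPI mismatches. The two samples are constructed from the counters and SPIs quoted in Joe's post.

```python
"""Added example (not from the thread): read 'show crypto ipsec sa' from both
ends of an IPsec tunnel and flag one-way traffic.  MAIN_OFFICE / OFFSITE are
constructed from the counters and SPIs quoted in the thread, trimmed."""
from __future__ import annotations
import re
from dataclasses import dataclass

MAIN_OFFICE = """\
   local  ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 18867, #pkts decrypt: 18867, #pkts verify: 18867
   #send errors: 0, #recv errors: 0
   current outbound spi: D78E63C9
  inbound esp sas:
   spi: 0x5D63434C (1566786380)
"""
OFFSITE = """\
   local  ident (addr/mask/prot/port): (10.254.60.6/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.254.10.6/255.255.255.255/47/0)
   #pkts encaps: 22360, #pkts encrypt: 22360, #pkts digest 22360
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
   #send errors 1156, #recv errors 0
   current outbound spi: 5d63434c
  inbound esp sas:
   spi: 0xd78e63c9(3616433097)
"""

# PIX 6.3 prints '#pkts digest 22360' (no colon), 7.x prints 'digest: 0',
# so separators are matched loosely.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps)[: ]\s*(\d+)")
SEND_ERR_RE = re.compile(r"#send errors[: ]\s*(\d+)")
OUT_SPI_RE = re.compile(r"current outbound spi:\s*([0-9A-Fa-f]+)")
IN_SPI_RE = re.compile(r"inbound esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)")

@dataclass
class SaStats:
    encaps: int
    decaps: int
    send_errors: int
    outbound_spi: str   # lower-case hex without 0x
    inbound_spi: str

def parse_ipsec_sa(text: str) -> SaStats:
    """Pull the fields Kamal's step 2 asks for out of one peer's output."""
    counters = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    err = SEND_ERR_RE.search(text)
    out_spi = OUT_SPI_RE.search(text)
    in_spi = IN_SPI_RE.search(text)
    return SaStats(
        encaps=counters.get("encaps", 0),
        decaps=counters.get("decaps", 0),
        send_errors=int(err.group(1)) if err else 0,
        outbound_spi=out_spi.group(1).lower() if out_spi else "",
        inbound_spi=in_spi.group(1).lower() if in_spi else "",
    )

def diagnose(a: SaStats, b: SaStats, names=("A", "B")) -> list[str]:
    """Compare both ends.  Empty list = healthy: both sides encapsulate and
    decapsulate, and each side's outbound SPI is the other's inbound SPI."""
    findings = []
    for me_n, peer_n, me, peer in ((names[0], names[1], a, b),
                                   (names[1], names[0], b, a)):
        if me.encaps == 0:
            findings.append(f"{me_n} never encapsulates: interesting traffic is "
                            f"not reaching {me_n}'s crypto map (check the crypto "
                            f"ACL, routing and an inside capture before encryption)")
        elif peer.decaps == 0:
            findings.append(f"{me_n} encapsulates but {peer_n} decapsulates "
                            f"nothing: ESP from {me_n} is lost in transit")
        if me.send_errors:
            findings.append(f"{me_n} reports {me.send_errors} send errors")
    if a.outbound_spi != b.inbound_spi or b.outbound_spi != a.inbound_spi:
        findings.append("SPI mismatch: the ends do not hold the same SA pair "
                        "(stale SA; clear the SAs rather than rebooting)")
    return findings
```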

  • IPSec Tunnel: Idle timeout

    Friends,
    I am going to configure an IPsec tunnel between two sites. I want the tunnel to remain up almost all the time. For this, if I configure "crypto ipsec security-association idle-time" to its maximum value, is there any issue doing this? I mean I want to know if it has any disadvantage. Will it kill my router resources? As you know, when an IPsec tunnel comes up it drops a few packets and also adds delay in communication, which I want to mitigate. Need your comments please.
    Best Regards
    Rameez

    There are a few ways to keep the tunnel open:
    -Periodic isakmp keepalives
    crypto isakmp keepalive
    -As you suggest, increasing the ipsec idle-timer and also the ike/ipsec lifetime
    isakmp policy 20 lifetime
    crypto ipsec security-association lifetime
    -Running NTP between the 2 routers through the ipsec tunnel
    I think there is no big issue. We used this when an IPsec tunnel between a Cisco and a non-Cisco device had problems coming up from the non-Cisco side, so we decided to keep the tunnel up.
    M.

  • Tunnel Traffic going inside IPSEC tunnel

    Hi Everyone,
    Site A  has IP Sec Tunnel to Site B via ASA.
    Now Switch on Site A has GRE tunnel and destination of that tunnel is going inside the IPSEC tunnel.
    In other words IPSEC tunnel between 2 sites is also carrying the GRE Tunnel Traffic.
    Which command i can run on ASA to know if IPSEC is carrying GRE tunnel traffic  or
    What line in ASA config will tell me that this IPSEC is also carrying GRE tunnel traffic?
    Thanks
    MAhesh

    Hi Jouni,
    I can not put config here.
    But here is the info
    sh crypto map shows the ASA outside interface, say GGG; this interface has an ipsec connection to the other site.
    Also sh conn all | inc GRE shows a bunch of output.
    It shows the ASA outside interface which is to the WAN, say GGG, 8 times and it has, say, subnet range
    GRE GGG  10.22.31.4  XY 10.x.x.x.x
    GRE GGG  10.22.31.4  XY  10.x.x.x
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.3
    GRE GGG  10.22.31.4
    GRE GGG  10.22.31.4
    GRE GGG  10.22.31.4
    Where XY is the interface of the ASA which is the next hop to the tunnel destination.
    IP 10.x.x.x is the tunnel source IP, which is a loopback on the switch.
    Do you know why it has 2 entries for the same ASA interface XY?
    Also it has other entries for another ASA interface.
    So does the number of entries tell us the number of GRE connections running?
    Thanks
    MAhesh

  • Ipsec tunnel c7204vxr to c1941isr

    I have a site-to-site ipsec tunnel between a c7204vxr and a c1941isr.  The tunnel is established successfully but I am noticing packet drops on the ingress to the c7204 from the c1941. Specifically, there is an ssl website that is being accessed that is behind the 1941.  When a node from behind the 7204 is accessing it, 27 packets traverse successfully from the 7204 to the 1941.  On the return, 38 packets are sent from the 1941 and only 21 make it to the 7204 (this is determined from tracking acl hit counts placed at the inside interfaces of the 1941 and 7204).  The log at the 7204 shows even fewer packets than that arrived (only two).  The c7204 ios does not have the ability for ip inspect log drop-pkt.  The crypto acl is a full ip acl (access-list 105 permit ip <net> <mask> <net> <mask>).  There are no other firewalls or natting happening between the endpoints.  I can ping nodes on both sides of the tunnel successfully with no loss or drops.  A packet capture of the access attempt shows the node behind the 1941 continually sending tls, ssl, and tcp packets to the node behind the 7204 without response.  What other tools could be used to interrogate this?

    Try doing an Embedded Packet Capture for ESP packets on the WAN interfaces of the routers and do a ping test. Use ICMP packets of a specific size, then extract the captures and check for the packets that are a little bigger than the size of the packets you have sent.
    Then you can count them to see if all the packets of that size are being received. If the count is less, then there is ESP packet loss on the ISP path.

  • IPSEC VPN between two like networks

    Hello --
    For the past few days I have been banging my head against the wall with this problem.
    I have two IP networks that have the same IPs that I need to create an IPSEC tunnel between.
    Here is a crude diagram:
    192.168.1.0/24--[cisco 1920]--Internet--[cisco RV082]--192.168.1.0/24
    I know I need to do some kind of NAT,but from what I've been poking around in the RV082 it doesn't look like it can do it.
    One way I tried to get this to work is like this:
    192.168.1.0/24--[cisco 1920]--Internet--[cisco RV082]-192.168.33.0/24-[Belkin N300 consumer router]--192.168.1.0/24
    But once I changed the Belkin's LAN IP to 192.168.1.1/24 I lost connectivity to its "WAN" port; I was pinging it from the LAN side of the 1920. (I think it was trying to route traffic over its LAN port even though it came over its WAN port.)
    Does anyone have some pointers to get me going in the right direction?
    Thanks,
    Greg Smythe                 

    Hi Greg,
    If you have the same subnet on both ends then yes, you are right, NAT is the only option. You need to do the NAT on both the devices. As you said that the RV can't do that, I don't think you have any other option than to change the subnet on one of the ends, which is not an easy option.
    Thanks
    Jeet

  • Two separate L2L tunnels between same two ASA

    I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access.  I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
    I am considering using an L2L IPSEC tunnel between the two ASAs, but the interesting traffic for the tunnel is different depending on which of the links is down, and therefore I would need two different tunnels.  I have my servers and remote desktop servers at one of the main sites, and the other main site has another organization attached to it externally that the servers must be able to access.
    Is there a way of creating two separate L2L tunnels between the two ASA's?  Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
    Does anyone have another possible solution to the problem? 
    Gene

    You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
    Hope this helps.

  • AP registration over IPSEC Tunnel(ASA)

    Guys, 
    I have my WAP sitting behind ASA and have ipsec tunnel between ASA and router.below is the topology:-
    WAP>>ASA<<< IPSEC TUNNEL>>> Router<<<WLC
    Recently we have replaced the router with an ASA 5505 for security reasons and since then the WAP is not able to register to the WLC. We have the VPN tunnel up and working. Even the WAP is able to ping the WLC IP address.
    Do we need any special configuration in my ASA considering my above topology? I can confirm that the capwap and lwapp ports are opened in the ASA.
    Please let me know if some one has faced this issue before.

    Hi,
    I hope you have already allowed the below mentioned ports as per your requirement.
    You must enable these ports:
    Enable these UDP ports for LWAPP traffic:
    Data - 12222
    Control - 12223
    Enable these UDP ports for mobility traffic:
    16666 - 16666
    16667 - 16667
    Enable UDP ports 5246 and 5247 for CAPWAP traffic.
    TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
    These ports are optional (depending on your requirements):
    UDP 69 for TFTP
    TCP 80 and/or 443 for HTTP or HTTPS for GUI access
    TCP 23 and/or 22 for Telnet or SSH for CLI access
    Also if it goes over the IPSec VPN, MTU size  for the path between AP and WLC should be of 1500, if it has the lesser MTU, then communication fails.
    Can you get me your WLC and ASA OS versions?
    Regards
    Karthik
