https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867922#M28238 <P>This could be many reasons, couple of things to check as below :</P> <OL> <LI>Verify the other end has a route outside for the interesting traffic.</LI> <LI>Check that both VPN ACL’s are not mismatched.</LI> <LI>Double check NAT’s to make sure the traffic is not NAT’ing correctly.</LI> <LI>Is what you are trying to ping even responding back? Often what you’re sending traffic to is not able to accept or is not responding to this traffic. I prefer to put a packet capture on the remote end firewall to see if the traffic is coming back into that firewall.</LI> </OL> <P>&nbsp;</P> <P>until we know&nbsp;&nbsp;how you configured your running config / nat / acl.&nbsp; its hard to tell.</P> <P>post configuration of the bot the devices&nbsp; - we asume that tunnel is up and running if so please post also below information.</P> <P>&nbsp;</P> <P>show crypto ipsec sa (from both the side)</P> Wed, 05 Jun 2019 07:30:26 GMT balaji.bandi 2019-06-05T07:30:26Z https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867910#M28237 <P>Hi.. I have been facing weird issue where both end ASAs are encrypting packets for eachother end network subnet but not decrypting. Please suggest what could be the issue.</P><P>&nbsp;</P><P>ASA1 - 192.168.19.0/24</P><P>ASA2 - 192.168.22.0/24</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 05 Jun 2019 07:07:52 GMT https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867910#M28237 Anukalp S 2019-06-05T07:07:52Z https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867922#M28238 <P>This could be many reasons, couple of things to check as below :</P> <OL> <LI>Verify the other end has a route outside for the interesting traffic.</LI> <LI>Check that both VPN ACL’s are not mismatched.</LI> <LI>Double check NAT’s to make sure the traffic is not NAT’ing correctly.</LI> <LI>Is what you are trying to ping even responding back? Often what you’re sending traffic to is not able to accept or is not responding to this traffic. I prefer to put a packet capture on the remote end firewall to see if the traffic is coming back into that firewall.</LI> </OL> <P>&nbsp;</P> <P>until we know&nbsp;&nbsp;how you configured your running config / nat / acl.&nbsp; its hard to tell.</P> <P>post configuration of the bot the devices&nbsp; - we asume that tunnel is up and running if so please post also below information.</P> <P>&nbsp;</P> <P>show crypto ipsec sa (from both the side)</P> Wed, 05 Jun 2019 07:30:26 GMT https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867922#M28238 balaji.bandi 2019-06-05T07:30:26Z https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867934#M28239 Hi Balaji.. Actually ASA-2 has two subnets 192.168.22.0/24 &amp; 192.168.21.0/24 which are in object-group. I am facing issue with subnet 192.168.22.0/24. while 192.168.21.0/24 work fine. Those two are in objectgroup in VPN ACL on both side of ASA. DOnt know why only 192.168.22.0/24 is not reachable. Will share logs. Wed, 05 Jun 2019 07:43:11 GMT https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867934#M28239 Anukalp S 2019-06-05T07:43:11Z https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867946#M28240 Hi Balaji.. Also ASA-2 is running ver 8.2 , could you share No NAT config and ACL to apply into VPN. Wed, 05 Jun 2019 08:09:05 GMT https://community.cisco.com/t5/network-security/asa-ipsec-tunnel/m-p/3867946#M28240 Anukalp S 2019-06-05T08:09:05Z