ASA IPSec tunnel

Anukalp S
Level 1

Hi.. I have been facing a weird issue where both end ASAs are encrypting packets for each other's end network subnet but not decrypting. Please suggest what the issue could be.
ASA1 - 192.168.19.0/24

ASA2 - 192.168.22.0/24
3 Replies

balaji.bandi
Hall of Fame

This could be for many reasons; a couple of things to check are below:

  1. Verify the other end has a route outside for the interesting traffic.
  2. Check that both VPN ACLs are not mismatched.
  3. Double check the NATs to make sure the traffic is not being NATed incorrectly.
  4. Is what you are trying to ping even responding back? Often what you're sending traffic to is not able to accept, or is not responding to, this traffic. I prefer to put a packet capture on the remote-end firewall to see if the traffic is coming back into that firewall.
Until we know how you configured your running config / NAT / ACL, it's hard to tell.

Post the configuration of both the devices. We assume that the tunnel is up and running; if so, please also post the information below.
show crypto ipsec sa (from both sides)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
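The `show crypto ipsec sa` counters recommended above are the quickest way to tell which leg of a site-to-site tunnel is dropping traffic: `#pkts encaps` counts what an ASA encrypted and sent, `#pkts decaps` counts what it received and decrypted, so comparing the two peers' numbers for the same proxy identities says whether ESP is getting lost on the wire, whether the far side is simply not replying, or whether the two crypto ACLs do not even describe the same flows. The script below is an added example, not code from this thread or from Cisco; it parses constructed `show crypto ipsec sa` excerpts from both ASAs (the local/remote ident and packet-counter lines, in the format the ASA prints them) and labels each flow. The sample networks 192.168.19.0/24, 192.168.21.0/24 and 192.168.22.0/24, the peer addresses and all counter values are constructed for illustration; the counters for the 192.168.22.0/24 flow are set to match the symptom described in the question (both ends encrypt, neither decrypts).

```python
"""Added example: pair the IPsec SAs from two ASAs and explain the encaps/decaps
counters per flow. All sample output below is constructed, not captured."""
import re
from dataclasses import dataclass

# Lines of interest in ASA "show crypto ipsec sa" output.
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


@dataclass
class IpsecSa:
    local: str   # proxy identity on this ASA, e.g. "192.168.19.0/255.255.255.0"
    remote: str  # proxy identity of the far side
    encaps: int  # packets this ASA encrypted and sent into the tunnel
    decaps: int  # packets this ASA received from the tunnel and decrypted


def parse_ipsec_sa(output: str) -> list:
    """Collect one IpsecSa per SA block; the '#pkts decaps' line closes a block."""
    sas, cur = [], {}
    for line in output.splitlines():
        if m := IDENT_RE.search(line):
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))
            sas.append(IpsecSa(cur["local"], cur["remote"], cur["encaps"], cur["decaps"]))
            cur = {}
    return sas


def diagnose(sas_a: list, sas_b: list) -> list:
    """Match each SA on ASA-A with its mirror on ASA-B (local/remote swapped)
    and return (flow, code, explanation) tuples, one per SA on ASA-A."""
    findings = []
    for a in sas_a:
        flow = f"{a.local} <-> {a.remote}"
        b = next((s for s in sas_b if s.local == a.remote and s.remote == a.local), None)
        if b is None:
            findings.append((flow, "no-peer-sa",
                             "no mirrored SA on the peer: crypto ACLs / object-groups differ"))
            continue
        a_lost = a.encaps > 0 and b.decaps == 0   # A sends ESP that B never decrypts
        b_lost = b.encaps > 0 and a.decaps == 0   # B sends ESP that A never decrypts
        if a_lost and b_lost:
            code, why = "esp-lost-both-ways", (
                "both ASAs encrypt but neither decrypts: ESP is not arriving at either peer; "
                "check the path between the outside interfaces rather than the crypto ACLs")
        elif a_lost or b_lost:
            src = "A" if a_lost else "B"
            code, why = f"esp-lost-from-{src}", f"ASA-{src} encrypts but the peer never decrypts"
        elif a.encaps > 0 and b.encaps == 0:
            code, why = "no-reply-from-B", (
                "B decrypts but sends nothing back: the remote host is not answering, or "
                "the reply is NATed or routed away from the tunnel on B")
        elif b.encaps > 0 and a.encaps == 0:
            code, why = "no-reply-from-A", "A decrypts but sends nothing back"
        elif a.encaps == 0 and b.encaps == 0:
            code, why = "idle", "no traffic has matched the crypto ACL on either side"
        else:
            code, why = "healthy", "counters increment in both directions"
        findings.append((flow, code, why))
    return findings


# Constructed excerpts of "show crypto ipsec sa" from each ASA (peer addresses are
# documentation ranges, counters are invented to reproduce the reported symptom).
ASA1_SA = """\
Crypto map tag: OUTSIDE_MAP, seq num: 10, local addr: 203.0.113.1
  local ident (addr/mask/prot/port): (192.168.19.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
  current_peer: 198.51.100.1
  #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
  #pkts decaps: 480, #pkts decrypt: 480, #pkts verify: 480
  local ident (addr/mask/prot/port): (192.168.19.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
  current_peer: 198.51.100.1
  #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA2_SA = """\
Crypto map tag: OUTSIDE_MAP, seq num: 10, local addr: 198.51.100.1
  local ident (addr/mask/prot/port): (192.168.21.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.19.0/255.255.255.0/0/0)
  current_peer: 203.0.113.1
  #pkts encaps: 480, #pkts encrypt: 480, #pkts digest: 480
  #pkts decaps: 500, #pkts decrypt: 500, #pkts verify: 500
  local ident (addr/mask/prot/port): (192.168.22.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.19.0/255.255.255.0/0/0)
  current_peer: 203.0.113.1
  #pkts encaps: 60, #pkts encrypt: 60, #pkts digest: 60
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

if __name__ == "__main__":
    for flow, code, why in diagnose(parse_ipsec_sa(ASA1_SA), parse_ipsec_sa(ASA2_SA)):
        print(f"{flow}: {code}\n    {why}")
```

Run it against real output by pasting each ASA's `show crypto ipsec sa` into the two strings; the `no-peer-sa` result is what you would see when an object-group entry exists in the crypto ACL on one side but not the other, and `esp-lost-both-ways` on only one of several subnets points at the flow's SA itself (for example a stale SA after a mismatch) rather than at the peer's reachability.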

Hi Balaji.. Actually, ASA-2 has two subnets, 192.168.22.0/24 & 192.168.21.0/24, which are in an object-group. I am facing the issue with subnet 192.168.22.0/24, while 192.168.21.0/24 works fine. Those two are in the object-group in the VPN ACL on both sides of the ASA. Don't know why only 192.168.22.0/24 is not reachable. Will share logs.

Hi Balaji.. Also, ASA-2 is running ver 8.2; could you share the no-NAT config and the ACL to apply to the VPN?