Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
922
Views
0
Helpful
6
Replies

IPsec VPN some subnet unable to access to MY

fri
Level 1
Level 1

‎09-08-2019 02:02 AM - edited ‎09-08-2019 05:20 AM

Hi All,

 

We have build tunnel to HQ and branch, only some segment on HQ is unable to access application at branch office, but ping is able to ping.

ASA model & version : 5516-X & 9.12(2)

 

When HQ access to branch our asa get below message.

the asa discarded a tcp packet that has no associated connection in the asa connection table.

Deny TCP (no connection) from 10.251.72.224/53212 to 10.97.108.21/1521 flags RST-ACK on interface outside.

 

Labels:
Preview file
24 KB
0 Helpful
6 Replies 6

Dennis Mink
VIP Alumni
VIP Alumni

‎09-08-2019 03:25 AM

Mate. We are no claire voyants. Where are these ip addr. In your configs. You need to give more info than that.
Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

fri
Level 1
Level 1
In response to Dennis Mink

‎09-08-2019 05:22 AM

Hi Sorry,

 

Just added in attach file , 153.139.225.121 is to HQ VPN which from HQ remote lan only 10.251.72.xx/23 unable to access to our LAN network current ASA config.

 

Please advise.

 

0 Helpful

fri
Level 1
Level 1
In response to Dennis Mink

‎09-09-2019 08:29 AM

Hi Dennis,

I add in the config file , please advise

 

 

0 Helpful

bhargavdesai
Spotlight
Spotlight
In response to fri

‎09-10-2019 01:00 AM

Can you run the packet tracer (with Detail key word) command from both end and share the output. 

 

 

HTH

0 Helpful

fri
Level 1
Level 1
In response to bhargavdesai

‎09-10-2019 01:36 AM

Hi ,

 

As attached file,

10.251.72.xx is remote site IP

10.97.108.xx is our local IP.

 

Preview file
10 KB
Preview file
5 KB
0 Helpful

bhargavdesai
Spotlight
Spotlight
In response to fri

‎09-10-2019 03:01 AM

The packet tracer from remote site syntax is fine?

 

input is OUTSIDE

 

 

packet-tracer input outside tcp 10.251.72.22 1521

 

I would say that it should be inside 

 

HTH

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card