Buy or Renew
Buy or Renew
NOTICE: The community will be in READ-ONLY Sept. 6 – 9 to add Umbrella release notes and announcements. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
438
Views
0
Helpful
1
Replies

ASA in between Site-to-Site VPN tunnel

vishnureddy1979
Level 1
Level 1

‎03-03-2016 07:00 AM - edited ‎03-12-2019 12:26 AM

Hello,

 

I have site to site tunnel between 2 ASAs. One ASA is behind the university and other is at our datacenter. University provides us the Internet services and they have the ASA which controls the incoming traffic. We used to have tunnel issues where the stale SAs were inactive at University and SAs got deleted at the datacenter due to inactivity timeout or some other reasons not known. Later found out that ASA9.1.5 behind the University ASA had the bug for not deleting the stale entries. After downgrading the code to 8.4.6 version we are not seeing any issues. And its working as normal. University guy said  he added some ACLS on the outside interface to allow our Datacenter public IP to pass the VPN traffic.

 

https://quickview.cloudapps.cisco.com/quickview/bug/CSCup37416

My Question even before adding those acls the tunnels was working but was not deleting the stale entries. I think after upgrade it became stable. Unversity guys says after adding the ACL it may have stablized the issue.

 

My understanding that even before adding the ACLs the university ASA used to initiate the tunnel always and hence it was working previously or there could be another reason too which i am not aware of.

Could anyone can provide insight into as what was going on?

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

carlguer
Level 1
Level 1

‎03-03-2016 03:46 PM

Hello,

You can check if you have the following sysopt enabled "sysopt connection permit vpn" and this will actually prevent vpn traffic to go through the inspections before getting to the inside networks.

Adding the public ip on the outside interface shouldn't make any difference whether the tunnel works or not, the tunnel will break if there's no traffic flowing through it.

One possible bug that might have been affecting you is this one:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCty91877/?reffering_site=dumpcr

Please rate if you find the information useful.

Regards,

-Javier- 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card