ASA Reachable but the equipment's connected to it are not

rahaliix131005
Level 1

Hi guys,

I have a sort of confusing issue. Basically, I'm trying to connect an ASA 5506-X (remote site) to our DC via site-to-site VPN. When connecting the device I notice that the VPN tunnel is up, and from our mgmt VMs I can ping the remote ASA firewall; however, I cannot ping any of my equipment that is connected to it.

What's really confusing for me is that, even though we work with basic settings (no NAT...) and every time we deploy a new site we use almost the same config and it always works perfectly, I started to think that maybe the ASA is faulty since it's a used one, but I'm not sure.

What do you guys think? I'm having a hard time troubleshooting this issue.

The full config is in the attachment.


Do this command:

clear crypto ipsec sa inactive

Then check again.

MHM

On the remote FW, right? I'll definitely try it.

Appreciated.

@rahaliix131005 if the tunnel is up, are the encap|decap counters increasing or not? Run "show crypto ipsec sa" on both sides and confirm, provide the output for review.

If the counters are increasing on one side but not the other, then that usually indicates a NAT or a routing issue.

I'm aware of the command you mentioned before, but can you please explain the encap|decap counters? As for routing, we just use static routes, nothing fancy. We always work with the same config and the same FW, but this one is just not working properly. Pretty weird.

@rahaliix131005 for example: if the decaps counter is increasing then encrypted traffic is received, but if the encaps counter does not increase then the return traffic is not encrypted. This could be either because traffic behind the ASA is not routing to the ASA (and vice versa) or, more commonly, because there is no NAT exemption rule, so the return traffic is unintentionally translated behind the firewall's outside interface. Another common issue is that there is a local host-based firewall on the client devices and traffic is dropped (hence no return traffic).

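As an added example (not code from the post above, and not a Cisco tool), here is a small Python script that does the comparison Rob describes: capture "show crypto ipsec sa" on one ASA twice a few seconds apart while pinging across the tunnel, compute the per-SA encaps/decaps deltas and classify what moved. The two snapshots embedded below are constructed sample output using RFC 5737 documentation addresses, not output from the poster's firewall, and the assumed block layout (local ident / remote ident / #pkts encaps / #pkts decaps lines) is the usual ASA format; adjust the regular expressions if your software version prints it differently.

```python
import re

# Constructed "show crypto ipsec sa" snapshots (assumed ASA layout, RFC 5737 addresses).
# SA 1 (192.168.10.0/24) is the thread's symptom: decaps grows, encaps stays at 0.
# SA 2 (192.168.20.0/24) is a healthy tunnel for comparison.
SNAPSHOT_1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 50, #pkts encrypt: 50, #pkts digest: 50
      #pkts decaps: 48, #pkts decrypt: 48, #pkts verify: 48
"""
SNAPSHOT_2 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 160, #pkts decrypt: 160, #pkts verify: 160
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 62, #pkts encrypt: 62, #pkts digest: 62
      #pkts decaps: 60, #pkts decrypt: 60, #pkts verify: 60
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \((?P<net>[\d.]+/[\d.]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \((?P<net>[\d.]+/[\d.]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Map (local_net, remote_net) -> (encaps, decaps) for every SA block in the output."""
    sas = {}
    local = remote = encaps = None
    for line in text.splitlines():
        if m := LOCAL_RE.search(line):          # a new SA block starts at "local ident"
            local, remote, encaps = m.group("net"), None, None
        elif m := REMOTE_RE.search(line):
            remote = m.group("net")
        elif m := ENCAPS_RE.search(line):
            encaps = int(m.group(1))
        elif (m := DECAPS_RE.search(line)) and local and remote and encaps is not None:
            sas[(local, remote)] = (encaps, int(m.group(1)))   # decaps line closes the block
            local = remote = encaps = None
    return sas


def classify(delta_encaps, delta_decaps):
    """Which direction moved during the interval; negative deltas mean the SA was rebuilt."""
    if delta_encaps < 0 or delta_decaps < 0:
        return "sa_reset"        # rekey or "clear crypto ipsec sa" between snapshots: sample again
    if delta_encaps > 0 and delta_decaps > 0:
        return "bidirectional"
    if delta_decaps > 0:
        return "receive_only"    # peer traffic is decrypted here but nothing is encrypted back
    if delta_encaps > 0:
        return "send_only"
    return "idle"


ADVICE = {
    "bidirectional": "traffic flows both ways through this SA; look at the far side or the hosts",
    "receive_only": "no return traffic is encrypted: check that the hosts route back to this ASA, "
                    "that a NAT exemption covers the crypto ACL, and the hosts' local firewalls",
    "send_only": "local traffic is encrypted but nothing comes back: check the peer ASA",
    "idle": "no packets matched this SA; confirm the test traffic matches the crypto ACL",
    "sa_reset": "counters went backwards (SA rebuilt); take two fresh snapshots",
}


def diagnose(snapshot_before, snapshot_after):
    """Per-SA (delta_encaps, delta_decaps, status) between two snapshots of one ASA."""
    before = parse_ipsec_sa(snapshot_before)
    after = parse_ipsec_sa(snapshot_after)
    result = {}
    for key, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(key, (0, 0))
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        result[key] = (d_enc, d_dec, classify(d_enc, d_dec))
    return result


if __name__ == "__main__":
    for (local, remote), (d_enc, d_dec, status) in diagnose(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{local} -> {remote}: encaps +{d_enc}, decaps +{d_dec}: {status}")
        print(f"  {ADVICE[status]}")
```

Run it once on the remote ASA's output and once on the DC ASA's; a "receive_only" verdict on the remote side paired with "send_only" on the DC side is the pattern Rob describes, and it points at the hosts, routing or NAT exemption behind the remote ASA rather than at the tunnel itself.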

You have only provided configuration for one side of the site-to-site VPN setup, which makes it hard to see if there is anything missing or faulty in the configuration.

Assuming that all configuration on the DC side of the VPN is correct (no-NAT, crypto ACL, routing, etc.), then the most likely issue is routing / default gateway configuration on the endpoints or the network in between that you are trying to reach.

Another thing you could do is a packet-tracer on the ASA 5506 with a source of an inside / local IP and a destination of the remote IP you are testing from, to verify that the traffic truly is being sent into the tunnel. Run the packet-tracer twice and post the results here.
