12-12-2023 12:07 PM
Hi guys,
I have a sort of confusing issue. Basically I'm trying to connect an ASA 5506-X (remote site) to our DC via site-to-site VPN. When connecting the device I notice that the VPN tunnel is up, and from our mgmt VMs I can ping the remote ASA FW; however, I cannot ping any of the equipment that is connected to it.
What's really confusing for me is that even though we work with basic settings (no NAT...) and every time we deploy a new site we use almost the same config and it always works perfectly, I started to think that maybe the ASA is faulty since it's a used one, but I'm not sure.
What do you guys think? I'm having a hard time troubleshooting this issue.
The full config is in the attachment.
12-12-2023 12:11 PM
Do this command:
clear crypto ipsec sa inactive
Then check again.
MHM
12-12-2023 12:26 PM
On the remote FW, right? I'll definitely try it.
Appreciated.
12-12-2023 12:39 PM
@rahaliix131005 If the tunnel is up, are the encap|decap counters increasing or not? Run "show crypto ipsec sa" on both sides and confirm; provide the output for review.
If the counters are increasing on one side but not the other, then that usually indicates a NAT or a routing issue.
12-12-2023 12:46 PM
I'm aware of the command you mentioned before, but can you please explain the encap|decap counters? As for routing, we just use static routes, nothing fancy. We always work with the same config and the same FW, but this one is just not working properly. Pretty weird.
12-12-2023 12:52 PM
@rahaliix131005 For example: if the decaps counter is increasing then encrypted traffic is being received, but if the encaps counter does not increase then the return traffic is not being encrypted. This could either be because traffic behind the ASA is not routing to the ASA (and vice versa) or, more commonly, because there is no NAT exemption rule, so the return traffic is unintentionally translated behind the firewall's outside interface. Another common issue is a local host-based firewall on the client devices dropping the traffic (hence no return traffic).
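As an added example (not from this thread or from Cisco), the following Python script does the counter comparison described in the reply above: it parses two snapshots of "show crypto ipsec sa" taken a short time apart while test traffic is running, and for each SA it reports whether both directions flow, only decaps grow (return traffic never enters the tunnel: NAT exemption, routing behind the ASA, or host firewalls), only encaps grow (nothing comes back from the peer), or neither moves. The sample output is constructed and assumes the ASA layout of "local ident (...)", "remote ident (...)", "#pkts encaps: N" and "#pkts decaps: N" lines.

```python
import re

# Regexes for the lines we care about in "show crypto ipsec sa" output.
# Assumption: the ASA prints the identity selectors and packet counters in this form.
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

# Constructed sample: two SAs behind one crypto map entry. Counter values are
# filled in per snapshot so the "before" and "after" captures share the layout.
_TEMPLATE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: {enc_a}, #pkts encrypt: {enc_a}, #pkts digest: {enc_a}
      #pkts decaps: {dec_a}, #pkts decrypt: {dec_a}, #pkts verify: {dec_a}

      local ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: {enc_b}, #pkts encrypt: {enc_b}, #pkts digest: {enc_b}
      #pkts decaps: {dec_b}, #pkts decrypt: {dec_b}, #pkts verify: {dec_b}
"""
# First SA: the DC side's pings arrive (decaps grow) but nothing is encrypted back.
# Second SA: healthy, both counters grow.
SNAPSHOT_T0 = _TEMPLATE.format(enc_a=0, dec_a=120, enc_b=500, dec_b=480)
SNAPSHOT_T1 = _TEMPLATE.format(enc_a=0, dec_a=180, enc_b=560, dec_b=530)

VERDICT_TEXT = {
    "OK": "traffic is encrypted in both directions",
    "NO_RETURN": "decaps grow but encaps do not: return traffic is not entering the tunnel "
                 "(check NAT exemption, routing behind the ASA, host firewalls)",
    "NO_INBOUND": "encaps grow but decaps do not: nothing comes back from the peer "
                  "(check the far side's NAT exemption and routing)",
    "IDLE": "neither counter moved: no traffic matched this SA during the interval",
}


def parse_ipsec_sa(output):
    """Return {(local_net, remote_net): (encaps, decaps)} for every SA block.

    A block runs from one 'local ident' line up to the next one; blocks that
    lack a remote ident or either counter (e.g. the interface header) are skipped.
    """
    result = {}
    for block in re.split(r"(?=local ident \()", output):
        idents = IDENT_RE.findall(block)
        enc, dec = ENCAPS_RE.search(block), DECAPS_RE.search(block)
        if len(idents) < 2 or enc is None or dec is None:
            continue
        key = (idents[0][1], idents[1][1])
        result[key] = (int(enc.group(1)), int(dec.group(1)))
    return result


def diagnose(before, after):
    """Compare two parsed snapshots and return {sa_key: verdict_code}."""
    verdicts = {}
    for key, (enc1, dec1) in after.items():
        # An SA that only exists in the later snapshot has no baseline; treat as idle.
        enc0, dec0 = before.get(key, (enc1, dec1))
        enc_up, dec_up = enc1 > enc0, dec1 > dec0
        if enc_up and dec_up:
            verdicts[key] = "OK"
        elif dec_up:
            verdicts[key] = "NO_RETURN"
        elif enc_up:
            verdicts[key] = "NO_INBOUND"
        else:
            verdicts[key] = "IDLE"
    return verdicts


if __name__ == "__main__":
    before = parse_ipsec_sa(SNAPSHOT_T0)
    after = parse_ipsec_sa(SNAPSHOT_T1)
    for (local, remote), code in diagnose(before, after).items():
        print(f"{local} <-> {remote}: {code} - {VERDICT_TEXT[code]}")
```

Paste real captures into the two snapshot strings (or read them from files) and run the script; the verdict per SA tells you which side of the tunnel to look at before touching the config.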
12-12-2023 02:00 PM
You have only provided the configuration for one side of the site-to-site VPN setup, which makes it hard to see if there is anything missing or faulty in the configuration.
Assuming that all configuration on the DC side of the VPN is correct (no-NAT, crypto ACL, routing, etc.), then the most likely issue is routing / default gateway configuration on the endpoints or the network in between that you are trying to reach.
Another thing you could do is run a packet-tracer on the ASA 5506 with a source of an inside / local IP and a destination of the remote IP you are testing from, to verify that the traffic truly is being sent into the tunnel. Run the packet-tracer twice and post the results here.