10-12-2009 07:00 AM
I have an RV042 running firmware 1.3.12.19-tm connected to the internet.
LAN subnet is 192.168.10.0/255.255.255.0
On the other side I have an ASA5510 also connected to the internet.
The ASA5510 LAN subnets are split into 3 subnets
1) 192.168.60.0/255.255.255.0
2) 192.168.61.0/255.255.255.0
3) 192.168.62.0/255.255.255.0
I have set up a VPN connection between the routers as follows:
On RV042
Local Group Setup
Local Security Gateway Type: IP Only
IP Address: rv042 external ip address
Local Security Group Type: Subnet
IP Address: 192.168.10.1
Subnet Mask: 255.255.255.0
Remote Group Setup
Remote Security Gateway Type: IP Only
IP Address: ASA5510 external IP address
Remote Security Group Type: Subnet
IP address: 192.168.60.0
Subnet Mask: 255.255.252.0
On the ASA5510 I have set up the VPN allowing access to the subnet 192.168.60.0/22 to 192.168.10.0/24.
The VPN gets established and traffic from the rv042 10.0 subnet works fine with the 61.0 and 62.0 subnet of the ASA5510.
For some reason traffic on the 60.0 subnet refuses to work.
Using tcpdump on a machine on the 60.0 subnet, I can see that a ping sent from 10.x is successfully received on the 60.x machine across the VPN and a reply is sent, but the reply is not received on the 10.x machine.
I have checked using the packet tracer of the ASA and the packet shows as being allowed across the ASA.
I have checked the access control lists on the ASA and that seems to be fine.
I have also viewed the logs on the ASA and can see that the ping is received and the teardown message also being logged successfully.
The RV042 unfortunately doesn't show any signs of the packets.
I enabled the syslog of the RV042 and installed the WallWatcher program to view the syslogs.
I enabled all checkboxes on the Log page of the RV042 to enable logging of all traffic.
The RV042 doesn't seem to log VPN traffic at all!!
That makes it really difficult to figure out if the problem is local to the RV042 or is on the ASA5510 side.
The fact that the VPN gets established successfully and I am able to ping the 61.0 and 62.0 subnets from 10.0 makes it even more strange why the 60.0 subnet refuses to work.
I also tried setting up 3 separate VPN links from the (RV042) 192.168.10.0/24 subnet to (ASA) 192.168.60.0/24, 192.168.61.0/24, 192.168.62.0/24.
I get the exact same symptoms. Only the 60.0 subnet refuses to work!!!
I have been breaking my head on this for the last few days and would appreciate any advice or hints on debugging this further.
/sanjay
10-12-2009 08:02 AM
Yeah, I have to agree, that is very strange. Is it just pings that are being blocked, or can you RDP or anything to see if you can connect from the 60.x network?
10-12-2009 08:17 AM
It is all traffic. I just used ping as a test case.
Also the block is just in one direction.
I set up tcpdump on two Linux boxes on each side of the VPN.
When I ping from 10.x to 60.x, the 60.x machine receives the ping.
When I ping from 60.x to 10.x, the 10.x machine does NOT receive the ping.
Unfortunately the RV042 logging doesn't show if the RV042 has received the ping either, since it doesn't seem to log VPN traffic at all.
/sanjay
10-12-2009 08:32 AM
I don't know, are the settings the same as from the other subnets to the RV042 that are working? It seems something within that subnet on the ASA, since the tunnels between the other two subnets are working perfectly. I would look into that.
10-26-2009 04:36 AM
Resolved the problem by reloading the ASA5510!!!
I used to think Cisco boxes did not need to be restarted. It looks like sometimes they do.
/sanjay