We've been struggling to get 3 SA520Ws to make an IPSec site-to-site tunnel. After searching the web, we finally found a post about the Racoon firewall and this issue suggesting turning off Perfect Forward Secrecy. After turning off PFS on the SA and the ASA setups, we've got all the tunnels to come up. However, we can't get any traffic to pass between the two networks.
We're still learning the SA units. How can we see the traffic coming through the tunnel? When we go to View Logs, nothing shows up on the SA, but I'm not sure how to enable logging for that traffic. Ultimately, we'd like to be able to control the traffic through the VPN tunnel in the firewall settings so we can restrict certain protocols and source/destinations. If I could do that, then I'd know where to enable logging to see that traffic, but the firewall doesn't seem to identify the VPN networks as a source or destination.
What are the best steps to track down why the traffic isn't passing through the IPSec tunnels we have established?
You can see traffic counters in the status->vpn-status->IPSec Status page.
As for passing the traffic via the tunnels, have you set the IP ranges correctly in the VPN Policy page (i.e. remote: 192.168.2.0/24 and local: 192.168.4.0/24, not "any any"), and similarly via the ACLs on the ASA (the ASA runs an IOS derivative, does it not)?
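The check the answer describes, as an added example that is not part of the original thread: a tunnel that negotiates but carries no traffic is very often a phase 2 selector mismatch, so the SA520W's VPN Policy subnets and the ASA's crypto ACL must describe the same two networks, mirrored (the SA's "remote" is the ASA's source and the SA's "local" is the ASA's destination), and neither side should use any/any. The script below parses ASA `access-list ... extended permit ip` lines and compares them with the SA policy. The ACL name VPN-TO-SA and the sample lines are constructed assumptions; the two subnets are the ones from the answer.

```python
"""Phase 2 selector check between an SA520W VPN policy and an ASA crypto ACL.

Added example, not vendor code. The SA policy dict, the ACL text and the
ACL name VPN-TO-SA are constructed samples for illustration.
"""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample of the SA520W's VPN Policy page values.
SA_POLICY = {"local": "192.168.4.0/24", "remote": "192.168.2.0/24"}

# Constructed sample ASA crypto ACL line (hypothetical ACL name VPN-TO-SA).
ASA_CRYPTO_ACL = (
    "access-list VPN-TO-SA extended permit ip "
    "192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0\n"
)


def _take_network(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from a token list."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts dotted netmask notation such as 192.168.2.0/255.255.255.0
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_asa_crypto_acl(text):
    """Return (src, dst) network pairs from 'access-list ... extended permit ip' lines."""
    pairs = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2:5] != ["extended", "permit", "ip"]:
            continue  # ignore other ACL forms, comments and blank lines
        src, rest = _take_network(tok[5:])
        dst, _ = _take_network(rest)
        pairs.append((src, dst))
    return pairs


def check_selectors(sa_policy, asa_acl_text):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    sa_local = ipaddress.ip_network(sa_policy["local"])
    sa_remote = ipaddress.ip_network(sa_policy["remote"])
    if ANY in (sa_local, sa_remote):
        findings.append("SA policy uses any; set the real local/remote subnets")
    pairs = parse_asa_crypto_acl(asa_acl_text)
    if not pairs:
        findings.append("no crypto ACL entries found on the ASA side")
    for src, dst in pairs:
        if ANY in (src, dst):
            findings.append("ASA crypto ACL uses any; use the real subnets")
        # The ASA ACL must be the mirror image of the SA policy.
        if (src, dst) != (sa_remote, sa_local):
            findings.append(
                f"ASA ACL {src} -> {dst} does not mirror SA policy "
                f"remote {sa_remote} / local {sa_local}"
            )
    return findings


if __name__ == "__main__":
    for finding in check_selectors(SA_POLICY, ASA_CRYPTO_ACL) or ["selectors match"]:
        print(finding)
```

Paste the real `access-list` lines from `show running-config` into `ASA_CRYPTO_ACL` and the subnets from the SA's VPN Policy page into `SA_POLICY`; any finding other than "selectors match" points at the side to fix before looking further.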