ASA Lan 2 Lan VPN and IPSLA

Justin Westover
Level 1

I have a customer that has an L2L VPN between their sites established with two ASAs. From time to time they complain about the VPN going down, but I see no logs indicating this on the firewall, and the tunnel is always up and working fine when I log in. I would like to set up an IP SLA on each ASA to monitor the other ASA through the VPN. Is this possible? Currently when I try, I can't ping from the local ASA through the tunnel even though I'm sourcing from an interface that is inside of the crypto map statement. I just get the below, thoughts? I added an ACL on inside1-db to allow all traffic (IP) from host 10.23.139.229 to 10.20.159.229, but I still get the same results in packet-tracer. What am I missing, or is this just not possible? Obviously hosts on these networks can communicate with one another just fine across the VPN (example: 10.23.139.18 can talk to 10.20.159.10 no problem).

 

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a66bf80, priority=1, domain=permit, deny=false
        hits=880163930, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside1-db, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside1-db,outside-acl) source static obj-10.23.139.0 obj-10.23.139.0 destination static ng-vpn_nat_exempt ng-vpn_nat_exempt no-proxy-arp
Additional Information:
NAT divert to egress interface outside-acl
Untranslate 10.20.159.229/0 to 10.20.159.229/0

Phase: 3
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29401dd0, priority=500, domain=permit, deny=true
        hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=10.23.139.229, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0,, dscp=0x0
        input_ifc=inside1-db, output_ifc=any

Result:
input-interface: inside1-db
input-status: up
input-line-status: up
output-interface: outside-acl
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
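For readers looking for the actual IP SLA configuration, the following is an added example (not from the original post and not a Cisco-published config). It assumes that 10.23.139.229 is the inside1-db interface address of the local ASA, that 10.20.159.229 is the inside interface address of the remote ASA, and that both /32s are already covered by the crypto ACL and by the NAT exemption shown in Phase 2 above. The `management-access` line is included because, on an ASA, traffic the firewall itself sources from an inside interface is only sent through a site-to-site tunnel when that interface is the management-access interface; the SLA and track identifiers (10 and 1) are arbitrary.

```text
! Local ASA: ICMP echo probe to the remote ASA's inside address,
! sourced from inside1-db so it matches the crypto ACL / NAT exemption
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.159.229 interface inside1-db
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now

! Expose the probe result as a tracked object (up/down history is kept)
track 1 rtr 10 reachability

! Required so ASA-originated traffic from inside1-db can traverse the VPN
! (assumed to be missing from the customer's current config)
management-access inside1-db

! Remote ASA: allow the probe to reach its inside interface, if icmp
! rules are already in use there (no icmp rules = ICMP to interfaces allowed)
icmp permit host 10.23.139.229 inside
```

Two checks are worth running once this is in place. First, test from the ASA's own CLI with `ping inside1-db 10.20.159.229` rather than with packet-tracer: packet-tracer simulates a packet arriving on inside1-db from the given source, so a packet "from" the interface's own address is evaluated as spoofed through-the-box traffic (the implicit deny with `src ip/id=10.23.139.229, mask=255.255.255.255` in Phase 3 above is consistent with that), which is not the path a from-the-box probe takes. Second, watch `show sla monitor operational-state 10` and `show track 1` for a day or two; the track history gives timestamps for each reachability change, which is exactly the evidence missing from the firewall logs when the customer reports the tunnel as down.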

1 Reply

pjain2
Cisco Employee

please attach the running config of the ASA
