
ASA to ASA VPN -encrypted packets 'getting lost' in tunnel

rcullum (Level 1)

Hi

We have a site-to-site VPN between ASAs, both on v9.1.6 code. The remote ASA also has to do source/destination NAT. We see that 'interesting' traffic initiated from the remote side results in an IPsec SA. The near end has the corresponding SA, with matching SPIs. However, the remote end SA shows packets encrypted, none decrypted. The near end ASA shows no packets decrypted or encrypted. So how can I 'lose' packets in my VPN tunnel if both ends have matching SAs/SPIs?

best regards

Richard


3 Replies

Accepted Solution

Hi

Could be incorrect NAT rules or an access-list denying ESP packets somewhere in the path between the two ASAs.

I'd go with Henrik's first suggestion as the most likely cause.

Make sure by using packet-tracer that your result is the NAT policy you want.

Hi

The remote end is routed through a customer firewall into a public IP DMZ. They hadn't allowed for a bi-directional VPN in their rulebase, i.e. either of the VPN peers needed to be able to initiate an encrypted connection. Now sorted.
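The symptom in this thread (matching SPIs, one side encrypting, nobody decrypting) is only visible when the SA counters from both peers are read side by side. As an added example, not part of the original thread or of any Cisco tool, the Python below parses abridged `show crypto ipsec sa` output from both ASAs, checks that each peer's outbound SPI is the other's inbound SPI, and compares the encaps/decaps counters direction by direction to say where ESP (IP protocol 50, or UDP/4500 under NAT-T) is being dropped. The two ASA outputs, the addresses, SPIs and counters are constructed for this example; the field regexes, the `SaStats` type and the verdict strings are assumptions of this example, not ASA output formats beyond the lines shown.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Constructed, abridged `show crypto ipsec sa` output for both peers (made-up
# addresses, SPIs and counters; not the poster's devices). The near ASA has
# encrypted and decrypted nothing; the remote ASA has encrypted 57 packets and
# decrypted none, which is the situation described in the thread.
NEAR_ASA_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    inbound esp sas:
      spi: 0x5E6F7A8B (1584364171)
    outbound esp sas:
      spi: 0x1A2B3C4D (439041101)
"""

REMOTE_ASA_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.20

      current_peer: 203.0.113.10

      #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
    outbound esp sas:
      spi: 0x5E6F7A8B (1584364171)
"""


@dataclass
class SaStats:
    local: str         # this ASA's VPN address
    peer: str          # the peer this SA was negotiated with
    encaps: int        # packets this ASA encrypted and sent
    decaps: int        # packets this ASA received and decrypted
    inbound_spi: int   # SPI expected on ESP arriving from the peer
    outbound_spi: int  # SPI stamped on ESP sent to the peer


# One regex per field we need; the SPI ones span the "inbound esp sas:" header
# and the indented "spi:" line that follows it.
_FIELDS = {
    "local": re.compile(r"local addr:\s*(\S+)"),
    "peer": re.compile(r"current_peer:\s*(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "inbound_spi": re.compile(r"inbound esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)"),
    "outbound_spi": re.compile(r"outbound esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)"),
}


def parse_ipsec_sa(text: str) -> SaStats:
    """Extract the fields needed for a one-way-tunnel diagnosis from one SA."""
    found = {}
    for name, rx in _FIELDS.items():
        m = rx.search(text)
        if m is None:
            raise ValueError(f"'{name}' not found in show crypto ipsec sa output")
        raw = m.group(1)
        if name.endswith("_spi"):
            found[name] = int(raw, 16)
        elif name in ("encaps", "decaps"):
            found[name] = int(raw)
        else:
            found[name] = raw
    return SaStats(**found)


def diagnose(near: SaStats, far: SaStats) -> Tuple[str, str]:
    """Return (verdict, explanation) from both peers' SA counters.

    Matching SPIs only prove IKE installed the SA on both sides; whether ESP
    actually crosses the path shows up only when encaps on one peer is
    compared with decaps on the other, per direction.
    """
    if near.outbound_spi != far.inbound_spi or far.outbound_spi != near.inbound_spi:
        return ("spi-mismatch", "SPIs are not crossed between the peers; the SAs "
                "are stale or from different negotiations. Rebuild the tunnel.")
    if far.encaps > 0 and near.decaps == 0:
        return ("esp-dropped-far-to-near",
                f"{far.local} encrypted {far.encaps} packets toward {far.peer} but "
                f"{near.local} decrypted none: ESP is dropped or misrouted on the "
                f"path toward {near.local} (firewall rule, NAT, or no NAT-T).")
    if near.encaps > 0 and far.decaps == 0:
        return ("esp-dropped-near-to-far",
                f"{near.local} encrypted {near.encaps} packets toward {near.peer} but "
                f"{far.local} decrypted none: ESP is dropped on the path toward "
                f"{far.local}.")
    if near.encaps == 0 and far.encaps == 0:
        return ("idle", "No interesting traffic has matched either crypto ACL; "
                "confirm the crypto ACL and NAT exemption with packet-tracer.")
    return ("healthy", "ESP is flowing and being decrypted in both directions.")


if __name__ == "__main__":
    verdict, why = diagnose(parse_ipsec_sa(NEAR_ASA_SA), parse_ipsec_sa(REMOTE_ASA_SA))
    print(verdict)
    print(why)
```

Run against the constructed outputs, the verdict is `esp-dropped-far-to-near`: the remote peer is encrypting, the near peer never decrypts, so the near peer never has a reply to encrypt, which is why its counters are zero in both directions. That points at the path between the peers (here, the customer firewall in front of the DMZ) rather than at IKE, which is exactly the conclusion the thread reached.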
