09-18-2015 03:00 AM
Hi
We have a site-to-site VPN between ASAs. Both on v9.1.6 code. On remote ASA, it also has to do source-destination NAT. We see 'interesting' traffic initiated from remote side results in IPsec SA. Near end has corresponding SA. Matching SPIs. However, remote end SA shows packets encrypted, none decrypted. Near end ASA shows no packets decrypted/encrypted. So how can I 'lose' packets in my VPN tunnel if both ends have matching SAs/SPIs?
best regards
Richard
09-19-2015 04:28 AM
Hi
Could be incorrect NAT rules or an access-list denying ESP packets somewhere in the path between the two ASAs.
09-19-2015 02:39 PM
I'd go with Henrik's first suggestion as the most likely cause.
Make sure by using packet-tracer that your result is the NAT policy you want.
09-25-2015 01:03 AM
Hi
Remote end is routed through a customer firewall into a public IP DMZ. They hadn't allowed for bi-directional VPN in their rulebase, i.e. either of the VPN peers needed to be able to initiate an encrypted connection. Now sorted.
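The counter asymmetry described in the question (packets encrypted on one peer, nothing decrypted on the other) is exactly what a one-way ESP block in the path produces, and it can be checked mechanically across both peers. Added example, not from the thread or from Cisco: a small Python parser over the "#pkts encaps" / "#pkts decaps" lines of an ASA's "show crypto ipsec sa" output, using constructed sample output, that reports which direction of ESP is being lost.

```python
import re

# Constructed sample text modelled on the counter lines of an ASA's
# "show crypto ipsec sa" output; not captured from the thread's devices.
REMOTE_ASA = """\
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""
NEAR_ASA = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors: 0, #recv errors: 0
"""


def parse_counters(text):
    """Return the encaps/decaps counters of one SA block as a dict."""
    counters = {}
    for name in ("encaps", "decaps"):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        if m is None:
            raise ValueError("missing #pkts %s counter" % name)
        counters[name] = int(m.group(1))
    return counters


def diagnose(initiator, responder):
    """Compare one SA pair's counters on both peers.

    initiator: counters on the ASA whose side originated the traffic.
    responder: counters on the other ASA.
    Returns a short verdict naming the lost direction, if any.
    """
    if initiator["encaps"] == 0:
        # Nothing was ever encrypted: check NAT and crypto-ACL match
        # with packet-tracer before suspecting the path.
        return "no-traffic-encrypted"
    if responder["decaps"] == 0:
        # Initiator sends ESP, responder never receives it.
        return "esp-lost-toward-responder"
    if responder["encaps"] > 0 and initiator["decaps"] == 0:
        # Responder replies with ESP, initiator never receives it.
        return "esp-lost-toward-initiator"
    return "bidirectional"
```

In the thread's case the remote (initiating) ASA is the first sample and the near ASA the second, so the verdict points at the path toward the near end.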