Showing results for 
Search instead for 
Did you mean: 

Re: IPSec tunnel connectivity

I'm just waiting for the change to be made Sheraz. Sorry, I don't mean to question you but isn't your ACL the same as the one that's already there? See below:

access-list thorman extended permit ip object-group thorman-local object-group thorman-remote
Rising star

Re: IPSec tunnel connectivity

you are correct.

access-list thorman extended permit ip object-group thorman-local object-group thorman-remote
access-list thorman extended permit ip any4 object-group thorman-remote


the above statement match two rule in one. where ip any4 and object-group thorman.


what you can do if you dont want to apply the new rules. do show access-list and check what number is giving from ASA to these ACLs.

please do not forget to rate.

Re: IPSec tunnel connectivity

Here is the output from the ;show Access List' command. The problem is still we cannot ping from (Thorman) to (Noverton). The confusing thing is I'm seeing a lot of hits against the Thorman ACL but 0 hits against the Noverton ACL.  



access-list thorman line 1 extended permit ip (hitcnt=173550) 0x6d3eca4e

access-list line 2 extended permit ip (hitcnt=0) 0x43b23a2a

Hall of Fame Master

Re: IPSec tunnel connectivity

There are several things I would comment on:

- both access lists for the vpn have a line that permits any to the remote subnet. For Thorman the more specific entry for the local subnet to the remote subnet comes first and has hitcount of 173550 and then the permit any entry has hitcount of 123. So you are trying to send 123 items over the vpn that do not match your real criteria. The same issue exists for Noverton but the order of statements is reversed. So we see hitcount of 55025 for permit any and hitcount of 0 for local subnet to remote subnet. I suggest that you remove both statements that have permit any.

- I see in the config that is the subnet for Noverton. That network also appears as the local network for Beverly and for Sherman. Is that really the case? And if so is it possibly related to the problem?

- I see in the config that the set peer statement in Thorman crypto map has 2 peer addresses. Can you verify which of the peers is active? Could you then switch over to the other peer and see if the behavior changes?