IPSEC VPN L2L tunnel UP but no traffic (unidirectional unusual behavior)

peter.stenmark
Level 1

Hi

I've been going crazy for the last two weeks, reading thousands of knowledge base articles, forum posts, FAQs, troubleshooting tech notes, etc. I need expert help.

I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.

Cisco ASA-5505

Peer A: x.x.x.x

LAN A: 192.168.0.0 255.255.255.0

Fortinet FortiGate-50b

Peer B: y.y.y.y

LAN B: 192.168.23.0 255.255.255.0

I start traffic from LAN B with a ping (or telnet, it doesn't matter) that receives no reply, but the tunnel comes up fine.

"show isakmp sa" seems OK (it says "State : MM_ACTIVE").

"show ipsec sa" seems OK, but all #pkts are zero.

I try ftp and telnet from LAN B to LAN A systems, but none of them work. In "show ipsec sa" all #pkts are zero.

As soon as I generate traffic from LAN A to LAN B, this works (with the tunnel already up), and traffic from LAN B to LAN A also works.

Obviously, if I end the VPN and bring the tunnel up by generating traffic from LAN A, everything works fine bidirectionally: LAN A reaches LAN B and LAN B reaches LAN A.

No messages are logged on either appliance.

It seems a very strange problem, because it does not seem related to Phase 1 or Phase 2, which are already established.

Traffic (routing?) starts working only after at least one packet goes from LAN A to LAN B.

The problems began in ASA version 8.0(4) / ASDM version 6.1(3) and remain after the upgrade to ASA version 8.4(1) / ASDM version 6.4(1).

Please excuse my terrible English.

1 Reply

Jennifer Halim
Cisco Employee

The problem sounds like the IPsec (ESP) packets are not reaching the ASA when the traffic is initiated from LAN B, hence you are seeing 0 packets on decrypts and encrypts.

Can you please check if you have any firewall, routers, etc that might be blocking the ESP traffic in the direction from Peer B towards Peer A?

NB: by the way, your English is absolutely fine.
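As an added example (not code from either poster), a small Python helper that reads the per-SA counters from ASA `show crypto ipsec sa` output and classifies them the way the reply reasons: encaps without decaps means ESP is leaving but never arriving (look for a filter upstream), zero in both directions means nothing matched the crypto map at all. The sample output below is constructed in the shape of that command's output, with placeholder peer addresses.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of ASA "show crypto ipsec sa" output,
# trimmed to the lines the parser reads; peer addresses are placeholders.
SAMPLE_OUTPUT = """
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
      current_peer: y.y.y.y

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


@dataclass
class SaCounters:
    local_net: str
    remote_net: str
    peer: str
    encaps: int   # packets this side encrypted and sent into the tunnel
    decaps: int   # ESP packets this side received and decrypted

    def diagnosis(self) -> str:
        """Map the counter pattern to the likely cause, as in the thread's reply."""
        if self.encaps == 0 and self.decaps == 0:
            return "no traffic matched this SA in either direction"
        if self.decaps == 0:
            return "ESP leaves but none is decapsulated: inbound ESP likely blocked upstream"
        if self.encaps == 0:
            return "ESP arrives but none is encapsulated: check return route / interesting traffic"
        return "bidirectional"


def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Split the output into per-SA blocks (each starts at 'local ident') and read counters."""
    results = []
    for block in re.split(r"(?=^\s*local ident)", text, flags=re.M):
        local = re.search(r"local ident .*?:\s*\(([^/]+/[^/]+)/", block)
        remote = re.search(r"remote ident .*?:\s*\(([^/]+/[^/]+)/", block)
        peer = re.search(r"current_peer:\s*(\S+)", block)
        enc = re.search(r"#pkts encaps:\s*(\d+)", block)
        dec = re.search(r"#pkts decaps:\s*(\d+)", block)
        if not (local and remote and peer and enc and dec):
            continue  # header text or an incomplete block
        results.append(SaCounters(local.group(1), remote.group(1), peer.group(1),
                                  int(enc.group(1)), int(dec.group(1))))
    return results
```

Running it on the constructed sample reports the "nothing matched" case the original poster describes; if the ASA showed encaps climbing while decaps stayed at zero, the verdict would point at the ESP path from Peer B to Peer A instead.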