Site-to-Site VPN

rustamovea
Level 1

Hi, I have created a site-to-site IPsec VPN connection between two Cisco ASA firewalls.

The connection is established successfully, but I can't ping from one local network to another.
If I go to Sessions I can see on one side Bytes RX 0, Bytes TX 200 (and increasing).
On the other side Bytes RX 0, Bytes TX 0. It seems that traffic goes out and doesn't come back.

What could be the problem? What should I look at?

Regards,


10 Replies

Vikas Saxena
Cisco Employee

Assuming that the side from where you are initiating the pings has more TX and it is increasing, here is how to interpret this:

Echo request outbound side:

RX=0 TX=200, increasing as and when echo requests get encrypted.

Receiving side:

RX=0 TX=0

Looks like the tunnel is using ESP, which is blocked either on egress of the sender side or ingress on the receiver side.

What does your topology look like?

Are you using any NAT device in front of these ASAs?

Is there a packet filter (ACL) on the internet-connected router?

In case of NAT, turning on NAT-T should help; 'crypto isakmp nat-t' with default values should be enough.
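As an added example (not code from this thread or from Cisco), here is a small Python script that applies the counter interpretation above mechanically: it parses the per-SA `#pkts encaps` / `#pkts decaps` counters from ASA `show crypto ipsec sa` output collected on both peers and reports which direction is failing (initiator encrypting, responder decrypting nothing means ESP is not arriving). The two outputs are constructed samples using documentation addresses, the field names are the standard ASA ones, and the heuristic assumes a single SA per output.

```python
import re

# Constructed sample of ASA "show crypto ipsec sa" output on the side that
# initiates the pings (abridged, documentation addresses; not from the thread).
INITIATOR_SIDE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.10

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.20

      #pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed sample from the responding side: nothing encrypted, nothing decrypted.
RESPONDER_SIDE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.20

      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.10

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

# Only the counters the heuristic needs; "encaps" is packets sent into the
# tunnel, "decaps" is packets received from it.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|verify): (\d+)")


def parse_counters(text):
    """Return {counter_name: value} for the single SA present in the output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def diagnose(initiator_output, responder_output):
    """Compare what one peer encapsulated with what the other decapsulated.

    The checks are ordered from "nothing happening" to "fully working", so the
    first failing hop in the round trip is the one reported.
    """
    a = parse_counters(initiator_output)
    b = parse_counters(responder_output)

    if a["encaps"] == 0 and b["encaps"] == 0:
        return "no interesting traffic: neither side encrypted anything"
    if a["encaps"] > 0 and b["decaps"] == 0:
        # The case in the thread: TX grows on one side, RX stays 0 on the other.
        return "one-way: ESP leaves the initiator but the responder never decrypts it (blocked in transit or no matching SA)"
    if b["decaps"] > 0 and b["encaps"] == 0:
        return "responder decrypts but sends no reply: check routing, NAT and ACLs on its inside network"
    if b["encaps"] > 0 and a["decaps"] == 0:
        return "return path blocked: responder encrypts replies that never reach the initiator"
    return "tunnel passing traffic in both directions"


if __name__ == "__main__":
    print(diagnose(INITIATOR_SIDE, RESPONDER_SIDE))
```

Run it once with output pasted from each ASA; if the result is the "one-way" case, the next step is the packet capture on both outside interfaces described later in this thread, which shows whether the ESP packets even leave the initiator and whether they arrive at the responder.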

Your assumption is right. If I initiate the ping from the other side, then TX increases on that side. And I am using ESP.

Our topology:

(ASA) --ipsec-- (ASA)

I have NAT on both firewalls, but not in front of the ASAs.
I used the VPN wizard on both ASAs to configure the VPN.

Should I enter 'crypto isakmp nat-t' on both sides?

Do a capture on both ends on the outside interface like this:

access-li 150 permit ip host host

access-li 150 permit ip host host

cap capout access-li 150 interface outside

Run this on both FWs.

Please post 'sh run all sysopt'; I will assume the wizard puts sysopt connection permit-vpn by default.

If you have TX increasing on one side but RX=0 on the other, then I believe ESP is blocked inbound on the other side.

Try turning on nat-t, flap the tunnel and see if the traffic passes. Otherwise you need to go all the way and capture the packets to see which side is at fault.

Thanks Vikas,

I'll do it now.

VPN is working now. The problem was related to the ISP.

They had some rules blocking vpn traffic.

Thanks.

Please rate and mark it as resolved so that others can know what we did here, if it is alright with you.

Vikas,

I remember that we had the same problems with two other VPN connections a month ago. We solved it by restarting the firewalls.

Do you have any idea why it could happen?

If this kind of problem was resolved by restarting the FW, then the only thing which can have happened is that the IPsec SAs were out of sync.

One side will keep on sending the traffic and the other side will keep on rejecting it because it has no SA.

The other thing I could imagine is one of those bugs where the ASP table goes out of sync after multiple rekeys and there is no way but to reload the FW to overcome the situation.

The ASP problem is rare now in newer codes.

Perfect information Vikas, thanks for sharing.

Thanks & Regards