06-08-2019 03:59 AM - edited 06-08-2019 05:56 AM
Hi there,
We have a site-to-site IPsec VPN between two sites using two ASA firewalls. One site has two links to two different ISPs (primary and backup), and it used to work fine until this site (the one with two WAN connections) changed the IP address of its primary link to a different broadband provider. So I changed the outside interface to the new one and updated the default gateway to the new broadband provider, and on the other branch I modified the connection profile to use the new IP address for the remote peer (the VPN did fail over to the backup while switching to the new primary, but again it didn't work). Unfortunately it didn't work, so I deleted the connection profiles and started from scratch, and now the tunnel is up and I can see traffic being encrypted and decrypted on both sides of the tunnel. However, I can't reach the LAN subnets from either side (e.g. ping isn't working).
I checked the NAT and ACLs, but I couldn't find anything wrong.
What's the best method to troubleshoot this case? I tried to use packet-tracer for ICMP traffic, but I find it very confusing which destination address to use (e.g. LAN1: 192.168.1.10/24 and LAN2: 172.16.1.10/24).
(I used ASDM to create the site-to-site IPsec VPN on both sides; could it be a bug in ASDM? Should I use the CLI to create the tunnel instead?)
Do I need to reload the ASA for the changes to take effect?
ASA1 : ASA5515, 8192 MB RAM, Version 9.9(2)
ASA2: ASA5525, 8192 MB RAM, Version 9.6(3)1
06-09-2019 09:15 AM
06-09-2019 11:20 AM
Thanks!
You're absolutely right; it was a NAT issue!
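For reference, this is what a NAT exemption for the two LANs in the question, and the packet-tracer check that confirms it, look like in ASA CLI. It is an added example, not configuration from the original poster or from the answers; the object names LAN1/LAN2, the interface names inside/outside and the <remote-peer-ip> placeholder are assumptions, while the subnets are the ones given in the question.

```text
! Added example, not the original poster's configuration.
! Assumed: objects LAN1/LAN2, nameifs "inside" and "outside",
! <remote-peer-ip> is the other ASA's new public address.

! Local and remote LAN objects
object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 172.16.1.0 255.255.255.0

! The usual Internet PAT rule. On its own it also translates VPN-bound
! traffic, so the remote site never sees 192.168.1.x and replies are dropped
! even though the tunnel is up and the encrypt/decrypt counters move.
object network LAN1
 nat (inside,outside) dynamic interface

! NAT exemption (identity twice NAT). Manual NAT sits in Section 1 and is
! evaluated before the object NAT above, so LAN1 -> LAN2 keeps its real
! addresses. no-proxy-arp stops the ASA answering ARP for the remote subnet;
! route-lookup makes it route on the real destination, not the mapped one.
nat (inside,outside) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup

! The other ASA needs the mirror image with the roles swapped:
! nat (inside,outside) source static LAN2 LAN2 destination static LAN1 LAN1 no-proxy-arp route-lookup

! Verification. Use a host in the local LAN as the source and a host in the
! remote LAN as the destination (ICMP type 8 code 0 is an echo request).
! The NAT phase should hit the exemption rule and the VPN phase should
! show the flow being encrypted with Action: allow at the end.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.10 detailed

! Confirm which NAT rule the flow matches and that the SA carries it
show nat detail
show crypto ipsec sa peer <remote-peer-ip>

! NAT and crypto changes apply immediately with no reload. Clearing the
! existing SAs makes the tunnel renegotiate with the corrected addresses.
clear crypto ipsec sa peer <remote-peer-ip>
```

One thing to check when a WAN link is swapped, as in this thread: the exemption must reference the interface name (nameif) that the crypto map is now bound to. If the new provider's link was brought up as a new interface with a different nameif, an exemption written against the old name no longer matches and the dynamic PAT rule takes over, which produces exactly the symptom described (tunnel up, counters incrementing, LAN hosts unreachable).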
06-10-2019 11:51 PM