Beginner

Unable to reach local networks between site-to-site VPN tunnel

Hi there,

 

We have a site-to-site IPsec VPN between two sites using two ASA firewalls. One site has two links to two different ISPs (primary and backup), and it used to work fine until this site (the one with two WAN connections) changed the IP address of its primary link to a different broadband provider. So I changed the outside interface to the new address and updated the default gateway to the new broadband provider, and on the other branch I modified the connection profile to use the new IP address for the remote peer (the VPN did fail over to the backup while switching to the new primary, but again it didn't work). Unfortunately that didn't work, so I deleted the connection profiles and started from scratch, and now the tunnel is up and I can see traffic encrypted and decrypted on both sides of the tunnel. However, I can't reach the LAN subnets from either side (e.g. ping isn't working).

I checked the NAT and ACLs, but I couldn't find anything wrong.

What's the best method to troubleshoot this case? I tried to use packet-tracer for ICMP traffic, but I find it very confusing which destination address to use (e.g. LAN1: 192.168.1.10/24 & LAN2: 172.16.1.10/24).

(I used ASDM to create the site-to-site IPsec VPN on both sides; could it be a bug in ASDM? Should I use the CLI to create the tunnel instead?)

Do I need to reload the ASA for the changes to take effect?

 

ASA1 :  ASA5515, 8192 MB RAM, Version 9.9(2)

ASA2:   ASA5525, 8192 MB RAM, Version 9.6(3)1

Accepted Solution
VIP Advisor

Re: Unable to reach local networks between site-to-site VPN tunnel

Hi

Can you share your configs please?
I did a quick post with commands showing how to troubleshoot L2L VPN.
Can you take a look and try on your side?

https://community.cisco.com/t5/security-documents/asa-how-to-troubleshoot-vpn-l2l-ensure-traffic-is-passing/ta-p/3166082

Usually when IPsec is up but no encaps and/or decaps are seen, it's a NAT or ACL issue.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
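The NAT exemption and the checks that the accepted answer points to, written out as an added example (it is not configuration from the thread or from the linked document). The LAN subnets are the ones the original poster gave; the interface names inside/outside, the remote peer address 203.0.113.2, and the object, ACL and crypto-map names are assumptions. The same rules, with LAN1 and LAN2 swapped, are needed on the other ASA.

```cisco
! Added example, not from the thread. Assumed: interfaces named inside/outside,
! remote peer 203.0.113.2, object/ACL names. LAN subnets are from the post.
! This is Site A (LAN1 = 192.168.1.0/24) talking to Site B (LAN2 = 172.16.1.0/24).

object network LAN1
 subnet 192.168.1.0 255.255.255.0
object network LAN2
 subnet 172.16.1.0 255.255.255.0

! Crypto ACL: defines what gets encrypted. Site B's ACL must be the mirror image.
access-list VPN_LAN1_TO_LAN2 extended permit ip object LAN1 object LAN2

! BROKEN: only the Internet PAT rule exists. LAN1 -> LAN2 traffic is translated
! to the outside interface address, no longer matches the crypto ACL, and leaves
! in the clear. The tunnel stays up, but "pkts encaps" never increments.
nat (inside,outside) source dynamic any interface

! FIX: identity (exemption) twice-NAT rule inserted at line 1 so it is evaluated
! before the PAT rule. Without the explicit "1" it would be appended after the PAT
! rule and never be hit.
nat (inside,outside) 1 source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup

! Verification from Site A. Source = a LAN1 host, destination = a LAN2 host, input
! interface = inside (not the peer's public address). The NAT phase should show the
! exemption rule, and the trace should end with "Action: allow" after a VPN phase.
packet-tracer input inside icmp 192.168.1.10 8 0 172.16.1.10 detailed

! Generate traffic (ping from a LAN1 host), then check both counters. Encaps rising
! with decaps flat points at the remote side (its NAT/ACL or routing); both flat
! means the local NAT or crypto ACL is still wrong.
show crypto ipsec sa peer 203.0.113.2 | include pkts

! translate_hits on the exemption rule should increment for outbound traffic and
! untranslate_hits for the replies coming back from LAN2.
show nat detail
```

The destination in packet-tracer is always the end host on the far LAN, never the remote peer's public IP: the ASA decides to encrypt (or not) by matching the original inside source and destination against the crypto ACL after NAT, which is exactly why a PAT rule ahead of the exemption breaks the tunnel while the SA itself stays up.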
3 Replies
Beginner

Re: Unable to reach local networks between site-to-site VPN tunnel

Thanks!

You're absolutely right; it was a NAT issue!

VIP Advisor

Re: Unable to reach local networks between site-to-site VPN tunnel

You're welcome.
Glad that worked!

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question