Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
560
Views
5
Helpful
3
Replies

ASA 5512 Site-to-site VPN issue - One way traffic

petenixon
Level 3
Level 3

‎01-05-2015 03:31 AM

Hi all,

I have a strange issue with a site to site VPN configured on an ASA 5512 (9.1). The tunnel is up and working, but intermittently Rx traffic through the tunnel is not incrementing. This was resolved earlier by removing the cryptomap on the outside interface and re-applying it. The VPN remote peer is a juniper SRX firewall (whose configuration has not been modified).

A reboot did not work previously (hence removing the cryptomap) and I am at a loss as to what could be the cause of the problem?

This previously worked without issue and has only arisen as a problem this morning.

 

Thanks.

Labels:
0 Helpful
3 Replies 3

Marius Gunnerud
VIP
VIP

‎01-05-2015 06:09 AM

For how long will the VPN work after removing / adding the crypto map?  Are you 100% sure there have been no changes to the Juniper SRX?  First thought that comes to mind is that there could be some asynchronous routing happening due to loadbalancing. 

Would you be able to post the full running configuration of the ASA as well as the outputs of show crypto isakmp and show crypto ipsec sa

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

petenixon
Level 3
Level 3
In response to Marius Gunnerud

‎01-05-2015 06:36 AM

Hi Marius,

Absolutely sure there have been no changes, my colleagues and I have only just returned from Xmas break today.

I have removed/re-added the crypto map twice and both times the 'uptime' of bi-directional traffic flow was different. My feeling is that the fault is with the Juniper SRX, there are no load-balancers behind the SRX that would be attributable to this (we don't load-balance traffic from this remote site).

 

I've attached the outputs, as requested, but have had to remove our public addresses from the config.

Thanks.

Preview file
11 KB
Preview file
3 KB
Preview file
1 KB
0 Helpful

Marius Gunnerud
VIP
VIP
In response to petenixon

‎01-06-2015 12:09 AM

I am not very familiar with Juniper but the config on the ASA looks fine.  Have a look at this link and check the config on the Juniper against it.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB28120

--

Please remember to select a correct answer and rate helpful posts

 

--
Please remember to select a correct answer and rate helpful posts
Customers Also Viewed These Support Documents