Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
0
Helpful
2
Replies

ASA in between site-to-site tunnel

Go to solution
vishnureddy1979
Level 1
Level 1

‎03-03-2016 07:02 AM

Hello,

I have site to site tunnel between 2 ASAs. One ASA is behind the university and other is at our datacenter. Unversity provides us the Internet services and they have the ASA which controls the incoming traffic. We used to have tunnel issues where the stale SAs were inactive and deleted at the datacenter due to inactivity timeout or some other reasons not known. Later found out that ASA9.1.5 behind the university had the bug for not deleting the stale entries. After downgrading the code to 8.4.6 version we are not seeing any issues. And its working as normal. Unversity guy said he added some ACLS on the outside interface to allow our Datacenter IP to pass the VPN traffic.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCup37416

My Question even before adding those acls the tunnels were working but were not deleting the stale entries. I think after upgrade it became stable. Unversity guys says after adding the ACL it may have stablized the issue.

Could anyone can highlight here what was going on?

Thanks in advance.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-03-2016 08:24 AM

Hi Vishnu,

Adding ACL's on the outside interface does not have any relation with the ASP table entries for the VPN traffic.

The ASP duplicate entries are caused for crypto ACL's and the interesting traffic.

The ASP table will show duplicate ASP entries and traffic is hitting an ASP entry
that is stale and the traffic for particular SA is blackholed which leads to disruption of VPN traffic.

It has no link with the interface ACL's.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Aditya Ganjoo
Cisco Employee
Cisco Employee

‎03-03-2016 08:24 AM

Hi Vishnu,

Adding ACL's on the outside interface does not have any relation with the ASP table entries for the VPN traffic.

The ASP duplicate entries are caused for crypto ACL's and the interesting traffic.

The ASP table will show duplicate ASP entries and traffic is hitting an ASP entry
that is stale and the traffic for particular SA is blackholed which leads to disruption of VPN traffic.

It has no link with the interface ACL's.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.

0 Helpful

Go to solution
vishnureddy1979
Level 1
Level 1
In response to Aditya Ganjoo

‎03-03-2016 08:32 AM

Thanks for your prompt reply. I was on the same page too but just wanted to confirm with others in this forum. 

0 Helpful
Customers Also Viewed These Support Documents