01-06-2011 06:46 PM - edited 02-21-2020 05:04 PM
Hi,
We built a VPN tunnel between the sites but traffic only seems to be able to initiate in one direction.
SiteA has the RVS with 192.168.15.0/24
SiteB has the ASA with 192.168.11.0/24
We are able to ping/rdp/etc from SiteA to SiteB but not able from the other direction.
Here are some logs:
%ASA-3-106014: Deny inbound icmp src Inside:192.168.11.1 dst Inside:192.168.15.10 (type 8, code 0)
%ASA-3-106014: Deny inbound icmp src Inside:192.168.11.1 dst Inside:192.168.15.10 (type 8, code 0)
Any input is appreciated.
Thanks
-robert
01-07-2011 05:13 AM
Hi,
You say that traffic from the ASA side to the other side won't work.
Do you see packets encrypted/decrypted incrementing when sending traffic in this direction? (with the command "sh cry ips sa" on the ASA).
This will show if the packet is indeed being sent through the tunnel.
Federico.
01-07-2011 12:15 PM
Yes, we do see packets across the tunnel but that is because we are able to initiate traffic from siteA to siteB.
We can ping/rdp/etc from any node in siteA to siteB.
It's only when we try to initiate from siteB to siteA that it fails.
Your help is appreciated.
Thanks
-robert
01-07-2011 12:24 PM
Yes but is there too much traffic flowing to do a test?
I was suggesting to check if the packets encrypted/decrypted increment on the ASA side when initiating the tunnel from the ASA side.
Federico.
01-07-2011 01:08 PM
We initiate a telnet connection from siteB to siteA and do not see the counter increment in the output of sh crypto ips sa.
It gets denied by the ASA?
ASA-2-106001: Inbound TCP connection denied from 192.168.11.1/53954 to 192.168.16.254/23 flags SYN on interface Inside
01-07-2011 01:19 PM
Do you have an ACL applied to the inside interface in the inbound direction that is not allowing this traffic?
Federico.
01-10-2011 12:53 PM
Hi, there are no ACLs applied on the inside interface.
The only ACLs configured are the outside one and the one that is applied to no-nat.
Do we need one to be applied on the inside interface? We never had to before.
thanks
-robert
01-07-2011 01:33 PM
Hi Robert,
Please check the routing and static translations on the ASA, as per:
%ASA-3-106014: Deny inbound icmp src Inside:192.168.11.1 dst Inside:192.168.15.10 (type 8, code 0)
That traffic is not being sent through the outside interface, which is the interface I assume has the crypto map applied on it.
You can run a "debug icmp trace" when running a ping test from the 192.168.11.x to the 192.168.15.x in order to see where that ping is going.
The output of a packet-tracer would be helpful also; it would be great if you could provide it:
packet-tracer input inside icmp 192.168.11.5 8 0 192.168.15.10 detailed
Regards,
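The point Jose is making is visible in the log line itself: a 106014 message whose src and dst are both on "Inside" means the ASA resolved the egress interface back to the ingress interface, so the packet never reached the crypto map on the outside interface. The following script is an added example, not something posted in this thread or part of any Cisco tool; it parses the two ASA syslog message types quoted above (106014 and 106001) and gives each a verdict based on which interface the packet was headed for. The subnets and the interface name "Outside" are assumptions taken from the thread, and the log lines are constructed samples modelled on the ones quoted.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines, modelled on the ones quoted in the thread.
SAMPLE_LOGS = [
    "%ASA-3-106014: Deny inbound icmp src Inside:192.168.11.1 dst Inside:192.168.15.10 (type 8, code 0)",
    "%ASA-2-106001: Inbound TCP connection denied from 192.168.11.1/53954 to 192.168.15.10/23 flags SYN on interface Inside",
    "%ASA-3-106014: Deny inbound icmp src Inside:192.168.11.1 dst Outside:192.168.15.20 (type 8, code 0)",
    "%ASA-2-106001: Inbound TCP connection denied from 192.168.11.1/53954 to 192.168.16.254/23 flags SYN on interface Inside",
]

# Assumptions: SiteB (behind the ASA) and SiteA (remote end of the tunnel) subnets
# as named in the thread, and "Outside" as the interface carrying the crypto map.
LOCAL_NET = ip_network("192.168.11.0/24")
REMOTE_NETS = [ip_network("192.168.15.0/24")]
VPN_INTERFACE = "Outside"

RE_106014 = re.compile(
    r"%ASA-\d-106014: Deny inbound (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)"
)
RE_106001 = re.compile(
    r"%ASA-\d-106001: Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/\d+ "
    r"to (?P<dst>[\d.]+)/\d+ flags .*? on interface (?P<src_if>\w+)"
)


def parse_line(line):
    """Return a dict for a 106014 or 106001 message, or None for anything else."""
    m = RE_106014.search(line)
    if m:
        d = m.groupdict()
        return {"id": "106014", "proto": d["proto"], "src": ip_address(d["src"]),
                "dst": ip_address(d["dst"]), "src_if": d["src_if"], "dst_if": d["dst_if"]}
    m = RE_106001.search(line)
    if m:
        d = m.groupdict()
        # 106001 names only the ingress interface; no egress lookup is reported.
        return {"id": "106001", "proto": d["proto"], "src": ip_address(d["src"]),
                "dst": ip_address(d["dst"]), "src_if": d["src_if"], "dst_if": None}
    return None


def classify(event):
    """Map a parsed deny event to a short troubleshooting verdict."""
    if not any(event["dst"] in net for net in REMOTE_NETS):
        # Destination is not a tunnel-protected subnet: not a VPN problem as such.
        return "outside-vpn-scope"
    if event["id"] == "106014":
        if event["dst_if"] == event["src_if"]:
            # Egress resolved to the ingress interface: routing or static NAT
            # sent the packet back inside instead of toward the crypto map.
            return "same-interface-egress"
        if event["dst_if"] == VPN_INTERFACE:
            # Egress was the VPN interface, yet the packet was denied there.
            return "vpn-egress-denied"
        return "unexpected-egress"
    # 106001: denied on the ingress interface before any egress interface is shown.
    return "denied-on-ingress"


def analyse(lines):
    """Return one verdict per recognised log line, in input order."""
    verdicts = []
    for line in lines:
        event = parse_line(line)
        if event is not None:
            verdicts.append(classify(event))
    return verdicts


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOGS, analyse(SAMPLE_LOGS)):
        print(f"{verdict:24} {line}")
```

Feeding the two lines Robert quoted through this gives "same-interface-egress" for the ICMP deny (the case Jose describes: check routes and static translations so the 192.168.15.0/24 destination resolves to the outside interface) and "outside-vpn-scope" for the telnet line, because its destination 192.168.16.254 is not in the 192.168.15.0/24 subnet the tunnel is supposed to carry. The packet-tracer command Jose suggests shows the same egress decision interactively.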
01-10-2011 12:54 PM
Hi Jose, there is no specific route configured.
We thought the ASA would punt it directly to the outside/VPN since the tunnel is up?
thanks
-robert