03-20-2011 08:23 AM - edited 02-21-2020 05:14 PM
Hi
I've been going crazy for the last two weeks, reading thousands of knowledge base articles, forum posts, FAQs, troubleshooting technotes, etc. I need expert help.
I have a Site to Site IPSEC VPN Tunnel created with ASDM wizard.
Cisco ASA-5505
Peer A: x.x.x.x
Lan A: 192.168.0.0 255.255.255.0
Fortinet FortiGate-50b
Peer B: y.y.y.y
Lan B: 192.168.23.0 255.255.255.0
I start traffic from LAN B with a ping (or telnet, it doesn't matter) that receives no reply, but the tunnel comes up fine.
"show isakmp sa" seems OK (it says "State : MM_ACTIVE").
"show ipsec sa" seems OK but all #pkts are zero.
I try ftp and telnet from LAN B to LAN A systems but none of them work. "show ipsec sa": all #pkts are zero.
As soon as I generate traffic from LAN A to LAN B, this works (with the tunnel already up), and traffic from LAN B to LAN A works too.
Obviously if I end the VPN and bring the tunnel up by generating traffic from LAN A, everything works fine bidirectionally: LAN A reaches LAN B and LAN B reaches LAN A.
No messages logged on either appliance.
It seems a very strange problem because it does not seem related to Phase 1 or Phase 2, which are already established.
Traffic (routing?) starts working only after at least one packet goes from LAN A to LAN B.
The problem began with ASA version 8.0(4) / ASDM version 6.1(3) and continues after upgrading to ASA version 8.4(1) / ASDM version 6.4(1).
Please excuse my terrible English.
03-20-2011 03:09 PM
The problem sounds like the IPsec (ESP) packets are not reaching the ASA when the traffic is initiated from LAN B, hence you are seeing 0 packets on decrypts and encrypts.
Can you please check whether you have any firewalls, routers, etc. that might be blocking the ESP traffic in the direction from Peer B towards Peer A?
NB: by the way, your English is absolutely fine.
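The reply's diagnosis rests on reading the encaps/decaps counters in "show crypto ipsec sa" per SA and per direction. The following is an added example, not code from this thread or from Cisco: a small Python parser that walks ASA-style "show crypto ipsec sa" output, extracts the crypto map entry, selectors, peer and the #pkts encaps/decaps counters, and classifies each SA as carrying no traffic, one-way traffic, or bidirectional traffic. The sample output embedded below is constructed in the ASA's format with RFC 5737 documentation addresses in place of the poster's x.x.x.x / y.y.y.y peers; the SA with zero counters in both directions models the situation described above, where the tunnel is up but nothing is encrypted or decrypted.

```python
import re

# Constructed sample in the format of the ASA's "show crypto ipsec sa" output.
# Addresses are documentation placeholders, not the poster's real peers.
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.23.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.23.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

SA_START = re.compile(r"^\s*Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"^\s*(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"^\s*current_peer: ([\d.]+)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

# What each counter pattern usually means for a site-to-site tunnel.
HINTS = {
    "no-traffic": "tunnel is up but nothing is encrypted or decrypted: ESP from the peer "
                  "is not reaching this device, or no traffic matches the crypto ACL",
    "one-way-outbound": "this side encrypts but never decrypts: the peer's ESP is dropped "
                        "in transit, or the peer's selectors do not match",
    "one-way-inbound": "this side decrypts but never encrypts: return traffic is not "
                       "routed or NAT-exempted into the tunnel",
    "bidirectional": "packets flow in both directions",
}


def parse_ipsec_sa(text):
    """Return one dict per crypto map entry with peer, selectors and counters."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = SA_START.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)),
                   "encaps": 0, "decaps": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first crypto map entry
        m = IDENT.match(line)
        if m:
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"  # "local" or "remote"
            continue
        m = PEER.match(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        for name, value in COUNTER.findall(line):
            cur[name] = int(value)
    return sas


def diagnose(sa):
    """Classify an SA from its encaps (sent) and decaps (received) counters."""
    sent, received = sa["encaps"], sa["decaps"]
    if sent == 0 and received == 0:
        return "no-traffic"
    if received == 0:
        return "one-way-outbound"
    if sent == 0:
        return "one-way-inbound"
    return "bidirectional"


def report(text):
    """Return (peer, remote selector, verdict, hint) for every SA in the output."""
    rows = []
    for sa in parse_ipsec_sa(text):
        verdict = diagnose(sa)
        rows.append((sa.get("peer"), sa.get("remote"), verdict, HINTS[verdict]))
    return rows


if __name__ == "__main__":
    for peer, remote, verdict, hint in report(SAMPLE_SHOW_IPSEC_SA):
        print(f"peer {peer} -> {remote}: {verdict}: {hint}")
```

Run it against the saved output of "show crypto ipsec sa" instead of the embedded sample to get a per-peer verdict. The counter that matters for the thread's symptom is decaps: if it stays at zero while the peer reports that it is sending, the ESP packets are being lost between the two peers, which is exactly the check the reply asks for.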