We are in the initial phase of deploying Cisco ASA 5506s to our remote offices for redundant connectivity to our centralized data center. I am experiencing an issue I have never seen before, and I have been working with VPNs for a long time.
The 5525 is running 8.6 and the 5506 is running 9.3.2. In a test environment, when I initiate traffic from the 5506 side, the VPN gets established and there are valid SAs created. However, traffic is never returned, and Cisco and I are having a hard time finding the issue, leading me to think there is a bug.
Here is what I see:
From the 5506 side, I see the encaps increase but have 0 decaps. On the 5525 side, I see the encaps and decaps increase. Usually, one side's encaps always equates to the other side's decaps. On the 5525 end, I do see this error in the logs:
ASA-7-710006: ESP request discarded from 5506_public_ip to the 5525_public_ip. Now this would explain why the 5506 has 0 decaps, but after working with Cisco for the past couple of days, we haven't been able to identify the cause. He did verify that the configuration is correct, and that a VPN from a location using a 5505 does not have the same issue.
Also, when the tunnel is up and I initiate traffic from the 5525 side, I always see the ESP request discarded message.
I think the 5525 needs a reboot, as I removed the global policy-map, disabled and re-enabled all crypto settings, and also set up a second VPN from the 5506 to another 5525 in our colo. That had no issue, and the 5525s have the same code and config.
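The diagnostic rule used in the post, that one peer's encaps should match the other peer's decaps, is easy to check mechanically across the two ASAs. The following Python script is an added example and is not part of the original post or any Cisco tool. It parses the `#pkts encaps` / `#pkts decaps` counters in the style of `show crypto ipsec sa` output from both peers, counts `%ASA-7-710006` ESP discard messages in the hub's syslog, and reports per direction whether the tunnel carries traffic, is partially lossy, or is a black hole (sender encapsulates, receiver never decapsulates). All sample output, counter values and IP addresses below are constructed for illustration.

```python
import re

# Constructed sample counters in the style of `show crypto ipsec sa` on each peer
# (not real captures). The 5506 encapsulates but never decapsulates; the 5525 does both.
SA_5506 = """\
    #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SA_5525 = """\
    #pkts encaps: 1498, #pkts encrypt: 1498, #pkts digest: 1498
    #pkts decaps: 1534, #pkts decrypt: 1534, #pkts verify: 1534
"""

# Constructed syslog excerpt from the 5525; the addresses are documentation-range placeholders.
SYSLOG_5525 = """\
%ASA-7-710006: ESP request discarded from 203.0.113.10 to outside:198.51.100.20
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/4500 (...)
%ASA-7-710006: ESP request discarded from 203.0.113.10 to outside:198.51.100.20
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# The ASA may prefix the destination with the receiving interface ("outside:1.2.3.4");
# the optional group strips that prefix so both forms yield the bare address.
DISCARD_RE = re.compile(
    r"%ASA-7-710006: ESP request discarded from (\S+) to (?:[\w-]+:)?(\S+)"
)


def parse_counters(text):
    """Sum encaps/decaps counters over every SA in the captured output."""
    counts = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        counts[name] += int(value)
    return counts


def count_esp_discards(text):
    """Return {(src, dst): n} for each ESP discard message in the syslog excerpt."""
    discards = {}
    for src, dst in DISCARD_RE.findall(text):
        discards[(src, dst)] = discards.get((src, dst), 0) + 1
    return discards


def compare_direction(sender, receiver, tolerance=0.05):
    """Classify one direction by comparing sender encaps with receiver decaps.

    Counters are cumulative and the two peers are rarely sampled at the same instant,
    so a small relative tolerance avoids flagging normal sampling skew as loss.
    """
    sent, received = sender["encaps"], receiver["decaps"]
    if sent == 0:
        return "idle"            # nothing was ever encapsulated in this direction
    if received == 0:
        return "blackhole"       # sender encapsulates, receiver never decapsulates
    if abs(sent - received) <= tolerance * sent:
        return "ok"
    return "partial"             # some ESP is lost or dropped before decapsulation


def diagnose(spoke_sa, hub_sa, hub_syslog, spoke_ip):
    """Correlate both peers' counters with ESP discards logged on the hub."""
    spoke, hub = parse_counters(spoke_sa), parse_counters(hub_sa)
    discards = count_esp_discards(hub_syslog)
    from_spoke = sum(n for (src, _), n in discards.items() if src == spoke_ip)
    return {
        "5506->5525": compare_direction(spoke, hub),
        "5525->5506": compare_direction(hub, spoke),
        "esp_discards": from_spoke,
    }


if __name__ == "__main__":
    result = diagnose(SA_5506, SA_5525, SYSLOG_5525, "203.0.113.10")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against the constructed data, the report shows the spoke-to-hub direction as `ok` (1534 encaps on the 5506, 1534 decaps on the 5525) and the hub-to-spoke direction as `blackhole`, which is exactly the asymmetry the post describes. When run on real captures, take both `show crypto ipsec sa` snapshots as close together as possible and, if the counters are large, clear them first so the comparison reflects only the test traffic.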