04-15-2013 03:15 AM
Hi,
We have a standard L2L VPN setup. We had an issue with IP traffic only passing in one direction. The crypto map ACLs were set up as below:
SITE A
access-list XXX-L2L-CRYPTOMAP extended permit ip 192.168.118.0 255.255.255.0 172.16.246.0 255.255.255.0
SITE B
access-list xxx-L2L-VPN-CRYPTOMAP extended permit ip 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list xxx-L2L-VPN-CRYPTOMAP extended permit icmp 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
The issue we had was that Site A could ping Site B and vice versa. Site A could communicate on IP with Site B.
BUT Site B COULD NOT communicate with Site A on IP.
We removed the ICMP ACL on Site B and IP communication was OK bidirectionally.
Has anyone seen this issue, or can anyone explain what may be wrong?
04-15-2013 03:24 AM
Hi,
You should always have the L2L VPN ACLs as mirror images of each other. In your above configuration they weren't. I am not sure if this is something that should break the L2L VPN connection in the way you mention, but certainly configuring the connection like this is not recommended.
Also notice that the "permit ip" statement already includes "icmp", so there is really no need to add an additional line to the ACL.
I would recommend defining the needed networks in the L2L VPN ACL with "permit ip" statements and using other methods to control the traffic through those L2L VPN connections IF needed.
- Jouni
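As an added illustration of the two points above (ACLs must be mirror images, and "permit ip" already covers ICMP), here is a small checker that is not part of this thread or of any Cisco tool: it parses the two sides' crypto map ACLs as posted, reports any ACE that lacks a mirrored counterpart on the peer, and flags protocol-specific ACEs that a "permit ip" ACE for the same networks already matches. The sample ACLs are the ones from the question, embedded as constructed input.

```python
import ipaddress
import re

# Matches simple ASA ACEs: "access-list NAME extended permit PROTO SRC SMASK DST DMASK".
ACL_RE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+(\S+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def parse_crypto_acl(text):
    """Return a list of (proto, src_net, dst_net) tuples from ASA ACL lines."""
    entries = []
    for raw in text.splitlines():
        m = ACL_RE.match(raw.strip())
        if not m:
            continue  # skip blank lines and ACEs this simple parser does not model
        _, proto, src, smask, dst, dmask = m.groups()
        entries.append((proto.lower(),
                        ipaddress.ip_network(f"{src}/{smask}"),
                        ipaddress.ip_network(f"{dst}/{dmask}")))
    return entries

def crypto_acl_issues(site_a, site_b):
    """List ACEs without a mirror on the peer, plus ACEs made redundant by 'permit ip'."""
    issues = []
    a = set(site_a)
    b_mirrored = {(p, d, s) for p, s, d in site_b}  # what Site B looks like from Site A's side
    for p, s, d in sorted(a - b_mirrored, key=str):
        issues.append(f"Site A '{p} {s} -> {d}' has no mirror ACE on Site B")
    for p, d, s in sorted(b_mirrored - a, key=str):
        issues.append(f"Site B '{p} {s} -> {d}' has no mirror ACE on Site A")
    for name, entries in (("A", site_a), ("B", site_b)):
        ip_pairs = {(s, d) for p, s, d in entries if p == "ip"}
        for p, s, d in entries:
            if p != "ip" and (s, d) in ip_pairs:
                issues.append(f"Site {name} '{p} {s} -> {d}' is redundant: "
                              f"'permit ip' for the same networks already matches it")
    return issues

# Constructed sample input: the two ACLs as posted in the question.
SITE_A_ACL = """
access-list XXX-L2L-CRYPTOMAP extended permit ip 192.168.118.0 255.255.255.0 172.16.246.0 255.255.255.0
"""
SITE_B_ACL = """
access-list xxx-L2L-VPN-CRYPTOMAP extended permit ip 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list xxx-L2L-VPN-CRYPTOMAP extended permit icmp 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
"""

def check_thread_example():
    return crypto_acl_issues(parse_crypto_acl(SITE_A_ACL), parse_crypto_acl(SITE_B_ACL))

if __name__ == "__main__":
    for issue in check_thread_example():
        print(issue)
```

Removing the ICMP ACE on Site B, as the poster did, makes the checker report no issues.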
04-15-2013 03:34 AM
Many thanks, I suspect the non-matching ACLs would be an issue.