
L2L Site VPN - ACL stopping traffic in one direction

ikoritana_sbet
Level 1

Hi,

We have a standard L2L VPN setup. We had an issue with IP traffic only passing in one direction. The crypto map ACLs were set up as below:

SITE A

access-list XXX-L2L-CRYPTOMAP extended permit ip 192.168.118.0 255.255.255.0 172.16.246.0 255.255.255.0

SITE B

access-list xxx-L2L-VPN-CRYPTOMAP extended permit ip 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0

access-list xxx-L2L-VPN-CRYPTOMAP extended permit icmp 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0

The issue we had was that Site A could ping Site B and vice versa. Site A could communicate on IP with Site B.

BUT Site B COULD NOT communicate with Site A on IP.

We removed the ICMP ACL on Site B and IP communication was ok bidirectionally.

Has anyone seen this issue, or can anyone explain what may be wrong?

2 Replies

Jouni Forss
VIP Alumni

Hi,

You should always have the L2L VPN ACLs as mirror images of each other. In your above configuration they weren't. I am not sure if this is something that should break the L2L VPN connection in the way you mention, but certainly configuring the connection like this is not recommended.

Also notice that the "permit ip" statement already includes "icmp" so there is really no need to add an additional line to the ACL.

I would recommend defining the needed networks in the L2L VPN ACL with "permit ip" statements and using other methods to control the traffic through those L2L VPN connections IF needed.

- Jouni

Many thanks. I suspect the non-matching ACLs would be an issue.
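The mirror-image rule from the reply above is easy to state and easy to get wrong by hand once an ACL has more than a line or two. The following script is an added example for this thread, not code from the original post or from Cisco: it parses a subset of ASA "access-list NAME extended permit|deny PROTO SRC DST" lines (address specs of the form "network mask", "host A.B.C.D" or "any"; anything after the destination, such as port qualifiers, is ignored), and reports which entries a peer would need to add to be a true mirror image, plus entries that a "permit ip" line on the same side already covers (such as the extra ICMP line quoted in the question). The sample ACLs are constructed from the two sides posted in the thread; the "fixed" Site B ACL is the one left after the poster removed the ICMP line.

```python
"""Mirror-image check for a pair of Cisco ASA crypto-map ACLs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Sample input constructed from the ACLs quoted in the thread.
SITE_A_ACL = """
access-list XXX-L2L-CRYPTOMAP extended permit ip 192.168.118.0 255.255.255.0 172.16.246.0 255.255.255.0
"""
SITE_B_ACL = """
access-list xxx-L2L-VPN-CRYPTOMAP extended permit ip 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
access-list xxx-L2L-VPN-CRYPTOMAP extended permit icmp 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
"""
# Site B after the fix the poster applied (ICMP line removed).
SITE_B_ACL_FIXED = """
access-list xxx-L2L-VPN-CRYPTOMAP extended permit ip 172.16.246.0 255.255.255.0 192.168.118.0 255.255.255.0
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def mirror(self) -> "Ace":
        """The entry the peer needs: same action and protocol, src and dst swapped."""
        return Ace(self.action, self.proto, self.dst, self.src)

    def covers(self, other: "Ace") -> bool:
        """True if this entry already matches every packet `other` matches
        ("ip" covers every protocol; a supernet covers its subnets)."""
        return (self.action == other.action
                and self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))

    def __str__(self) -> str:
        return f"{self.action} {self.proto} {self.src} -> {self.dst}"


def _take_addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address spec ("any", "host X", or "X MASK") from `tokens`."""
    kw = tokens.pop(0)
    if kw in ("any", "any4"):
        return ipaddress.IPv4Network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return ipaddress.IPv4Network(f"{kw}/{tokens.pop(0)}")  # "network netmask" form


def parse_acl(text: str) -> List[Ace]:
    """Parse the supported subset of ASA extended ACL syntax, one ACE per line."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"unrecognised ACE: {line}")
        rest = tok[5:]  # address specs follow "access-list NAME extended ACTION PROTO"
        aces.append(Ace(tok[3], tok[4], _take_addr(rest), _take_addr(rest)))
    return aces


def compare(acl_a: str, acl_b: str) -> Dict[str, List[str]]:
    """Report asymmetries and redundancies between the two sides' crypto ACLs."""
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    return {
        # entries the other side would have to add to be a mirror image
        "missing_in_b": [str(e.mirror()) for e in a if e.mirror() not in b],
        "missing_in_a": [str(e.mirror()) for e in b if e.mirror() not in a],
        # entries already covered by another (wider or "permit ip") entry on the same side
        "redundant_in_a": [str(e) for e in a if any(o is not e and o.covers(e) for o in a)],
        "redundant_in_b": [str(e) for e in b if any(o is not e and o.covers(e) for o in b)],
    }


def is_mirrored(acl_a: str, acl_b: str) -> bool:
    r = compare(acl_a, acl_b)
    return not r["missing_in_a"] and not r["missing_in_b"]


if __name__ == "__main__":
    for label, side_b in (("as posted", SITE_B_ACL), ("after fix", SITE_B_ACL_FIXED)):
        print(f"{label}: mirrored={is_mirrored(SITE_A_ACL, side_b)}")
        for kind, entries in compare(SITE_A_ACL, side_b).items():
            for entry in entries:
                print(f"  {kind}: {entry}")
```

Run against the two ACLs as posted, the check reports that Site A lacks the mirror of Site B's ICMP line and that the ICMP line is redundant on Site B anyway, since the "permit ip" line on the same side already covers it; with the ICMP line removed the two sides are exact mirrors and the report is empty. The script only flags the asymmetry; like the reply above, it does not claim what symptom a given mismatch will produce on a particular ASA release, so treat its output as a configuration lint to run (for example on `show run access-list` output from both peers) before the tunnel is brought up.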