L2L tunnel is up. Do I now need a return route?

Hello.

GIVEN:

172.16.3.0/24(CSRV1000)2.2.2.2===tunnel===1.1.1.1(ASA5525)172.16.8.1/24---172.16.9.1/24 (SERVER1)

My L2L tunnel is up. Encrypted packets are evident. Servers can NOT communicate.

Tunnel ACL endpoint is 172.16.9.0/24. NAT translates 172.16.8.1 to 1.1.1.1

My guess is I need to implement a route so packets can reach back to the remote server.

What is troubleshoot next step? How can I verify I need a return route?

Thank you.

Accepted Solutions

@jmaxwellUSAF obviously the remote server would need to know how to reach the other server. If the servers default gateway is the device terminating the VPN then it should know how to reach the remote end of the tunnel.....unless there are other routing devices in your network and traffic is sent in another direction?

Provide a topology diagram and information on routing.

Provide the output of "show crypto ipsec sa" from both the CSR1000V and ASA - looking to confirm the encap|decaps counters are increasing on both sides.

Run packet-tracer from the ASA and provide the output.

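The counter check the answer asks for can be made mechanical. The following is an added example, not code from the thread or from Cisco: it parses two snapshots of `show crypto ipsec sa` from each peer, works out how much the encaps and decaps counters grew while test traffic was flowing, and states which leg is silent. The trimmed command output and every counter value are constructed for this example; the subnets and peer addresses are the ones given in the question, and the function names are my own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SaCounters:
    local: str   # local proxy ID as printed, e.g. "172.16.3.0/255.255.255.0/0/0"
    remote: str  # remote proxy ID
    encaps: int  # packets this peer sent into the tunnel
    decaps: int  # packets this peer received from the tunnel


# Constructed "show crypto ipsec sa" excerpts for the two peers in the thread.
# Only the lines the parser needs are reproduced; the counters are parameters
# so that two snapshots of the same peer can be compared.
def csr_output(encaps: int, decaps: int) -> str:  # IOS-XE (CSR1000V) layout
    return f"""interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.9.0/255.255.255.0/0/0)
   current_peer 1.1.1.1 port 500
    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


def asa_output(encaps: int, decaps: int) -> str:  # ASA layout
    return f"""interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (172.16.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.3.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


# The proxy ID is the second parenthesised group on the ident line, after the colon.
LOCAL_RE = re.compile(r"local\s+ident[^:]*:\s*\(([^)]+)\)")
REMOTE_RE = re.compile(r"remote\s+ident[^:]*:\s*\(([^)]+)\)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """One SaCounters per (local ident, remote ident) pair in the output."""
    sas = []
    for chunk in re.split(r"(?=\blocal\s+ident)", text):
        loc = LOCAL_RE.search(chunk)
        if not loc:
            continue  # header text before the first SA
        rem, enc, dec = REMOTE_RE.search(chunk), ENCAPS_RE.search(chunk), DECAPS_RE.search(chunk)
        sas.append(SaCounters(
            local=loc.group(1),
            remote=rem.group(1) if rem else "?",
            encaps=int(enc.group(1)) if enc else 0,
            decaps=int(dec.group(1)) if dec else 0,
        ))
    return sas


def delta(before: list[SaCounters], after: list[SaCounters]) -> dict[tuple[str, str], tuple[int, int]]:
    """Per-SA (encaps, decaps) growth between two snapshots of the same peer."""
    base = {(s.local, s.remote): s for s in before}
    growth = {}
    for s in after:
        b = base.get((s.local, s.remote))
        # A rekey resets the counters; a value below the earlier one means a new SA.
        if b and s.encaps >= b.encaps and s.decaps >= b.decaps:
            growth[(s.local, s.remote)] = (s.encaps - b.encaps, s.decaps - b.decaps)
        else:
            growth[(s.local, s.remote)] = (s.encaps, s.decaps)
    return growth


def diagnose(sender: tuple[int, int], receiver: tuple[int, int]) -> str:
    """sender = growth on the peer in front of the host that sent the test traffic."""
    s_enc, s_dec = sender
    r_enc, r_dec = receiver
    if s_enc == 0:
        return "sender is not encrypting: the test traffic never matched the crypto ACL (check source, destination and NAT order)"
    if r_dec == 0:
        return "sender encrypts but receiver never decrypts: ESP is lost between the peers (path, filtering, or proxy IDs)"
    if r_enc == 0:
        return "receiver decrypts but never encrypts a reply: the reply is not reaching the VPN device, so a return route on the receiver's side is the prime suspect"
    if s_dec == 0:
        return "receiver encrypts replies that the sender never decrypts: check the path back toward the sender"
    return "both directions carry traffic: the tunnel is forwarding, look at the end hosts"


def run_example() -> str:
    # Two snapshots per peer, taken while 172.16.3.x pings 172.16.9.x (constructed values).
    csr = delta(parse_ipsec_sa(csr_output(100, 0)), parse_ipsec_sa(csr_output(120, 0)))
    asa = delta(parse_ipsec_sa(asa_output(0, 100)), parse_ipsec_sa(asa_output(0, 120)))
    csr_key, asa_key = next(iter(csr)), next(iter(asa))
    # The two SAs describe the same tunnel only if their proxy IDs mirror each other.
    if csr_key != (asa_key[1], asa_key[0]):
        return "proxy IDs do not mirror: the SAs being compared are not the same tunnel"
    return diagnose(sender=csr[csr_key], receiver=asa[asa_key])


if __name__ == "__main__":
    print(run_example())
```

With the constructed numbers the CSR encaps grow by 20 and the ASA decaps grow by 20, while the ASA never encapsulates anything: the pings arrive behind the ASA but no reply ever comes back to it, which is exactly the return-route symptom. Counters must be sampled twice because a stale non-zero value proves nothing about current traffic.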
The problem was a bad return route.