site to site vpn problem

baselzind
Level 6

My firewall is a 5512, version 8.2(2). I have a site-to-site VPN that is currently up, but recently the remote VPN subnet suddenly became unreachable to me. The thing is, in my case my firewall and server subnet are located at a remote site away from my office building, which is controlled by another company, and currently they are putting the blame on my firewall, while the VPN tunnel is up and no configuration changes have been made on my firewall. So I need to prove my side, that the issue lies at their firewall. What I'm planning to do is several things:

1- Do a continuous ping from my PC 192.168.1.1 with size 700 and see if anything is reaching my firewall's outside interface, using the command

cap capout int outside match ip host 1.1.1.1 host 2.2.2.2

2- Do a continuous ping to my local server 172.16.16.10 from my PC 192.168.1.1 with size 700 and see if the ping is leaving my outside interface, using the same command as above

3- Make sure my inside interface can ping my server.

Also, is it possible to ping my inside interface 172.16.16.1 from my PC 192.168.1.1? Or would I need an ACL, or to enable ping on my inside interface on my ASA? Or does the site-to-site VPN bypass any ACL by default?

Also, can I ping from my inside interface to my office using size 700, in case I don't have someone at the remote site?

1 Reply

@baselzind Check "show crypto ipsec sa" and determine whether the encap/decap counters increase when you send traffic over the tunnel.

Check that you have the correct NAT exemption rules, to ensure traffic is not unintentionally translated.

Run packet-tracer from the CLI to simulate the traffic flow.
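The encap/decap check in the reply above is the quickest way to settle "whose side is it on": if the local ASA's encaps counter rises while decaps stays flat, the pings are entering the tunnel and nothing is coming back, which points at the remote end or the return path, exactly what the poster's capture in steps 1-2 is trying to establish. The script below is an added example (not from the thread, and not Cisco code) that takes two snapshots of "show crypto ipsec sa" output, one before and one after a burst of pings, and reports the per-peer deltas. It assumes the "current_peer:", "#pkts encaps:" and "#pkts decaps:" lines that the ASA prints for each IPsec SA; the sample output is constructed here rather than captured from a device, reusing the poster's addresses (1.1.1.1, 2.2.2.2, 172.16.16.0/24, 192.168.1.0/24) and a second, hypothetical peer 3.3.3.3 to show that it handles more than one SA.

```python
"""Compare two snapshots of ASA 'show crypto ipsec sa' and report per-peer
encap/decap deltas. Added example, not from the original post or from Cisco;
assumes the 'current_peer:' / '#pkts encaps:' / '#pkts decaps:' line format."""
import re
from typing import Dict, Tuple

PEER_RE = re.compile(r"current_peer:\s*([0-9A-Fa-f.:]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# Constructed sample output (not a real capture). Peer 2.2.2.2 is the poster's
# situation: encaps climbs, decaps does not. Peer 3.3.3.3 is a hypothetical
# healthy SA where both counters move.
BEFORE = """interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
      local ident (addr/mask/prot/port): (172.16.16.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
      current_peer: 3.3.3.3
      #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
      #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
"""

AFTER = """interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
      current_peer: 2.2.2.2
      #pkts encaps: 1520, #pkts encrypt: 1520, #pkts digest: 1520
      #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
      #send errors: 0, #recv errors: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 1.1.1.1
      current_peer: 3.3.3.3
      #pkts encaps: 52, #pkts encrypt: 52, #pkts digest: 52
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
"""


def parse_sa_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Return {peer: (encaps, decaps)} from one 'show crypto ipsec sa' dump."""
    counters: Dict[str, Tuple[int, int]] = {}
    peer = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, (0, 0))
            continue
        if peer is None:
            continue  # header lines before the first SA
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer] = (int(m.group(1)), counters[peer][1])
            continue
        m = DECAPS_RE.search(line)
        if m:
            counters[peer] = (counters[peer][0], int(m.group(1)))
    return counters


def sa_deltas(before: str, after: str) -> Dict[str, Tuple[int, int]]:
    """Per-peer (encaps delta, decaps delta) between the two snapshots."""
    first = parse_sa_counters(before)
    deltas: Dict[str, Tuple[int, int]] = {}
    for peer, (enc_after, dec_after) in parse_sa_counters(after).items():
        enc_before, dec_before = first.get(peer, (0, 0))
        deltas[peer] = (enc_after - enc_before, dec_after - dec_before)
    return deltas


def diagnose(before: str, after: str) -> Dict[str, str]:
    """Classify each SA: both-ways, send-only, receive-only, no-traffic,
    or rekeyed (a counter went down, so the SA was rebuilt; sample again)."""
    verdicts: Dict[str, str] = {}
    for peer, (d_enc, d_dec) in sa_deltas(before, after).items():
        if d_enc < 0 or d_dec < 0:
            verdicts[peer] = "rekeyed"
        elif d_enc > 0 and d_dec > 0:
            verdicts[peer] = "both-ways"
        elif d_enc > 0:
            verdicts[peer] = "send-only"    # we encrypt, nothing returns
        elif d_dec > 0:
            verdicts[peer] = "receive-only" # remote sends, we never encrypt
        else:
            verdicts[peer] = "no-traffic"   # nothing matched the crypto ACL
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(BEFORE, AFTER).items():
        print(f"{peer}: {verdict} {sa_deltas(BEFORE, AFTER)[peer]}")
```

A "send-only" verdict means the local ASA is matching the traffic to the SA and encrypting it, so the NAT exemption and crypto ACL on this side are doing their job for the outbound direction; "no-traffic" is the case where packet-tracer and the NAT exemption check from the reply are the next step, since the pings never reached the tunnel at all. Take the two snapshots a few seconds apart while the continuous ping is running, and if a counter drops between them the SA was rekeyed and the sample should simply be repeated.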