05-25-2011 02:32 PM
Hi, I have created a site-to-site IPsec VPN connection between two Cisco ASA firewalls.
The connection is established successfully, but I can't ping from one local network to the other.
If I go to Sessions, I can see on one side Bytes RX 0, Bytes TX 200 (and increasing).
On the other side, Bytes RX 0, Bytes TX 0. It seems that traffic goes out and doesn't come back.
What could be the problem? At what should I look?
Regards,
05-25-2011 11:43 PM
Assuming that the side from which you are initiating the pings is the one with TX increasing, this is how to interpret it:
Echo request outbound side:
RX=0, TX=200 and increasing as echo requests get encrypted.
Receiving side:
RX=0 TX=0
Looks like the tunnel is using ESP, which is blocked either on egress at the sender side or on ingress at the receiver side.
What does your topology look like?
Are you using any NAT device in front of these ASAs?
Is there a packet filter (ACL) on the Internet-connected router?
In case of NAT, turning on NAT-T should help; 'crypto isakmp nat-t' with default values should be enough.
05-26-2011 12:10 AM
Your assumption is right. If I initiate the ping from the other side, then TX increases on the other side. And I am using ESP.
Our topology:
I have NAT on both firewalls, but not in front of the ASAs.
I used vpn wizard on both ASAs to configure the vpn.
Should I enter 'crypto isakmp nat-t' on both sides?
05-26-2011 12:39 AM
Do a capture on both ends on the outside interface like this:
access-li 150 permit ip host
access-li 150 permit ip host
cap capout access-li 150 interface outside
Run this on both FWs.
Please post 'sh run all sysopt'; I will assume the wizard puts 'sysopt connection permit-vpn' in by default.
If you have TX increasing on one side but RX=0 on the other, then I believe ESP is blocked inbound on the other side.
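As an added example that is not part of the thread and not Cisco's tooling: once the two outside-interface captures suggested above have been exported from each ASA and reduced to raw IPv4 packets (pcap file framing and the Ethernet header are stripped beforehand; that step is not shown), the Python below does the comparison the post describes offline. It classifies each packet as ISAKMP (UDP/500), NAT-T (UDP/4500, distinguishing ESP-in-UDP, IKE behind the non-ESP marker, and keepalives) or plain ESP (IP protocol 50), counts encrypted tunnel packets per direction on each side, and reports the first point on the A -> B -> A path where ESP disappears. The peer addresses, SPI and packets are constructed here for illustration; they are not from the original post.

```python
"""Offline triage of two outside-interface captures (site A and site B).

Classifies each raw IPv4 packet as ISAKMP (UDP/500), NAT-T (UDP/4500: ESP-in-UDP,
IKE with non-ESP marker, or keepalive) or plain ESP (IP protocol 50), counts the
encrypted tunnel traffic per direction on each side, and says where it stops.
"""
import struct
from collections import Counter

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IKE_PORT = 500
NAT_T_PORT = 4500


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload.
    Only used here to construct sample packets; real input comes from a capture."""
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, octets(src), octets(dst))
    return hdr + payload


def build_udp(sport, dport, body):
    """UDP header (zero checksum) in front of body; sample construction only."""
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a raw IPv4 packet without link layer."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[9], pkt[ihl:]


def classify(pkt):
    """Return (src, dst, label, spi); spi is None unless the packet carries ESP."""
    src, dst, proto, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP and len(payload) >= 8:
        return src, dst, "ESP", struct.unpack("!I", payload[:4])[0]
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        body = payload[8:]
        if IKE_PORT in (sport, dport):
            return src, dst, "ISAKMP", None
        if NAT_T_PORT in (sport, dport):
            if body == b"\xff":                      # RFC 3948 NAT keepalive
                return src, dst, "NAT-T keepalive", None
            if body[:4] == b"\x00\x00\x00\x00":      # non-ESP marker: IKE over 4500
                return src, dst, "ISAKMP", None
            if len(body) >= 8:                       # ESP-in-UDP: SPI, sequence, ...
                return src, dst, "NAT-T ESP", struct.unpack("!I", body[:4])[0]
    return src, dst, "other", None


def tunnel_counts(capture, local, peer):
    """Encrypted tunnel packets (ESP or ESP-in-UDP) seen on one side, by direction."""
    c = Counter(tx=0, rx=0)
    for pkt in capture:
        src, dst, label, _ = classify(pkt)
        if label in ("ESP", "NAT-T ESP"):
            if (src, dst) == (local, peer):
                c["tx"] += 1
            elif (src, dst) == (peer, local):
                c["rx"] += 1
    return c


def locate_drop(cap_a, cap_b, a_ip, b_ip):
    """Walk the path A -> B -> A and report the first hop where ESP disappears."""
    a = tunnel_counts(cap_a, a_ip, b_ip)
    b = tunnel_counts(cap_b, b_ip, a_ip)
    if a["tx"] == 0:
        return "A sends no ESP: nothing matched the crypto ACL on A"
    if b["rx"] == 0:
        return "ESP leaves A but never reaches B: filtered between A's egress and B's ingress"
    if b["tx"] == 0:
        return "B receives ESP but returns none: check B's decryption, return route and sysopt"
    if a["rx"] == 0:
        return "B replies but the replies never reach A: filtered on the B -> A path"
    return "ESP flows both ways: the problem is inside the tunnel, not with ESP delivery"


# Constructed sample, mirroring the thread: A encrypts pings, B never sees them.
A_IP, B_IP = "198.51.100.10", "203.0.113.20"   # documentation addresses, not real peers

def esp_pkt(src, dst, spi, seq):
    return build_ipv4(src, dst, IPPROTO_ESP, struct.pack("!II", spi, seq) + b"\x00" * 32)

def ike_pkt(src, dst):
    return build_ipv4(src, dst, IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, b"\x00" * 28))

CAP_A = [ike_pkt(A_IP, B_IP), ike_pkt(B_IP, A_IP)] + [esp_pkt(A_IP, B_IP, 0x1A2B3C4D, n) for n in range(1, 4)]
CAP_B = [ike_pkt(A_IP, B_IP), ike_pkt(B_IP, A_IP)]

if __name__ == "__main__":
    print(Counter(classify(p)[2] for p in CAP_A))   # label counts on A's capture
    print(locate_drop(CAP_A, CAP_B, A_IP, B_IP))
```

The useful signal is the disagreement between the two captures: ISAKMP appears on both sides (the tunnel negotiates), ESP appears only on A's side, so the drop is between A's egress and B's ingress rather than on either ASA. If the UDP/4500 labels show up instead of plain ESP, NAT-T has been negotiated and the same comparison applies to the ESP-in-UDP packets.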
05-26-2011 12:41 AM
Try turning on NAT-T and flapping the tunnel, and see if the traffic passes. Otherwise you need to go all the way and capture the packets to see which side is at fault.
05-26-2011 04:03 AM
Thanks Vikas,
I'll do it now.
05-26-2011 09:46 AM
VPN is working now. The problem was related to the ISP.
They had some rules blocking vpn traffic.
Thanks.
05-26-2011 11:34 PM
Please rate and mark it as resolve so that others can know what we did here, if it is alright with you.
05-27-2011 02:34 AM
Vikas,
I remember that we had the same problems with two other VPN connections a month ago. We solved it by restarting the firewalls.
Do you have any idea why it could happen?
05-27-2011 02:44 AM
If this kind of problem was resolved by restarting the FW, then the only thing which can have happened is that the IPsec SAs were out of sync:
one side will keep on sending the traffic and the other side will keep on rejecting it because it has no SA.
The other thing I could imagine is one of those bugs where the ASP table goes out of sync after multiple rekeys and there is no way but to reload the FW to overcome the situation.
The ASP problem is rare now in newer code.
05-28-2011 11:04 AM
Perfect information, Vikas. Thanks for sharing.