Showing results for 
Search instead for 
Did you mean: 

Strange VPN issue, initiates with ICMP not TCP

Level 1
Level 1

Hello All,

I am experiencing a strange issue on a VPN LAN-to-LAN tunnel between two Cisco ASA firewall.

Whenever a remote side tries to connect to a local server over the VPN tunnel with a TCP connection (an HTTP browser connection) all incoming SYN packets get dropped and I can see them in the asp drop capture I am running. The SYN packets are dropped with a message:

"Drop-reason: (acl-drop) Flow is denied by configured rule"

The VPN tunnel gets built and Phase 2 SA is established but there are no encrypted packets going back to the remote end.

Only when the remote side initiates an ICMP ping to the local server  then is the Phase2 SA re-established and the packets get encyrpted going back to the remote side. After that a Web Browser connection works fine and can establish an HTTP session with the Web Server.

Has anyone come across such an event?

Attaching the VPN configuration as well as the logs that show the relevant captures of ASP Drops and the Phase 2 SA on the VPN tunnel.

Remote hosts are on the subnet and the Web Server is running on port 81.

Thank you.


1 Reply 1

Level 1
Level 1

This issue was resolved. Re-creating the access lists that matched interesting traffic on both sides of the VPN tunnel fixed the issue. The access lists were matched exactly (except the direction of traffic obviously) to avoid any discrepancies.

Just in case anyone else comes across this problem.