08-09-2018 04:38 PM
Hello
We are troubleshooting a connectivity issue over site-to-site VPN between two ASAs. The source and destination IPs are permitted in the S2S VPN ACL Manager as well as the return traffic, however we still cannot ping from one end to the other. Are there any tools or additional logging we can turn on to see whether the packets are reaching the remote end ASA? Let me know what additional information you need.
Thanks
AO
08-09-2018 08:56 PM
Dear AO,
For clarification, we would like to see your output with Phase 1 & Phase 2 status:
show crypto isakmp sa detail
show crypto ipsec sa
You can also check whether your interesting traffic was in the NO-NAT rule.
Cheers,
Aphea
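The two show commands above are read by comparing the per-SA packet counters: "#pkts encaps" counts packets this ASA encrypted and sent into the tunnel, "#pkts decaps" counts packets it received and decrypted. A flow with encaps rising locally but no decaps (and no encaps on the remote ASA for the mirror SA) is leaving one side and never being returned, which is the symptom of a missing NO-NAT exemption or crypto ACL entry. The following added script (not from this thread or from Cisco) parses a constructed, trimmed sample of `show crypto ipsec sa` output and classifies a given source/destination pair; the addresses and the parsing regexes are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample of `show crypto ipsec sa` output (not a real capture),
# trimmed to the lines the diagnosis uses; addresses are documentation ranges.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per IPsec SA: proxy identities plus encaps/decaps counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":  # each SA block begins with its 'local ident' line
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        m = COUNT_RE.search(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas


def diagnose(sas, src, dst):
    """Classify a src->dst flow: no-sa, idle, encaps-only, decaps-only or bidirectional."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sa in sas:
        if src in sa.get("local", ()) and dst in sa.get("remote", ()):
            if sa["encaps"] and sa["decaps"]:
                return "bidirectional"
            if sa["encaps"]:
                return "encaps-only"  # we encrypt and send, nothing comes back
            return "decaps-only" if sa["decaps"] else "idle"
    return "no-sa"  # no SA covers this pair: check crypto ACL and NO-NAT rule
```

Running `diagnose` against the same command output captured on the remote ASA tells you whether its decaps counter moves, i.e. whether the packets arrive there at all.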
08-10-2018 09:03 AM
Hi Aphea
The tunnel is definitely up and working properly and we added the subnet to the NO-NAT rule. We have an object group with all the existing traffic and we just added it to that.
08-09-2018 11:32 PM
Is the tunnel up?
Do you see encrypted/decrypted traffic through the tunnel? Is it just ICMP that is failing, or do you not get any traffic across?
08-10-2018 08:38 AM
Yes, the tunnel is up and there is other traffic going across, but none of the S2S traffic shows in the logs, perhaps because it's encrypted? It's just access from a particular source subnet to a destination host that we're trying to get working; no protocol works between them.
08-10-2018 10:52 AM
Hi all
Looks like it was because of NAT after all, I thought the source subnet was already included but turns out it wasn't. All working now :)
Thanks for all your help
AO