cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
691
Views
0
Helpful
6
Replies

Troubleshoot site-to-site VPN traffic - ASA 5520

aok
Beginner
Beginner

Hello

 

We are troubleshooting a connectivity issue over site-to-site VPN between two ASAs. The source and destination IPs are permitted in the S2S VPN ACL Manager as well as the return traffic, however we still cannot ping from one end to the other. Are there any tools or additional logging we can turn on to see whether the packets are reaching the remote end ASA? Let me know what additional information you need.

 

Thanks

AO

1 Accepted Solution

Accepted Solutions

Aphea
Beginner
Beginner

Dear AO,
For clarification, we would to see your output with Phase1 & Phase2 status.

show crypto isakmp sa detail

show crypto ipsec sa

You can also check whether your interesting traffic was in the NO-NAT rule.

 

Cheer,

Aphea

View solution in original post

6 Replies 6

Aphea
Beginner
Beginner

Dear AO,
For clarification, we would to see your output with Phase1 & Phase2 status.

show crypto isakmp sa detail

show crypto ipsec sa

You can also check whether your interesting traffic was in the NO-NAT rule.

 

Cheer,

Aphea

Hi Aphea

 

The tunnel is definitely up and working properly and we added the subnet to the NO-NAT rule. We have an object group with all the existing traffic and we just added it to that.

Dennis Mink
Advisor
Advisor

is the tunnel up?

 

do you seen encrpted/decrypted traffic through the tunnel. Is it just icmp that is failing or do you not get any traffic across?

Please remember to rate useful posts, by clicking on the stars below.

Yes the tunnel is up and there is other traffic going across, but none of the S2S traffic shows in the logs, perhaps because it's encrypted? Its just access from a particular source subnet to a destination host that we're trying to get working, no protocol works between them.

Hi, Can you please run packet-tracer and upload the output for us to view.

Hi all

 

Looks like it was because of NAT after all, I thought the source subnet was already included but turns out it wasn't. All working now :)

 

Thanks for all your help

AO

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers