Re: VPN IPSEC only working one way.

rasoftware · ‎11-05-2008

I have a strange situation where I have a ASA and PIX 6.3 at my central site. I can bring the tunnel up from the main PIX site to the ASA but not the other way around.

It appears to fail at Phase 1 with MM_Wait_MSG6.

Any ideas, all IKE seems to match.

I also have a weird problem where the same ASA seems to drop the connection despite keep alives being set.

Session disconnected. Session Type: IPSecLAN2LAN, Duration: 4h:57m:58s, Bytes xmt: 150198468, Bytes rcv: 9714889, Reason: Lost Service

Not sure if the two problems are related. I have many many ASA working in this configuration without issue.

jmayes · ‎11-05-2008

If the rules are all OK, the first two other things I'd check are:

a. do I have NAT 0 set for both sides of the connection pairs and are the addresses correct

b. do I have interesting traffic rules set for both sides and are the rules correct

rasoftware · ‎11-06-2008

This is very strange the config looks fine - but I have attached for fresh pair of eyes. The network that won't come up is 192.100.106.0 from the remote end. Peer is 111.111.111.111 for illustrative purposes.

I also have the strange situation where sometime both tunnels are up but I cannot ping anything on the remote end via one of the tunnels.

I'm not sure if there is a fault with this or something.

rasoftware · ‎11-06-2008

Doing a packet trace it says this is being denied by the default implicit rule.

Is it possible that has become corrupt?

rasoftware · ‎11-07-2008

Managed to get this working - turns out the ISP router in front had NAT enabled despite having a set of publics behind it. Noticed in the far end router the wrong IP for the PSK.

Got them to disable NAT and it working a treat!