VPN Site to Site - Cannot ping internal IP of the router

Hi guys,

I've configured a site to site VPN between two routers, everything is working fine except pinging the internal (LAN) IP of one router.

Everything else is working fine: pinging the hosts through the tunnel in both directions.

The routers I'm using:

- 1841 IOS: 15.0(1)M3

- 2811 IOS: 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.

I checked the ipsec sa counters and it seems that it doesn't send the packets back through the tunnel when I ping the LAN interface.

#pkts encaps isn't incrementing.

Has anyone had this issue before?

Thanks a lot.

Best regards


even if I got this error:

%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at WAN_IP_Router_A

sh crypto isakmp sa shows the connection ACTIVE..as it should.

Try to modify that ACE in your crypto ACL, and put the exact /32 address of your backup-server instead of the whole subnet.

I.e.

permit ip host WAN_IP host BACKUP

I'll try that and let you know.

Thanks.

Hi Andrew,

Still the same issue. Cannot reach LAN_IP of Router B.

With the more specific ACL entries it is better, because the hosts can now reach each other over the VPN. But it seems it cannot send the ICMP replies over the tunnel, even if the WAN_IP is forced over the VPN.

On Router B there are still no SAs, only #send errors:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 44, #recv errors 0

     local crypto endpt.: WAN_B, remote crypto endpt.: WAN_A

     path mtu 1500, ip mtu 1500, ip mtu idb Vlan100

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Thanks.
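An added example, not part of the original thread: a small Python parser for the `show crypto ipsec sa` counters pasted in the post above, flagging the pattern reported there (outbound SPI 0x0, zero encaps, non-zero send errors). The function names and triage rules are assumptions made for illustration.

```python
import re

# Excerpt of the `show crypto ipsec sa` output posted in the thread
# (WAN_A / WAN_B are the poster's placeholders).
SAMPLE = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 44, #recv errors 0
     local crypto endpt.: WAN_B, remote crypto endpt.: WAN_A
     current outbound spi: 0x0(0)
"""

COUNTER = re.compile(r"#([a-z. ]+?):?\s+(\d+)")
SPI = re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)")
PEERS = re.compile(r"local crypto endpt\.:\s*(\S+?),\s*remote crypto endpt\.:\s*(\S+)")


def parse_sa(text):
    """Return counters, peers and outbound SPI from one SA block."""
    sa = {name.strip(): int(value) for name, value in COUNTER.findall(text)}
    spi = SPI.search(text)
    sa["outbound_spi"] = int(spi.group(1), 16) if spi else None
    peers = PEERS.search(text)
    sa["local"], sa["remote"] = peers.groups() if peers else (None, None)
    return sa


def diagnose(sa):
    """Hypothetical triage rules (assumptions, not Cisco-documented thresholds)."""
    findings = []
    encaps, decaps = sa.get("pkts encaps", 0), sa.get("pkts decaps", 0)
    if sa["outbound_spi"] == 0:
        findings.append("no outbound IPsec SA installed for this ACL entry (SPI 0x0)")
    if sa.get("send errors", 0) > 0 and encaps == 0:
        findings.append("packets matched the crypto ACL but were never encapsulated")
    if decaps > 0 and encaps == 0:
        findings.append("one-way flow: traffic is decrypted but replies bypass the tunnel")
    return findings


if __name__ == "__main__":
    sa = parse_sa(SAMPLE)
    print(f"{sa['local']} -> {sa['remote']}")
    for finding in diagnose(sa):
        print(" -", finding)
```

Running it per crypto ACL entry on both routers shows which proxy identity never gets an outbound SA, which is the entry to compare against the peer's mirror ACL.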

Hi Andrew,

I think the problem is on the SA.

The traffic comes from one SA (Backup_Server_IP .2.50 -> RouterB_IP 1.1) and now it must return over another SA (RouterB_WAN_IP -> Backup_Server_IP) and here it breaks.

What do you think?

Maybe yes, but I don't think that it should cause problems like this.

Listen, you're gonna do backup through that interface. For that, I assume, you'll use ssh or telnet. Right?

Did you try to ssh/telnet to the router's inside interface (without adding that ACE), or if you did, did you try to add the ip ssh/telnet source-interface command?

Yes, I've tried all. Still the same issue.

I also tried with tftp source-int, did a copy run tftp, it creates the file but doesn't write anything in it. It's empty.

I haven't found any bugs for this IOS (15.0.1M5)..

Thanks.