vpn traffic issue between branch to branch via ho

dabur10376004 · ‎04-10-2015

There are 3 location A,B & C. B is HO . site to site IPsec vpn is configured B to C & B to A. A is pinging to C via HO with site to site vpn. some time A to C is not pinging. so we use packet tracer command on HO ASA & giving below result. Phase: 6 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule once packet tracer command run , A to C connectivity started. This type of issue is occurring every 7-10 days. is there any issue or work around for permanent solution. Please help us. Thanks in advance

Adeolu Owokade · ‎04-12-2015

Hi,

Can you please share your sanitized configuration for the ASAs? Also share the output of "show crypto ipsec sa". It seems the SAs are being destroyed and the packet tracer command is creating them again.

dabur10376004 · ‎04-15-2015

hi,

tunnel are not destroyed. because during problem time , B to C & B to A was working, but A to C was not working. for A to C there was no any tunnels are created. we have done on B end ASA with following command with subnet are added in access list at B end ASA.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

we will provide show crypto IPsec sa when problem will occurred.

thanks

dabur10376004 · ‎04-17-2015

Please find the show crypto IPsec sa for all three locations.

we are same issue facing.A to C connectivity was droped.

when I run packet tracer command on Location B (HO) Then A to C start.

dabur10376004 · ‎04-23-2015

hi,

any one can help us.