Site-to-site works from one side but not the other

Unanswered Question
Jul 17th, 2007

I've set up a site-to-site VPN between a 501 and a 506, each with its own private subnet, and everything works fine... except that machines on the 506's subnet can't contact machines on the 501's subnet.

Since the VPN tunnel works, I suspect a problem in my routing, but I'm not sure where to start troubleshooting.

Any tips? Anything I should look for?

stephen.simpson... Tue, 07/17/2007 - 16:08

Do a traceroute from a server/PC on the 506 side. You will probably asterisk out when you hit the PIX, but it should show you if you have a routing problem. Also check your crypto ACL on the 506 side. Do show xxxx access-list and see if there are hit counts incrementing. Or do a debug icmp trace on both PIXes and ping from a server on the 506 side to a server on the other side. See if there are echo-requests and echo-replies on both PIXes, assuming those are allowed over your tunnel, and that should help you figure out where it is stopping.
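
The hit-count check suggested in the reply above can be done by saving the access-list output before and after a test ping and comparing the counters. This is an added example, not part of the original reply; it assumes each entry line ends in `(hitcnt=N)`, and the ACL name `crypto_506`, the subnets and the counts are constructed sample data.

```python
import re

# One ACE line of `show access-list` output (format assumed):
# access-list NAME line N permit ip SRC MASK DST MASK (hitcnt=H)
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+line\s+(?P<line>\d+)\s+"
    r"(?P<rule>.+?)\s+\(hitcnt=(?P<hits>\d+)\)\s*$"
)

def parse_hitcounts(show_output):
    """Return {(acl_name, line_no): (rule_text, hitcnt)}."""
    entries = {}
    for raw in show_output.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:  # summary/header lines and blanks do not match
            entries[(m["name"], int(m["line"]))] = (m["rule"], int(m["hits"]))
    return entries

def hitcount_deltas(before, after):
    """Compare two snapshots; return [(acl, line, rule, delta), ...]."""
    old, new = parse_hitcounts(before), parse_hitcounts(after)
    deltas = []
    for (acl, line), (rule, hits) in sorted(new.items()):
        prev = old.get((acl, line), (rule, 0))[1]
        # A lower value than before means the counters were cleared
        delta = hits - prev if hits >= prev else hits
        deltas.append((acl, line, rule, delta))
    return deltas

def stalled_entries(before, after):
    """Entries whose counter did not move while test traffic was sent."""
    return [d for d in hitcount_deltas(before, after) if d[3] == 0]

# Constructed snapshots: ACL name, subnets and counts are made up.
BEFORE = """\
access-list crypto_506; 2 elements
access-list crypto_506 line 1 permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list crypto_506 line 2 permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=41)
"""
AFTER = """\
access-list crypto_506; 2 elements
access-list crypto_506 line 1 permit ip 192.168.6.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0)
access-list crypto_506 line 2 permit ip 192.168.6.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=47)
"""

if __name__ == "__main__":
    for acl, line, rule, delta in hitcount_deltas(BEFORE, AFTER):
        note = "no new hits" if delta == 0 else f"+{delta}"
        print(f"{acl} line {line}: {note}  [{rule}]")
```

An entry that reports no new hits while test pings are running is one the traffic never matched on that device, which narrows down where to look next.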

acomiskey Tue, 07/17/2007 - 16:39

If you're saying that machines behind the 501 can connect to machines behind the 506, then this would not be a routing problem as the return traffic is making it back to the 501. You'll have to be a little more specific about the problem or post configs.

