Site-to-site works from one side but not the other

thornrag · ‎07-17-2007

I've set up a site-to-site VPN between a 501 and a 506, each with its own private subnet, and everything works fine... except that machines on the 506's subnet can't contact machines on the 501's subnet.

Since the VPN tunnel works, I suspect a problem in my routing, but I'm not sure where to start troubleshooting.

Any tips? Anything I should look for?

palomoj · ‎07-17-2007

When you say "everything works fine" do you mean you are able to get two way traffic? Pings are working?

stephen.simpson · ‎07-17-2007

Do a traceroute from a server/PC on the 506 side. You will probably asterisk out when you hit the Pix, but it should show you if you have a routing problem. Also check your crypto ACL on the 506 side. Do show xxxx access-list and see if there are hit counts incrementing. Or do a debug icmp trace on both Pixs and ping from a server on the 506 side to a server on the other side. See if there are echo-requests and echo-replies on both Pixs, assuming those are allowed over your tunnel, and that should help you figure out where it is stopping.

acomiskey · ‎07-17-2007

If you're saying that machines behind the 501 can connect to machines behind the 506, then this would not be a routing problem as the return traffic is making it back to the 501. You'll have to be a little more specific about the problem or post configs.