ASA to VPN3015 Site-to-site Tunnel - One Way Traffic

Scenario:

-ASA5505 v7.2(3) at remote site (public IP)

-VPN3015 v4.7.2


The site-to-site tunnel comes up. When I do 'show crypto ipsec sa' I can see traffic being transmitted FROM the ASA and received by the VPN3015. The problem is I see no traffic being transmitted by the VPN3015 and no traffic being received by the ASA.


I have a static route in the VPN3015 pointing to the network behind it. Also, the devices behind the VPN3015 have routes back to the remote site via the VPN3015.



This is a standard site-to-site tunnel in tunnel mode. Nothing special. No NAT, no fancy filters, etc.


I can't seem to figure this out. It would be awesome if someone had an idea for me.


Thanks!



fortis123 Sat, 02/23/2008 - 06:41

Hi,


Looks like the below access-lists in the config are not applied to your ASA interfaces with access-group.


*****************************
access-list outside_in extended permit icmp any any
access-list outside_in extended permit ip any any
access-list inside_out extended permit icmp any any
access-list inside_out extended permit ip any any
**************************************


hth

MS

DrD3m3nt0 Sat, 02/23/2008 - 13:49


At least 2 probable causes:


1) Routing issue.

Verify that the network behind the VPN concentrator can reach it.


2) Translational error


a) Please post your show crypto ipsec sa peer output.

This will determine the traffic and other parameters.


b) Verify in your logs any occurrences of drops from VPN traffic.


We got it. It was a combination of two things:


1. The VPN concentrator was missing a route to the remote network subnet. I assumed it would build this route dynamically but apparently that's not the case.


2. I was also unaware of a firewall between the VPN concentrator and the Internet. Once we opened up the appropriate stuff it came right up.


Thanks!
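The symptom the original poster read off `show crypto ipsec sa` (encaps counters climbing on the ASA, decaps stuck at zero) is easy to spot by eye for one peer and tedious for many. The triage script below is an added example, not code from the thread or from Cisco: it parses the counter block of that command and labels each SA as bidirectional, send-only, receive-only, idle or failing on receive errors. The sample output is constructed in the ASA layout (peer `198.51.100.2` reproduces the thread's one-way case).

```python
import re
# Constructed 'show crypto ipsec sa' excerpt in the ASA layout (not output from the thread):
# peer .1 is healthy, peer .2 shows the thread's symptom (encaps climbs, decaps stays at 0).
SAMPLE = """\
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1
      #pkts encaps: 4120, #pkts encrypt: 4120, #pkts digest: 4120
      #pkts decaps: 3987, #pkts decrypt: 3987, #pkts verify: 3987
      #send errors: 0, #recv errors: 0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

COUNTERS = {"#pkts encaps": "encaps", "#pkts decaps": "decaps",   # label as printed -> key
            "#send errors": "send_errors", "#recv errors": "recv_errors"}

def parse_ipsec_sa(text):
    """Return one dict per SA; each 'local ident' line opens a new record."""
    sas = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("local ident"):
            sas.append({"local": line.split("): ", 1)[1]})
        elif not sas:
            continue                      # interface/crypto-map header before the first SA
        elif line.startswith("remote ident"):
            sas[-1]["remote"] = line.split("): ", 1)[1]
        elif line.startswith("current_peer:"):
            sas[-1]["peer"] = line.split(":", 1)[1].strip()
        else:                             # several counters share one line, so scan for each label
            for label, key in COUNTERS.items():
                m = re.search(re.escape(label) + r": (\d+)", line)
                if m:
                    sas[-1][key] = int(m.group(1))
    return sas

def classify(sa):
    """Label the traffic pattern of one SA; 'send-only' is the symptom in the thread."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if sa.get("recv_errors"):
        return "recv-errors"              # peer's packets arrive but fail decrypt/verify: SA mismatch, not routing
    if enc and not dec:
        return "send-only"                # we encrypt outbound, nothing returns: peer-side route or a filter in the path
    if dec and not enc:
        return "receive-only"
    return "bidirectional" if enc else "idle"
```

A "send-only" verdict points at the far side (a missing return route or a filter between the peers, as in this thread), while "recv-errors" means the return traffic does arrive and the problem is in the SA itself.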
