Site to Site VPN: one-way traffic brings the VPN up but not the other way.

t4tauseef33
Level 1

Hi All,

I have configured a site-to-site VPN between 2 ASA 5520 firewalls, say site A and site B. The problem is this:

If site A initiates the traffic, it brings the VPN up and both sites can communicate with each other. If site A stops the traffic, then after 5 minutes, if site B sends traffic, it is dropped unless site A sends traffic. Even one packet from site A allows site B to communicate. This is a very strange problem that I have never encountered before. Your help in this case would be very helpful for me.

Thanks

7 Replies

andrew.prince
Level 10

Check to see if the VPNs are configured for "bi-directional" connectivity. Site B could be configured for "answer-only".

HTH.

s.haszard
Level 1

Very new to Cisco but have experienced similar before.

Check your ACL lists. If site A has a subset of site B then it will establish the VPN tunnel only from site A.

e.g.

Site A network is 192.168.0.0/24

Site B network is 10.10.10.0/24

(with either an additional network, e.g. a DMZ, or just an ACL artifact of 172.1.1.0/24)

Site A ACL (IPSec rule list)

192.168.0.0/24 --> 10.10.10.0/24

Site B ACL (IPSec rule list)

10.10.10.0/24 --> 192.168.0.0/24

172.1.1.0/24 --> 192.168.0.0/24

If your ACLs are like this then site A will establish an IPSEC tunnel, but site B will not.
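As an added illustration of the ACL-mirroring point above (example code, not from this thread or from Cisco): a small Python check that parses both peers' crypto ACLs in the "src --> dst" notation used in this post and reports every entry whose mirror image is missing on the other peer. The two sample ACLs are constructed from the networks above; it generalises to any number of entries.

```python
import ipaddress

# Constructed sample crypto ACLs, written in the "src --> dst" notation of the post.
SITE_A_ACL = """
192.168.0.0/24 --> 10.10.10.0/24
"""

SITE_B_ACL = """
10.10.10.0/24 --> 192.168.0.0/24
172.1.1.0/24 --> 192.168.0.0/24
"""


def parse_acl(text):
    """Parse 'src --> dst' lines into a set of (src_network, dst_network) pairs."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):  # skip blanks and comment lines
            continue
        src, dst = (part.strip() for part in line.split("-->"))
        entries.add((ipaddress.ip_network(src, strict=False),
                     ipaddress.ip_network(dst, strict=False)))
    return entries


def mirror(entry):
    """The entry the remote peer must carry for this one: source and destination swapped."""
    src, dst = entry
    return (dst, src)


def asymmetric_entries(acl_a, acl_b):
    """Return (only_in_a, only_in_b): entries with no mirrored counterpart on the other peer.

    Each such entry is traffic one peer treats as interesting but the other will not
    negotiate, which yields exactly the one-way tunnel behaviour described in the thread.
    """
    a, b = parse_acl(acl_a), parse_acl(acl_b)
    only_in_a = {e for e in a if mirror(e) not in b}
    only_in_b = {e for e in b if mirror(e) not in a}
    return only_in_a, only_in_b


def report(acl_a, acl_b):
    """Human-readable findings, one line per unmirrored entry (empty list means mirrored)."""
    only_a, only_b = asymmetric_entries(acl_a, acl_b)
    lines = [f"Site A has {s} --> {d} but Site B lacks {d} --> {s}" for s, d in sorted(only_a, key=str)]
    lines += [f"Site B has {s} --> {d} but Site A lacks {d} --> {s}" for s, d in sorted(only_b, key=str)]
    return lines
```

Run against the sample ACLs it flags only the 172.1.1.0/24 entry at site B, which is the entry that keeps site B from bringing the tunnel up on its own.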

Hi,

First of all, I have only created a VPN between 2 Windows machines by using a /32 subnet mask. Secondly, both sites are in bidirectional mode.

show crypto ipsec sa gives the following information.

SITE B show command

ping from SITE B to SITE A

#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0

While on SITE A, I have not received any packet:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

It means the VPN comes up, SITE B encrypts the traffic and forwards it to SITE A, but SITE A does not receive it for some reason.

If I try to ping from the SITE A to the SITE B machine, then both are able to communicate. If I stop traffic for 5 minutes between these sites, then from then on SITE B is not able to communicate with SITE A unless site A sends the traffic.

Tauseef,

Can you post a "sanitised" config for both ends? This will reduce the amount of emails in the thread!

singhsaju
Level 4

Hi,

Do you have more than one VPN tunnel at Site B? Can you please post the configs as requested earlier?

Saju

jpoplawski
Level 1

Check the nat0 ACL and the crypto ACL. Post the config if possible, if you need further help.

a.alekseev
Level 7

Show the configurations on both sides.