06-30-2008 07:36 AM
Hi All,
I have configured a site-to-site VPN between 2 ASA 5520 firewalls, say site A and site B. The problem is this:
If site A initiates the traffic, it brings the VPN up and both sites can communicate with each other. If site A stops the traffic, then after 5 minutes, if site B sends traffic, it is dropped unless site A sends traffic. Even one packet from site A allows site B to communicate. This is a very strange problem I have never encountered before. Your help in this case would be helpful for me.
Thanks
06-30-2008 10:37 AM
Check to see if the VPNs are configured for "bi-directional" connectivity. Site B could be configured for "answer-only".
HTH.
06-30-2008 08:08 PM
Very new to Cisco but have experienced similar before.
Check your ACLs. If site A has a subset of site B, then it will establish the VPN tunnel only from site A.
e.g.
Site A network is 192.168.0.0/24
Site B network is 10.10.10.0/24
(with either an additional network, e.g. a DMZ, or just an ACL artifact of 172.1.1.0/24)
Site A ACL (IPSec rule list)
192.168.0.0/24 --> 10.10.10.0/24
Site B ACL (IPSec rule list)
10.10.10.0/24 --> 192.168.0.0/24
172.1.1.0/24 --> 192.168.0.0/24
If your ACLs are like this, then site A will establish an IPsec tunnel, but site B will not.
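As an added illustration (not code from the thread), a small Python checker that parses ASA-style crypto ACL lines and reports entries with no mirror-image ACE on the peer; the ACL names and sample lines are constructed from the networks in the post above:

```python
import ipaddress

# Constructed sample ASA crypto ACLs (ACL names are assumed), modelled on the
# networks in the post above: site B carries an extra 172.1.1.0/24 entry.
SITE_A_ACL = """
access-list VPN-TO-B extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
"""
SITE_B_ACL = """
access-list VPN-TO-A extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list VPN-TO-A extended permit ip 172.1.1.0 255.255.255.0 192.168.0.0 255.255.255.0
"""


def _addr(tokens, i):
    """Parse one ASA address spec at tokens[i] (any / host X / addr mask)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return the set of (src_net, dst_net) pairs from 'extended permit ip' ACEs."""
    pairs = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list":
            continue
        if tokens[2:5] != ["extended", "permit", "ip"]:
            continue
        src, i = _addr(tokens, 5)
        dst, _ = _addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def mirror_mismatches(local_acl, remote_acl):
    """ACEs on each side with no mirrored (dst -> src) ACE on the other side.

    Each reported entry is traffic one peer will try to protect with the tunnel
    while the other peer has no matching ACE for it: the mismatch described above.
    """
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    return {
        "only_local": sorted(f"{s} -> {d}" for s, d in local if (d, s) not in remote),
        "only_remote": sorted(f"{s} -> {d}" for s, d in remote if (d, s) not in local),
    }
```

Running `mirror_mismatches(SITE_A_ACL, SITE_B_ACL)` flags the 172.1.1.0/24 entry as present only on site B.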
07-01-2008 03:39 AM
Hi
First of all, I have only created a VPN between 2 Windows machines by using a /32 subnet mask. Secondly, both sites are in bidirectional mode.
show crypto ipsec sa gives the following information.
SITE B show command
ping from SITE B to SITE A
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0
While on SITE A, I have not received any packet:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
This means the VPN comes up, SITE B encrypts the traffic and forwards it to SITE A, but SITE A does not receive it for some reason.
If I try to ping from the SITE A machine to the SITE B machine, then both are able to communicate. If I stop traffic between these sites for 5 minutes, then from then on SITE B is not able to communicate with SITE A unless Site A sends traffic.
07-01-2008 05:05 AM
Tauseef,
Can you post a "sanitised" config for both ends? This will reduce the number of emails in the thread!
07-10-2008 09:17 AM
Hi,
Do you have more than one VPN tunnel at Site B? Can you please post the configs as requested earlier?
Saju
07-10-2008 11:28 AM
Check the nat0 ACL and the crypto ACL. Post the config if possible, if you need further help.
07-10-2008 11:36 AM
Show the configurations on both sides.