06-30-2008 07:36 AM
Hi All,
I have configured a site-to-site VPN between 2 ASA 5520 firewalls, say Site A and Site B. The problem is this:
If Site A initiates the traffic, it brings the VPN up and both sites can communicate with each other. If Site A stops the traffic, then after 5 minutes, if Site B sends traffic it is dropped unless Site A sends traffic. Even one packet from Site A allows Site B to communicate. This is a very strange problem I have never encountered before. Your help in this case would be helpful for me.
Thanks
06-30-2008 10:37 AM
Check to see if the VPNs are configured for "bi-directional" connectivity. Site B could be configured for "answer-only".
HTH.
06-30-2008 08:08 PM
Very new to Cisco but have experienced similar before.
Check your ACL lists. If Site A has a subset of Site B, then the VPN tunnel will only be established from Site A.
e.g.
Site A network is 192.168.0.0/24
Site B network is 10.10.10.0/24
(with either an additional network, e.g. a DMZ, or just an ACL artifact of 172.1.1.0/24)
Site A ACL (IPSec rule list)
192.168.0.0/24 --> 10.10.10.0/24
Site B ACL (IPSec rule list)
10.10.10.0/24 --> 192.168.0.0/24
172.1.1.0/24--> 192.168.0.0/24
If your ACLs are like this, then Site A will establish an IPsec tunnel, but Site B will not.
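An added example, not from the original thread, that applies the mirror-image check described above to the crypto ACLs in this post and also reads the one-way encaps/decaps pattern out of "show crypto ipsec sa" text. The ACL entries and the counter lines are constructed from the values quoted in this thread.

```python
import ipaddress
import re

# Crypto ACL entries as (source, destination) prefixes, taken from the example above
# (constructed data for this example, not pulled from a live device)
SITE_A_ACL = [("192.168.0.0/24", "10.10.10.0/24")]
SITE_B_ACL = [("10.10.10.0/24", "192.168.0.0/24"),
              ("172.1.1.0/24", "192.168.0.0/24")]


def unmirrored_entries(local_acl, remote_acl):
    """Return remote (src, dst) pairs that have no exact mirror (dst, src) in local_acl.

    A non-empty result means traffic the remote peer considers "interesting"
    has no matching proxy identity on this side, so only one peer can bring the SA up.
    """
    local = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in local_acl}
    missing = []
    for s, d in remote_acl:
        mirror = (ipaddress.ip_network(d), ipaddress.ip_network(s))
        if mirror not in local:
            missing.append((s, d))
    return missing


# Matches the two counters that matter for direction: encaps (sent) and decaps (received)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def one_way_sa(show_output):
    """Parse 'show crypto ipsec sa' text; True when this peer encrypts but never decrypts."""
    counts = {name: int(value) for name, value in COUNTER_RE.findall(show_output)}
    return counts.get("encaps", 0) > 0 and counts.get("decaps", 0) == 0


# Constructed counter lines mirroring the Site B output quoted later in the thread
SITE_B_SA = """#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"""

if __name__ == "__main__":
    print("Entries on B with no mirror on A:", unmirrored_entries(SITE_A_ACL, SITE_B_ACL))
    print("Site B SA is one-way:", one_way_sa(SITE_B_SA))
```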
07-01-2008 03:39 AM
Hi
First of all, I have only created a VPN between 2 Windows machines by using a /32 subnet mask. Secondly, both sites are in bidirectional mode.
show crypto ipsec sa gives the following information.
SITE B show command
ping from SITE B to SITE A
#pkts encaps: 29, #pkts encrypt: 29, #pkts digest: 29
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 29, #pkts comp failed: 0, #pkts decomp failed: 0
while on SITE A, I have not received any packet:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
That means the VPN comes up, SITE B encrypts the traffic and forwards it to SITE A, but SITE A does not receive it for some reason.
If I try to ping from the SITE A machine to the SITE B machine, then both are able to communicate. If I stop traffic between these sites for 5 minutes, then from then on SITE B is not able to communicate with SITE A unless Site A sends the traffic.
07-01-2008 05:05 AM
Tauseef,
Can you post a "sanitised" config for both ends? This will reduce the number of emails in the thread!
07-10-2008 09:17 AM
Hi,
Do you have more than one VPN tunnel at Site B? Can you please post the configs as requested earlier?
Saju
07-10-2008 11:28 AM
Check the nat0 ACL and the crypto ACL. Post the config if possible, if you need further help.
07-10-2008 11:36 AM
Show the configurations on both sides.