Site to Site VPN issue

Unanswered Question
Aug 7th, 2008
This is a little strange. We have a LAN-to-LAN VPN set up and I am getting a message from the ASA saying:

2|Aug 07 2008 08:39:59|106001: Inbound TCP connection denied from xxx.xx.xxx.20/39090 to xx.xx.x.162/23 flags SYN on interface inside

when we try to telnet to the device. They can telnet from their end to our system, but I get that type of message whenever I try anything other than a ping; traceroute gives me a similar error. I am getting hits on the ACL for the tunnel but the traffic is not passing.


And stranger yet, this is an outbound connection and I am getting an inbound connection error.


I also have other connections to this server that are working. I am a little perplexed.


Anyone have any ideas?

jjohnston1127 Thu, 08/07/2008 - 06:40

Are you sure that your NONAT access list on the ASA at your facility is permitting traffic from your local network to the remote network?
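One way to check the question above mechanically, as an added example that is not from the thread or from Cisco: parse the ASA-style ACL lines and a 106001 syslog line, then report which crypto-map ACL selects the denied flow and whether the NAT-exemption ACL (named inside_nat0_outbound here, as in the thread) also covers it. The ACL names follow the thread; every network, the sample log line and the helper names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample ACLs in ASA "access-list NAME extended permit ip SRC MASK DST MASK" form.
# The ACL names follow the thread; every network is invented for this example.
# outside_cryptomap_200 has a matching NAT-exemption entry; outside_cryptomap_220 does not.
SAMPLE_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_200 extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap_220 extended permit ip 10.10.0.0 255.255.0.0 192.168.60.0 255.255.255.0
"""

# Constructed 106001 line in the shape shown in the thread (addresses invented).
SAMPLE_LOG = ("2|Aug 07 2008 08:39:59|106001: Inbound TCP connection denied from "
              "10.10.3.20/39090 to 192.168.60.162/23 flags SYN on interface inside")

LOG_RE = re.compile(r"106001: Inbound (TCP|UDP) connection denied from (\S+)/(\d+) to (\S+)/(\d+)")


def _addr_spec(tokens, i):
    """Consume one ASA address spec (any | host A.B.C.D | NET MASK) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA extended ACLs use subnet masks, not wildcard masks; ipaddress accepts "net/mask".
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'extended permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2:5] != ["extended", "permit", "ip"]:
            continue  # deny entries, tcp/udp entries with ports and remarks are out of scope here
        src, i = _addr_spec(t, 5)
        dst, _ = _addr_spec(t, i)
        acls.setdefault(t[1], []).append((src, dst))
    return acls


def parse_denial(log_line):
    """Pull protocol, source and destination out of a 106001 syslog line."""
    m = LOG_RE.search(log_line)
    if not m:
        raise ValueError("not a 106001 'connection denied' line")
    proto, src, sport, dst, dport = m.groups()
    return proto, ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport)


def _covered(entries, src, dst):
    return any(src in s and dst in d for s, d in entries)


def diagnose_flow(acls, src, dst, crypto_prefix="outside_cryptomap_", nat0_name="inside_nat0_outbound"):
    """Which crypto-map ACLs select this flow, and does the NAT-exemption ACL also cover it?

    A flow that hits a crypto ACL but is missing from the nat0 ACL is the mismatch
    jjohnston1127 asks about: NAT runs before the crypto map is evaluated, so the
    translated packet no longer matches the proxy identity the tunnel was built for.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    crypto = sorted(n for n, e in acls.items() if n.startswith(crypto_prefix) and _covered(e, src, dst))
    return {"crypto_acls": crypto, "nat_exempt": _covered(acls.get(nat0_name, []), src, dst)}


def diagnose_log(config, log_line):
    """Run the check for the flow named in a 106001 line."""
    proto, src, sport, dst, dport = parse_denial(log_line)
    result = diagnose_flow(parse_acls(config), src, dst)
    result.update({"proto": proto, "src": str(src), "dst": str(dst), "dport": dport})
    return result


if __name__ == "__main__":
    r = diagnose_log(SAMPLE_CONFIG, SAMPLE_LOG)
    print(f"{r['proto']} {r['src']} -> {r['dst']}:{r['dport']}: "
          f"crypto={r['crypto_acls']} nat_exempt={r['nat_exempt']}")
```

Feed it the real `show running-config access-list` output and the 106001 line from the log; a flow that reports a crypto ACL but `nat_exempt=False` is the case to look at first. The parser deliberately handles only `extended permit ip` entries with `any`, `host` and net/mask specs, so object-group based ACLs would need expanding before running the check.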

svanguilder Thu, 08/07/2008 - 07:01
There is no NONAT ACL; instead we have an inside_nat0_outbound ACL.


And this one shows to be set up the same as the 12 LAN-to-LAN VPNs that are working.

jjohnston1127 Thu, 08/07/2008 - 07:24

Can you post the complete configuration of the ASA that does not work as well as one that does work so the community can review it?


Also, have you tried running the command


same-security-traffic permit intra-interface

svanguilder Thu, 08/07/2008 - 07:58
The issue isn't that one of our devices doesn't work; rather, one of the 13 LAN-to-LAN connections is having some issues. The other 12 LAN-to-LAN VPNs are working fine.


I attached the ASA config. The connection that is giving me issues is outside_cryptomap_220.

svanguilder Fri, 08/08/2008 - 06:28
Here is a little more info. The device on the other end is a Watchguard FireBox. I can ping and traceroute (anything ICMP), but anything TCP or UDP acts like there is no tunnel. I can kill the tunnel and a telnet will bring it up, but then it acts the same as if I try from an address that is not listed in the tunnel.


I removed all the settings, purged all the ACLs and recreated it from my end, to no avail. I am stumped.


Does any of this make sense?
