Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
524
Views
0
Helpful
5
Replies

Site to Site VPN issue

svanguilder
Level 1
Level 1

‎08-07-2008 05:56 AM - edited ‎03-11-2019 06:27 AM

This a little strange. We have a LAN 2 LAN VPN setup and I am getting a message from the ASA saying:

2|Aug 07 2008 08:39:59|106001: Inbound TCP connection denied from xxx.xx.xxx.20/39090 to xx.xx.x.162/23 flags SYN on interface inside

when we try to telnet to the device. They can telnet from their end to our system but I get that type of a message when ever I try anything other than a ping, traceroute gives me a similar error. I am getting hits on the ACL for the tunnel but the traffic is not passing.

And stranger yet is this is an outbound connection and I am getting an inbound connection error.

I also have other connections to this server that are working. I am a little perplexed.

Anyone have any ideas?

Labels:
0 Helpful
5 Replies 5

jj27
Spotlight
Spotlight

‎08-07-2008 06:40 AM

Are you sure that your NONAT access list on the ASA at your facility is permitting traffic from your local network to the remote network?

0 Helpful

svanguilder
Level 1
Level 1
In response to jj27

‎08-07-2008 07:01 AM

There is no NONAT acl instead we have a inside_nat0_outbound acl

And this one shows to be setup the same as the 12 LAN to LAN VPNs that are working.

0 Helpful

jj27
Spotlight
Spotlight
In response to svanguilder

‎08-07-2008 07:24 AM

Can you post the complete configuration of the ASA that does not work as well as one that does work so the community can review it?

Also, have you tried running the command

same-security-traffic permit intra-interface

0 Helpful

svanguilder
Level 1
Level 1
In response to jj27

‎08-07-2008 07:58 AM

The issue isn't that one of our devices doesn't work, rather one of 13 the LAN to LAN connections is having some issues. The other 12 LAN to LAN VPNs are working fine.

I attached the ASA config. The connection that is giving me issue is. outside_cryptomap_220

Preview file
127 KB
0 Helpful

svanguilder
Level 1
Level 1
In response to svanguilder

‎08-08-2008 06:28 AM

Here is a little more info. The device on the other end is a Watchguard FireBox. I can ping, and trace route(any thing ICMP) but anything TCP or UDP acts like there is no tunnel. I can kill the tunnel and a telnet will bring it up but then it acts like the same as if I try from an address that is not listed in the tunnel.

I remove the all the setting and purged all the ACLS and recreated it from my end to no avail. I am stumped.

Any of this make sense?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card