VPN IPSEC only working one way.

Unanswered Question
Nov 5th, 2008

I have a strange situation where I have an ASA and a PIX 6.3 at my central site. I can bring the tunnel up from the main PIX site to the ASA but not the other way around.

It appears to fail at Phase 1 with MM_WAIT_MSG6.

Any ideas? All the IKE settings seem to match.

I also have a weird problem where the same ASA seems to drop the connection despite keepalives being set.

Session disconnected. Session Type: IPSecLAN2LAN, Duration: 4h:57m:58s, Bytes xmt: 150198468, Bytes rcv: 9714889, Reason: Lost Service

Not sure if the two problems are related. I have many, many ASAs working in this configuration without issue.

rasoftware Thu, 11/06/2008 - 03:40

This is very strange; the config looks fine, but I have attached it for a fresh pair of eyes. The network that won't come up is from the remote end. The peer is for illustrative purposes.

I also have the strange situation where sometimes both tunnels are up but I cannot ping anything on the remote end via one of the tunnels.

I'm not sure if there is a fault with this or something.

rasoftware Thu, 11/06/2008 - 06:30

Doing a packet trace, it says this is being denied by the default implicit rule.

Is it possible that has become corrupt?

rasoftware Fri, 11/07/2008 - 06:08

Managed to get this working; it turns out the ISP router in front had NAT enabled despite having a set of publics behind it. I noticed in the far-end router the wrong IP for the PSK.

Got them to disable NAT and it's working a treat!
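As an added illustration (not from the thread, and not Cisco's code) of why NAT in front of a peer, or a PSK bound to the wrong peer address, leaves the initiator stuck in MM_WAIT_MSG6: a Python model of IKEv1 main-mode messages 5 and 6 with pre-shared keys. The addresses, key and simplified hash are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed lab values (assumptions, not from the thread): the remote PIX's
# own public IP, the address an ISP router NATs it to, and the shared key.
PIX_PUBLIC = "198.51.100.10"
PIX_NATTED = "203.0.113.5"
LAB_PSK = b"lab-psk-not-real"

def skeyid(psk, ni, nr):
    # RFC 2409, pre-shared key authentication: SKEYID = prf(psk, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def auth_hash(psk, ni, nr, identity):
    # Stand-in for HASH_I / HASH_R: the real value also covers the DH publics,
    # cookies and SA proposal; only the PSK-derived SKEYID and the ID are modelled.
    return hmac.new(skeyid(psk, ni, nr), identity.encode(), hashlib.sha1).digest()

def responder_msg6(keyring, src_ip, id_i, ni, nr, hash_i):
    """ASA side of main mode messages 5 -> 6. Returns (msg6_hash_or_None, reason).
    With pre-shared keys in main mode the responder must select the key by the
    peer's source address: the ID payload in message 5 is already encrypted
    under keys derived from that PSK, so the ID cannot be used for the lookup.
    """
    psk = keyring.get(src_ip)
    if psk is None:
        return None, f"no pre-shared key configured for peer {src_ip}"
    if not hmac.compare_digest(auth_hash(psk, ni, nr, id_i), hash_i):
        return None, "HASH_I mismatch (pre-shared key differs)"
    return auth_hash(psk, ni, nr, "responder"), "ok"

def main_mode_phase1(initiator_ip, observed_src_ip, initiator_psk, responder_keyring):
    """Run messages 5/6 and return (initiator ISAKMP state, responder's reason).
    initiator_ip is the address the PIX identifies itself with; observed_src_ip
    is what the ASA sees on the wire, which differs when NAT sits in the path.
    """
    ni, nr = os.urandom(16), os.urandom(16)  # nonces from messages 3/4
    hash_i = auth_hash(initiator_psk, ni, nr, initiator_ip)  # message 5
    msg6, reason = responder_msg6(responder_keyring, observed_src_ip, initiator_ip, ni, nr, hash_i)
    # Without message 6 the initiator sits in MM_WAIT_MSG6 until retransmits time out.
    return ("MM_ACTIVE" if msg6 else "MM_WAIT_MSG6"), reason

if __name__ == "__main__":
    keyring = {PIX_PUBLIC: LAB_PSK}
    print(main_mode_phase1(PIX_PUBLIC, PIX_PUBLIC, LAB_PSK, keyring))  # no NAT: MM_ACTIVE
    print(main_mode_phase1(PIX_PUBLIC, PIX_NATTED, LAB_PSK, keyring))  # ISP NAT: MM_WAIT_MSG6
    print(main_mode_phase1(PIX_PUBLIC, PIX_PUBLIC, LAB_PSK, {PIX_NATTED: LAB_PSK}))  # key on wrong IP
```

The model shows only the symptom of the last reply's root cause; on a real ASA the equivalent evidence comes from the ISAKMP debug output, not from this script.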
