07-07-2009 12:34 AM
I am trying to set up an L2L tunnel between 2 ASA devices. The tunnel establishes, but when I try to ping from site L1 to site R1 I see that ICMP passes to the tunnel but is not received back. Tunnel TX increased.
On the R1 site I see that tunnel RX increased but not TX. The ACL seems to be the same. What could be the problem?
Attached running configs, R1 and L1.
07-07-2009 01:18 AM
Check your no-nat config.
07-07-2009 01:26 AM
Fixed NAT on R1 to
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.30.0 255.255.255.0
but nothing helps.
07-07-2009 01:34 AM
Make sure the no-nat on both sides is relevant, e.g.:
L1
no-nat permit ip <
R1
no-nat permit ip <
07-07-2009 01:47 AM
I have checked or even disabled NAT on both sites.
When I do packet tracer on the R1 ASA I get strange output.
I have a rule on R1 to permit <
Even after a permit any any on the R1 inside interface, the tracer said that the packet was dropped by the implicit rule deny any any.
07-07-2009 02:02 AM
Post the configs again, removing sensitive information.
07-07-2009 02:15 AM
Here it is.
07-07-2009 02:17 AM
07-07-2009 03:04 AM
Post the output of "show crypto ipsec sa" from both sides.
07-07-2009 03:11 AM
07-07-2009 03:50 AM
The issue is on the R1 side - check, check and re-check all config, no-nat, interesting traffic, IP routes etc.
07-07-2009 04:40 AM
I know that it is on R1, but where?
I recreated the IPsec tunnel from the beginning on R1, but now when I try to initiate the tunnel from the R1 side I get
Routing failed to locate next hop for icmp from NP Identity Ifc:10.20.30.1/0 to inside:10.89.48.1/0
If I try to establish the tunnel from the L1 side it comes up, but there is no reply from the R1 to the L1 side.