07-07-2009 12:34 AM
I am trying to set up an L2L tunnel between 2 ASA devices. The tunnel establishes, but when I try to ping from site l1 to site r1 I see that ICMP passes to the tunnel but is not received back. Tunnel TX increased.
On the r1 site I see that tunnel RX increased but not TX. The ACL seems to be the same. What could be the problem?
Attached running configs, r1 and l1.
07-07-2009 01:18 AM
Check your no-nat config.
07-07-2009 01:26 AM
Fixed NAT on r1 to:
nat (inside) 0 access-list nonat
nat (inside) 1 10.20.30.0 255.255.255.0
but nothing helps.
07-07-2009 01:34 AM
Make sure the no-nat on both sides is relevant, e.g.:
L1
no-nat permit ip <
R1
no-nat permit ip <
07-07-2009 01:47 AM
I have checked or even disabled NAT on both sites.
When I do packet tracer on the r1 ASA I get strange output.
I have a rule on r1 to permit <
even after it permit any any on the r1 inside interface, but the tracer said that the packet was dropped by the implicit rule deny any any.
07-07-2009 02:02 AM
Post the configs again - removing sensitive information.
07-07-2009 02:15 AM
Here it is.
07-07-2009 02:17 AM
07-07-2009 03:04 AM
Post the output of "show crypto ipsec sa" from both sides.
07-07-2009 03:11 AM
07-07-2009 03:50 AM
The issue is on the R1 side - check, check and re-check all config, no-nat, interesting traffic, IP routes etc.
07-07-2009 04:40 AM
I know that it is in r1, but where?
I recreated the IPsec tunnel from the beginning on r1, but now when I try to initiate the tunnel from the r1 side I get:
Routing failed to locate next hop for icmp from NP Identity Ifc:10.20.30.1/0 to inside:10.89.48.1/0
If I try to establish the tunnel from the l1 side it comes up, but there is no reply from r1 to the l1 side.