Site-to-site VPN issue between ASA and Juniper FW

Unanswered Question
Oct 7th, 2009

I am trying to establish a site-to-site VPN tunnel between a Cisco ASA and a Juniper FW. The ASA is on my end.


I can see the tunnel as up when I run show crypto isakmp sa.


But the users on the other end are not able to access the allowed inside server through the VPN tunnel.


When I checked with show crypto ipsec sa, I can't see any packet encapsulation:


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors



Could anybody help me with this?


Yudong Wu Wed, 10/07/2009 - 08:35

Check the routing on your side.

Patrick0711 Wed, 10/07/2009 - 11:19

There are many scenarios that could be causing it. Check your routing configuration to ensure the return traffic is hitting the ASA. Additionally, check and verify your crypto access-list and NAT0 (NAT exemption) access-list, if applicable.


Also, ensure that there are no rules on the inside interface that are blocking the return traffic.


I'd suggest running packet-tracer as well:


packet-tracer input inside icmp x.x.x.x (inside host) 8 0 x.x.x.x (external host) detailed


If the packet-tracer shows that everything is being allowed and encrypted, you likely have a routing issue.
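As an added example (not code from the thread or from Cisco), the following Python helper parses the `show crypto ipsec sa` counter block quoted in the question and classifies the traffic direction, so the "decaps > 0, encaps == 0" pattern the poster saw is flagged as receive-only, which is the case where the reply above points at local routing, NAT exemption and crypto ACLs. The sample output is constructed from the lines quoted in the question; the counter names are the ones the ASA prints, and the truncated `#recv errors` line is kept to show the parser tolerates a counter with no value.

```python
import re

# Constructed sample: the counter block quoted in the question, verbatim
# (the last counter is truncated in the post and carries no value).
SAMPLE_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors
"""

# One '#name: value' pair; the name may contain spaces and hyphens but never
# a '#', ',' or ':', so a match can never run into the next counter.
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z \-]+?):\s*(?P<value>\d+)")


def parse_ipsec_counters(text: str) -> dict:
    """Return {counter_name: int} for every counter that has a numeric value.

    Counters without a value (e.g. a line cut off when pasted) are skipped
    rather than raising, so partial output can still be diagnosed.
    """
    return {m.group("name").strip(): int(m.group("value"))
            for m in COUNTER_RE.finditer(text)}


def diagnose_tunnel(counters: dict) -> str:
    """Classify the SA by comparing outbound (encaps) to inbound (decaps) packets.

    receive-only: the peer's packets arrive and decrypt, but nothing is sent
                  back into the tunnel. On the ASA this usually means return
                  traffic never matches the crypto ACL: check routing toward
                  the ASA, the NAT exemption ACL and inside-interface rules.
    send-only:    the local side encrypts but nothing comes back from the peer.
    no-traffic:   nothing in either direction; look at interesting-traffic
                  definitions on both ends first.
    """
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        return "no-traffic"
    if encaps == 0:
        return "receive-only"
    if decaps == 0:
        return "send-only"
    return "bidirectional"
```

Run `diagnose_tunnel(parse_ipsec_counters(SAMPLE_OUTPUT))` on the thread's output to get `"receive-only"`.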
