10-07-2009 07:22 AM
I am trying to establish a site-to-site VPN tunnel between a Cisco ASA and a Juniper FW. The ASA is in use on my end.
I can see the tunnel as up when I run show crypto isakmp sa,
but the users at the other end are not able to access the allowed inside server through the VPN tunnel.
When I checked with show crypto ipsec sa, I can't see packet encapsulation:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors
Could anybody help me with this?
10-07-2009 08:35 AM
Check the routing on your side.
10-07-2009 11:19 AM
There are many scenarios that could be causing it. Check your routing configuration to ensure the return traffic is hitting the ASA. Additionally, check and verify your crypto-access-list and NAT0-exempt access-list (if applicable).
Also, ensure that there are no rules on the inside interface that are blocking the return traffic.
I'd suggest performing a packet tracer as well.
packet-tracer input inside icmp x.x.x.x(inside host) 8 0 x.x.x.x (external host) detailed
If the packet-tracer shows that everything is being allowed and encrypted, you likely have a routing issue.
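The counter pattern in the question (decaps rising while encaps stays at zero) can be checked mechanically. The following is an added example, not part of any post in this thread; the function names are hypothetical and it assumes the pasted text holds the counters of a single SA.

```python
import re

# Counter lines as posted in the question (show crypto ipsec sa), including
# the truncated last line, which has no value and must be ignored.
SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#send errors: 0, #recv errors
"""

# '#name: N' pairs; the name may contain letters, digits, spaces and hyphens
# but never a newline, so a counter without a value cannot swallow the next line.
COUNTER = re.compile(r"#([A-Za-z][\w\- ]*?):\s*(\d+)")

# Checks named in the replies for the "tunnel up, nothing encrypted" case.
CHECKS = {
    "one-way-inbound": [
        "routing: does return traffic from the inside host reach the ASA?",
        "crypto access-list: does it match the return flow?",
        "NAT0-exempt access-list: is the return flow exempt from NAT?",
        "inside interface rules: is the return traffic being blocked?",
    ],
}

def parse_counters(text):
    """Return {counter name: int} for every '#name: N' pair in the output."""
    return {n.strip().lower(): int(v) for n, v in COUNTER.findall(text)}

def diagnose(text):
    """Classify traffic direction on one IPsec SA from its packet counters."""
    c = parse_counters(text)
    encaps, decaps = c.get("pkts encaps"), c.get("pkts decaps")
    if encaps is None or decaps is None:
        return "unknown"            # counters missing from the pasted text
    if decaps > 0 and encaps == 0:
        return "one-way-inbound"    # peer's packets arrive, no replies are encrypted
    if encaps > 0 and decaps == 0:
        return "one-way-outbound"   # we encrypt, nothing comes back from the peer
    if encaps == 0 and decaps == 0:
        return "idle"               # SA is up but no interesting traffic seen
    return "bidirectional"

if __name__ == "__main__":
    state = diagnose(SAMPLE)
    print(state)
    for item in CHECKS.get(state, []):
        print(" -", item)
```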
10-08-2009 10:38 AM
Thanks, it's resolved. It was a routing issue from our end.