10-07-2009 07:22 AM
I am trying to establish a site-to-site VPN tunnel between a Cisco ASA and a Juniper FW. The ASA is in use on my end.
I can see the tunnel as up when I run show crypto isakmp sa.
But users at the other end are not able to access the allowed inside server through the VPN tunnel.
When I checked with show crypto ipsec sa, I can't see any packet encapsulation:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors
Could anybody help me with this?
10-07-2009 08:35 AM
Check the routing on your side.
10-07-2009 11:19 AM
There are many scenarios that could be causing it. Check your routing configuration to ensure the return traffic is hitting the ASA. Additionally, check and verify your crypto-access-list and NAT0-exempt access-list (if applicable).
Also, ensure that there are no rules on the inside interface that are blocking the return traffic.
I'd suggest performing a packet tracer as well.
packet-tracer input inside icmp x.x.x.x(inside host) 8 0 x.x.x.x (external host) detailed
If the packet-tracer shows that everything is being allowed and encrypted, you likely have a routing issue.
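Added example, not part of the original thread: a small Python check that reads the counters of one SA block from show crypto ipsec sa and names the traffic direction that is missing, using the counters posted in the question. The function names, labels and hint wording are this example's own; it also covers the directions the thread does not show.

```python
import re

# Counter lines from "show crypto ipsec sa", copied from the question above,
# including the last line, which is cut off after "#recv errors".
SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#send errors: 0, #recv errors
"""

# Matches "#<name>: <number>"; a name with no value (truncated output) is skipped.
COUNTER = re.compile(r"#\s*([A-Za-z][\w\- ]*?):\s*(\d+)")

# Labels and hints are this example's wording, not ASA output.
HINTS = {
    "inbound-only": "Peer traffic is decrypted here but nothing is encrypted back: "
                    "check that return traffic is routed to the ASA, then the crypto "
                    "ACL, NAT exemption and inside-interface rules.",
    "outbound-only": "This side encrypts but nothing is decrypted: the return path "
                     "has to be checked from the peer's side.",
    "no-traffic": "The SA exists but no packets have matched it in either direction.",
    "bidirectional": "Packets are flowing in both directions.",
    "incomplete": "The encaps/decaps counters were not found in the input.",
}

def parse_counters(text):
    """Return {counter name: int} for every complete counter in the text."""
    return {name.strip(): int(value) for name, value in COUNTER.findall(text)}

def diagnose(counters):
    """Classify one SA by its encaps/decaps counters."""
    enc = counters.get("pkts encaps")
    dec = counters.get("pkts decaps")
    if enc is None or dec is None:
        return "incomplete"
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc == 0:
        return "inbound-only"
    if dec == 0:
        return "outbound-only"
    return "bidirectional"

if __name__ == "__main__":
    verdict = diagnose(parse_counters(SAMPLE))
    print(verdict + ": " + HINTS[verdict])
```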
10-08-2009 10:38 AM
Thanks, it's resolved. It was a routing issue on our end.