
Site-to-site VPN issue between ASA and Juniper FW

Mahinmitrxblr
Level 1

I am trying to establish a site-to-site VPN tunnel between a Cisco ASA and a Juniper FW. The ASA is in use on my end.

I can see the tunnel as up when I run show crypto isakmp sa.

But the users at the other end are not able to access the allowed inside server through the VPN tunnel.

When I checked with show crypto ipsec sa, I can't see packet encapsulation:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors

Could anybody help me with this?

3 Replies

Yudong Wu
Level 7

Check the routing on your side.

Patrick0711
Level 3

There are many scenarios that could be causing it. Check your routing configuration to ensure the return traffic is hitting the ASA. Additionally, check and verify your crypto-access-list and NAT0-exempt access-list (if applicable).

Also, ensure that there are no rules on the inside interface that are blocking the return traffic.

I'd suggest performing a packet tracer as well.

packet-tracer input inside icmp x.x.x.x(inside host) 8 0 x.x.x.x (external host) detailed

If the packet-tracer shows that everything is being allowed and encrypted, you likely have a routing issue.

Thanks, it's resolved; it was a routing issue on our end.
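
Added example, not written by anyone in this thread: a small Python parser for the `#pkts` counter lines of `show crypto ipsec sa` that classifies the encaps/decaps pattern from the question. It generalizes beyond the thread's case (decaps rising, encaps at zero) to the other three combinations; the function names and the wording of the diagnosis strings are assumptions made for this illustration.

```python
import re

# Constructed sample: counter lines as pasted in the question from
# `show crypto ipsec sa` (the last entry is truncated in the post).
SAMPLE = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#send errors: 0, #recv errors
"""

# '#name: N' pairs; names may contain spaces and hyphens (e.g. pre-frag).
COUNTER = re.compile(r"#([A-Za-z][A-Za-z \-]*?):\s*(\d+)")


def parse_counters(text):
    """Return {name: int}; entries without a value are skipped."""
    return {name.strip(): int(val) for name, val in COUNTER.findall(text)}


def diagnose(counters):
    """Classify tunnel traffic direction as seen from the local ASA."""
    enc = counters.get("pkts encaps")
    dec = counters.get("pkts decaps")
    if enc is None or dec is None:
        return "unknown: encaps/decaps counters not found"
    if enc == 0 and dec > 0:
        # The case in this thread: remote packets arrive and decrypt, but
        # no reply is ever encrypted here.
        return ("inbound-only: check that return traffic is routed to the ASA, "
                "the crypto ACL, NAT exemption, and inside interface rules")
    if enc > 0 and dec == 0:
        return "outbound-only: nothing returns from the peer; check the remote side"
    if enc == 0 and dec == 0:
        return "idle: no traffic has matched the tunnel in either direction"
    return "bidirectional: traffic is flowing both ways"


if __name__ == "__main__":
    print(diagnose(parse_counters(SAMPLE)))
```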