Traffic flowing in only one direction in VPN3030/ASA VPN

diogo · ‎12-03-2009

I have a newly stablished VPN between a ASA 5510 and the VPN3030 concentrator. The session is successfully established, but traffic flows only from the ASA to the 3030 and never on the opposite direction. From the VPN3030 point of view, the Bytes Received counter will increase over time while the Bytes Transmitted count will remain in 0.

Any ideas?

thanks

Diogo

Ricardo Prado Rueda · ‎12-04-2009

Hi,

I can think of two issues that could cause this behavior:

1. The hosts are not routing their responses to the Concentrator. They are receiving the traffic from the ASA end but when they

respond to that traffic they use a default gateway that is not the Concentrator, so this device would never have the traffic to encrypt

and send over to the ASA. You can modify your default gateway's routing to redirect this specific traffic to the Concentrator or

add static routes to the host so they send the traffic directly to the VPN3030.

2. The concentrator has another previously established tunnel whose interesting traffic overlaps with this new tunnel. Since the

the other tunnel was established fist the SA's it generated will be used to encrypt this traffic. Double check all the other IPSEC SA's

and if there is overlapping change the interesting traffic to avoid this situation.

A simple test you can try is do a PING test from the Concentrator to the ASA's inside interface, if it works fine then reason number

1 is most likely the cause of this problem.

Regards,

Rick.