Connectivity issue over VPN tunnel.

forman102
Level 1

Hi,

I have site to site tunnel between Cisco 3000 VPN concentrator and PIX506. I will be moving it to new ASA5510, so the tunnel will be established between ASA and PIX. After initial testing, I found that one box on remote network (time clock lol) is dropping connectivity while tunneling between Pix and ASA (works fine with concentrator). Is all of the traffic allowed thru the VPN tunnel built on ASA? I understand that it should be as long as the tunnel is up and running, correct? (note: the remote clock is using TCP ports 8888 and 8889 to communicate with server)

thanks


7 Replies

Hi,

Normally all IP traffic is permitted through the tunnel (unless there are some filters), all TCP/UDP traffic is permitted through.

The tunnel never goes down when this happens?

Only that specific connection goes down?

Federico.

Yes, this is the only issue I had encountered while testing. The server connects to the clock over the tunnel to collect transactions. It works thru old tunnel, fails with new one... even though I am able to ping/traceroute it thru new tunnel (tunnel stays up and running).

Ok, so through the new tunnel it works but it disconnects? Or it never works?

How often does it disconnect?

Federico.

Sorry for the confusion. It never worked through new tunnel (I mean server cannot communicate with the clock (over TCP port 8888 and 8889), even though tunnel is up and running and all other nodes communicate ok i.e. mail, telnet, web). Everything works through old tunnel (3000 concentrator and PIX), so I wanted to make sure that ports 8888 8889 are not being blocked when traffic goes thru VPN tunnel between ASA and PIX.

If you just setup the tunnel normally, this traffic won't be blocked.

The ASA has a filter that could be applied to the group-policy for a tunnel.

Check the group-policy that is being used to make sure there are no vpn-filters applied.

Can you reach that same server through any other traffic (for example PING) through this new tunnel?

Federico.
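To make the group-policy check above concrete, here is a constructed ASA configuration fragment (added for illustration, not from the thread or from either poster's ASA). It shows the one situation that matches the symptoms described so far: a vpn-filter on the tunnel's group-policy that permits ICMP and a few well-known ports but not TCP 8888/8889, so ping and traceroute work while the clock traffic is silently dropped after decryption. The names PIX_L2L_POLICY and L2L_FILTER and the peer address 203.0.113.10 are placeholders.

```cisco
! Constructed example: why "ping works but TCP 8888/8889 fails" across an
! ASA site-to-site tunnel when a vpn-filter is attached to the group-policy.
!
! --- Problematic: filter permits ICMP, SMTP, telnet, HTTP only ---
access-list L2L_FILTER extended permit icmp any any
access-list L2L_FILTER extended permit tcp any any eq 25
access-list L2L_FILTER extended permit tcp any any eq 23
access-list L2L_FILTER extended permit tcp any any eq 80
! implicit deny at the end: TCP 8888 and 8889 never reach the clock

group-policy PIX_L2L_POLICY internal
group-policy PIX_L2L_POLICY attributes
 vpn-tunnel-protocol ipsec
 vpn-filter value L2L_FILTER

tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy PIX_L2L_POLICY

! --- Fix, option 1: no filter at all, so all IP traffic is permitted.
! "vpn-filter none" also stops the policy from inheriting a filter that
! may be set on DfltGrpPolicy; "no vpn-filter" would fall back to inheriting.
group-policy PIX_L2L_POLICY attributes
 vpn-filter none

! --- Fix, option 2: keep the filter but permit the clock ports explicitly.
access-list L2L_FILTER extended permit tcp any any eq 8888
access-list L2L_FILTER extended permit tcp any any eq 8889

! --- CLI equivalents of the ASDM check: which policy the tunnel uses,
! whether it carries a vpn-filter, and what that ACL permits.
show running-config tunnel-group 203.0.113.10
show running-config group-policy PIX_L2L_POLICY
show access-list L2L_FILTER
```

When checking this on a live box, the hit counters printed by `show access-list` tell you whether the filter is actually matching the clock traffic, and a policy that shows no `vpn-filter` line of its own should also be compared against DfltGrpPolicy, since an inherited filter does not appear under the named policy.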

There's no filter applied. I checked it via ASDM. I'm not using DfltGrpPolicy though. I had created new policy for this tunnel... should I configure it to use L2TP/IPSEC only? or both IPSec and L2TP/IPSec? What will happen if "inherit" option is checked for Tunneling Protocols (ASDM 6.2)?

I can also ping/traceroute all remote devices thru new tunnel.

If there's no filter, again all traffic should be permitted.

You don't need to choose L2TP as the connection is pure IPsec.

If you want, you can post your configurations to check them out (you can remove the sensitive information)

Federico.
