Trouble Pinging Across a SITE TO SITE VPN LINK ASA

Unanswered Question
Jun 22nd, 2010

Hello All,

I am pinging a host across the VPN tunnel. I do a sh crypto isakmp sa on the local ASA and I see that all my traffic is encrypted, but there is no decrypted traffic coming back to the local ASA. I then log in to the remote ASA and see decrypted traffic received from the local ASA, but there is no encrypted traffic going back across the tunnel. Why is that?

Jorge Salas (Cisco Employee), Tue, 06/22/2010 - 22:19

Well, there are many reasons, but let me write a few of them.

1. You do not have a NAT 0 statement in the remote ASA.

2. You have a different route in the remote ASA for the "LOCAL ASA" network.

  - Or also a route beyond the remote ASA not sending the traffic back properly.

3. There is a security rule in the ASA dropping the packets.

  - Like a FW rule or something.

  - Or an ACL on the inside or even the outside interface (maybe sysopt connection permit-vpn is off and you need to explicitly let the traffic in with the ACL).

4. Maybe another tunnel with the same source and destination (also look for incomplete configurations).

5. Maybe you are hitting the bug where the ASA stops encrypting (a reload should alleviate the issue).

Of course, to detect whether you are matching any of these possible scenarios, troubleshooting is necessary.

You can use the packet-tracer command and also a capture of type asp-drop, a sourced ping, debug icmp trace, etc.
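The troubleshooting sequence the answer describes, written out as an added example that is not part of the original thread. The addresses are assumptions: the local ASA fronts 10.1.1.0/24 with outside peer 203.0.113.1, the remote ASA fronts 10.2.2.0/24 with outside peer 198.51.100.1, and the ping goes from 10.1.1.10 to 10.2.2.10. Because the symptom is "decrypts but never encrypts the reply", every command runs on the remote ASA, in the 8.2-era syntax current when the thread was written:

```text
! Added example, not from the original thread. Assumed topology:
!   local ASA : inside 10.1.1.0/24, outside 203.0.113.1
!   remote ASA: inside 10.2.2.0/24, outside 198.51.100.1
! All commands are run on the REMOTE ASA, where the echo reply
! is generated but (per the question) never gets encrypted.

! 1. Confirm the asymmetry on the IPsec SA for the peer:
!    decaps/decrypt count up, encaps/encrypt stay at zero.
show crypto ipsec sa peer 203.0.113.1

! 2. Simulate the echo reply (ICMP type 0, code 0) from the remote
!    host back to the local host. The trace names the phase
!    (NAT, ACL, ROUTE-LOOKUP, VPN) where the packet is dropped.
packet-tracer input inside icmp 10.2.2.10 0 0 10.1.1.10 detailed

! 3. Capture everything the accelerated security path drops while
!    the ping runs; the drop reason identifies the culprit.
capture ASPDROP type asp-drop all
! ... ping from 10.1.1.10 to 10.2.2.10 now ...
show capture ASPDROP
no capture ASPDROP

! 4. Verify the reply really arrives from the inside host and is
!    sent out, not silently swallowed before routing.
debug icmp trace
! ... ping again ...
undebug all

! 5. Check the candidates from the answer, one by one:
!    - is there a NAT 0 (exemption) entry for 10.2.2.0/24 -> 10.1.1.0/24?
show running-config nat
!    - does 10.1.1.0/24 route out of "outside", not to an inside hop?
show route
!    - if permit-vpn is off, the outside ACL must allow the VPN traffic
show running-config sysopt
!    - no second crypto map entry matching the same source/destination
show running-config crypto map

! Correction for the most common cause (item 1 in the answer):
! exempt the tunnel traffic from NAT so the reply keeps its real
! source address and matches the crypto ACL.
access-list NONAT extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

On ASA 8.3 and later the `nat (inside) 0 access-list` form is gone; the equivalent exemption is an identity twice-NAT rule such as `nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static LOCAL-LAN LOCAL-LAN no-proxy-arp route-lookup`, with REMOTE-LAN and LOCAL-LAN being network objects you define for 10.2.2.0/24 and 10.1.1.0/24 (object names assumed here). The `packet-tracer` run is the quickest single check: if its output ends in a drop at the NAT or ACL phase you have found the cause, and if it shows the packet being routed out an interface other than the one holding the crypto map, the routing explanation in item 2 applies.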
