Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
393
Views
0
Helpful
1
Replies

Trouble Pinging Across a SITE TO SITE VPN LINK ASA

Charlie Mayes
Level 1
Level 1

‎06-22-2010 05:01 PM

                          Hello All,

                                      I am pinging a host on the across the VPN tunnel. I do a sh crypto isakmp sa on the Local ASA and I see that all my traffic is encrypted but there is not decrypted traffic come back to the local ASA. I then log in to the remote ASA and see decrypted traffic received from the local ASA but there is not encrypted traffic going back across the tunnel. Why is that?

Labels:
0 Helpful
1 Reply 1

Jorge Salas
Cisco Employee
Cisco Employee

‎06-22-2010 10:19 PM

Well there are many reasons, but let me write a few of them.

1. You do not have a NAT 0 statement in the remote ASA.

2. You have a different route in the remote ASA for the "LOCAL ASA" network.

  - Or also a route beyond the remote ASA not sending the traffic back properly.

3. There is security rule in the ASA dropping the packets

  - Like a FW rule or something.

  - Or an ACL in the inside or even the outside (maybe sysopt connection permit vpn is off and you need to explicitly let the traffic in the ACL )

4. Maybe another tunnel with the same source and destination. (also look for incomplete configurations)

5. Maybe you are hitting the BUG related to the ASA stopping to encrypt (a reload should alleviate the issue)

Of course to detect if you are matching any of this possible scenarios a troubleshooting is necessary.

You can use the packet tracer command and also a capture for the type asp-drop, sourced ping, debug icmp trace, etc...

0 Helpful
Customers Also Viewed These Support Documents