Unable to access internal resources for site-to-site VPN

Answered Question
Aug 23rd, 2010

We have two ASAs. We just set up a site-to-site VPN. For some reason, we are not able to access the internal resources at the Main office from the Remote office. Do you have any suggestions? Thanks.

Yudong Wu Mon, 08/23/2010 - 15:33

It is most likely that there is a routing or NAT 0 issue.

If you capture "show cry ipsec sa" multiple times on both sides, do you see the encry/decry counts incrementing?

Please paste your configuration from both sides if you would like us to check it for you.

Correct Answer
Jitendriya Athavale Tue, 08/24/2010 - 07:39

As Wu suggested, please first confirm that the tunnel is up properly.

"sh cry isa sa" -> will tell you if phase 1 is up

"sh cry ips sa" -> will tell you if phase 2 is up

Now, once they are up, when you ping from site A to site B,

you should see encaps in site A and decaps in site B for traffic from A to B, and vice versa for the return traffic.

Now we need to see where it is failing.

It could be that the packet is reaching the ASA but not getting encrypted, or that the packet is not reaching the ASA at all.

You can run packet tracer to see if it is getting encapsulated, or in other words whether it hits the VPN tunnel.

It could be a NAT issue, and sometimes, if it is a new setup, the ISP could have blocked ESP traffic in one direction or in both directions.

The best way to approach this is to enable "management-access inside" on both firewalls and do a source ping from the ASAs:

ping inside
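The encaps/decaps comparison described in this answer, scripted as an added example (not code from the answer or from Cisco): it takes two snapshots of "show crypto ipsec sa" per ASA, diffs the "#pkts encaps" / "#pkts decaps" counters, and reports which leg of the A-to-B round trip is not moving. The snapshot text is constructed to mimic the ASA counter lines, and the failure labels are my own names, not ASA output.

```python
import re

# Matches the two counter lines an ASA prints per IPsec SA, e.g.
#   "#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15"
#   "#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10"
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Hypothetical labels for where A->B traffic stops; the descriptions
# paraphrase the troubleshooting steps in the answer above.
VERDICTS = {
    "no_encaps_on_a": "A never encapsulates: traffic is not reaching the ASA "
                      "or not matching the tunnel (routing / NAT / crypto ACL on A).",
    "esp_dropped_a_to_b": "A encapsulates but B never decapsulates: ESP is being "
                          "dropped between the sites in the A->B direction.",
    "no_reply_from_b": "B decapsulates but never encapsulates a reply: host, "
                       "routing or NAT problem on the B side.",
    "esp_dropped_b_to_a": "B replies but A never decapsulates: ESP is being "
                          "dropped between the sites in the B->A direction.",
    "tunnel_ok": "Counters increment in both directions: the tunnel forwards "
                 "traffic; look at host firewalls / interface ACLs instead.",
}

def snapshot(encaps: int, decaps: int) -> str:
    """Build constructed 'show crypto ipsec sa' text with the given counters."""
    return (f"    #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"    #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n")

def parse_counters(show_output: str) -> dict:
    """Sum #pkts encaps / #pkts decaps over every SA listed in the output."""
    counts = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(show_output):
        counts[name] += int(value)
    return counts

def delta(before: str, after: str, key: str) -> int:
    return parse_counters(after)[key] - parse_counters(before)[key]

def diagnose(a_before: str, a_after: str, b_before: str, b_after: str) -> str:
    """Return a VERDICTS key for a ping sourced at site A toward site B."""
    if delta(a_before, a_after, "encaps") == 0:
        return "no_encaps_on_a"
    if delta(b_before, b_after, "decaps") == 0:
        return "esp_dropped_a_to_b"
    if delta(b_before, b_after, "encaps") == 0:
        return "no_reply_from_b"
    if delta(a_before, a_after, "decaps") == 0:
        return "esp_dropped_b_to_a"
    return "tunnel_ok"

if __name__ == "__main__":
    # Constructed scenario: A's encaps grew by 5 pings, B never saw them.
    verdict = diagnose(snapshot(10, 10), snapshot(15, 10), snapshot(10, 10), snapshot(10, 10))
    print(verdict, "-", VERDICTS[verdict])
```

Take each pair of snapshots a few seconds apart while the ping is running so the deltas reflect only the test traffic.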
