I have a serious problem debugging a site-to-site VPN tunnel issue and hope to find some help here.
Let me first explain the preconditions:
The tunnel is established between an ASA5505 and an ASA5510. Both devices run the 8.4.1 software. On the ASA5510 site I use a Class B network divided into several Class C networks (172.20.0.0/16 divided into 172.20.10.0/24, 172.20.20.0/24 and so on). The other site is a smaller network with 172.16.1.1/28.
I created the tunnel-specific configuration on both sites and everything works fine: the tunnel comes up and traffic flows.
So far so good, but now the problem:
After adding one more Class C network to the crypto maps, no traffic flow was possible between this Class C network and the other site; the other traffic flows as before. Exchanging this Class C network for another one, everything is fine and traffic flows. If I substitute the Class B network for all the Class C networks in my crypto maps, I am able to pass traffic from the non-working Class C network to the other site.
So only this one specific Class C network won't work properly.
I began to debug this myself but got stuck at this point:
ciscoasa# packet-tracer input inside icmp 172.16.1.3 8 0 172.20.10.1 detailed
… # All other phases passed with "allowed".
Forward Flow based lookup yields rule:
out id=0xcb8e0270, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0xcb3d34f8, reverse, flags=0x0, protocol=0
src ip/id=172.16.1.0, mask=255.255.255.240, port=0
dst ip/id=172.20.10.0, mask=255.255.255.0, port=0, dscp=0x0
Drop-reason: (acl-drop) Flow is denied by configured rule
The other site's output is identical, except that the src and dst are switched.
How can I find the rule that is the reason for the dropped packets? Do you have any other advice for me on debugging this problem?
Please let me know if any more info is needed.
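Added example, not part of the question above and not the poster's configuration: a small Python checker that parses the crypto ACLs referenced by each peer's crypto map entry and reports (a) which ACL line a given packet-tracer flow would match on each side, (b) entries that have no exact mirror (src/dst swapped) on the peer, and (c) entries that are entirely covered by an earlier, broader line in the same ACL. The sample ACL text is constructed: the 172.20.x.0/24 hub subnets and the 172.16.1.0/28 spoke network follow the post, while the ACL names VPN-TO-SITE2 / VPN-TO-HQ, the third subnet 172.20.30.0/24 and the mistyped peer line are assumptions chosen only to show what the checks report.

```python
"""Offline cross-check of the crypto ACLs behind two ASA crypto map entries.

Added example, not the poster's configuration: the ACL text below is
constructed. The 172.20.x.0/24 hub subnets and the 172.16.1.0/28 spoke
network follow the post; the ACL names, the third subnet 172.20.30.0/24 and
the mistyped peer line are assumptions chosen to show what the checks find.
"""
import ipaddress
import re
from dataclasses import dataclass

# ASA syntax handled here (one line per rule):
#   access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
# 'host A.B.C.D' is accepted on either side; remarks and other lines are skipped.
_ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+(?P<dst>host\s+\S+|\S+\s+\S+)\s*$"
)


@dataclass(frozen=True)
class CryptoEntry:
    acl: str
    line: int                     # 1-based position; the ASA matches top-down
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _to_network(token: str) -> ipaddress.IPv4Network:
    """'host A.B.C.D' or 'A.B.C.D M.M.M.M' (dotted mask) -> IPv4Network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.IPv4Network(parts[1] + "/32")
    # strict=False tolerates host bits in the network field (e.g. 172.16.1.1/28)
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_crypto_acl(text: str) -> list:
    """Parse the permit-ip lines of one ACL in order, skipping everything else."""
    entries = []
    for raw in text.splitlines():
        m = _ACL_RE.match(raw.strip())
        if m:
            entries.append(CryptoEntry(m["name"], len(entries) + 1,
                                       _to_network(m["src"]), _to_network(m["dst"])))
    return entries


def matching_entries(entries, src_ip: str, dst_ip: str) -> list:
    """ACL lines a flow matches. Use the src/dst from the packet-tracer command
    to see which line each side's 'domain=encrypt' rule was built from."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return [e for e in entries if s in e.src and d in e.dst]


def unmirrored(local, remote) -> list:
    """Local entries with no exact mirror (src/dst swapped) in the peer's ACL.
    Both peers must describe the same protected networks; an entry with no
    mirror is the first suspect when one subnet is dropped and the rest pass."""
    remote_pairs = {(e.dst, e.src) for e in remote}
    return [e for e in local if (e.src, e.dst) not in remote_pairs]


def covered_by_earlier(entries) -> list:
    """(earlier, later) pairs where a later line is entirely inside an earlier
    one of the same ACL, so the broader earlier line is what the flow hits."""
    found = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            if (earlier.acl == later.acl and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                found.append((earlier, later))
                break
    return found


# Constructed sample: hub (ASA5510 side) and spoke (ASA5505 side) crypto ACLs.
# The spoke's third line is deliberately mistyped (172.20.3.0 instead of
# 172.20.30.0) to show how an unmirrored entry shows up in the report.
HUB_ACL = """
access-list VPN-TO-SITE2 remark protected networks towards the small site
access-list VPN-TO-SITE2 extended permit ip 172.20.10.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list VPN-TO-SITE2 extended permit ip 172.20.20.0 255.255.255.0 172.16.1.0 255.255.255.240
access-list VPN-TO-SITE2 extended permit ip 172.20.30.0 255.255.255.0 172.16.1.0 255.255.255.240
"""
SPOKE_ACL = """
access-list VPN-TO-HQ extended permit ip 172.16.1.0 255.255.255.240 172.20.10.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 172.16.1.0 255.255.255.240 172.20.20.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 172.16.1.0 255.255.255.240 172.20.3.0 255.255.255.0
"""

if __name__ == "__main__":
    hub, spoke = parse_crypto_acl(HUB_ACL), parse_crypto_acl(SPOKE_ACL)
    for side, mine, theirs in (("hub", hub, spoke), ("spoke", spoke, hub)):
        for e in unmirrored(mine, theirs):
            print(f"{side}: {e.acl} line {e.line} {e.src} -> {e.dst} has no mirror on the peer")
    for a, b in covered_by_earlier(hub) + covered_by_earlier(spoke):
        print(f"{b.acl} line {b.line} is already covered by line {a.line}")
    # Same flow as the packet-tracer in the post, seen from the spoke side:
    print([e.line for e in matching_entries(spoke, "172.16.1.3", "172.20.10.1")])
```

Paste the `access-list` lines from `show running-config access-list` of each ASA into HUB_ACL and SPOKE_ACL and run the script; an entry reported as unmirrored, or a flow that matches a line on one side and nothing on the other, points at the crypto ACL line to fix. On the box itself, `show asp table classify domain encrypt` lists the encrypt-domain rules by the same `id=` value that packet-tracer prints, which is how to map the rule in the trace back to the ACL line it was built from.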