Site to Site ASA VPN, 1 subnet only working 1 way

Unanswered Question
Nov 24th, 2011

Hi

I have a 5505 connected to a 5510 via a site-to-site VPN. The VPN has 5 subnets on the ACL list at both ends, but 2 of the subnets are assigned for remote access on the main 5510, which means the flow of traffic on these 2 subnets is main to remote, but the VPN only works if the traffic starts from remote to main.

Both sides are set to bidirectional, and I'm not sure if this is the case for all 5 subnets, as the remote site always sends data to the other 3 subnets first.

Any ideas?

Thanks

Kev

ktwaddell Thu, 11/24/2011 - 08:56

Hi

Yes it is, the subnets are a part of the same NAT ACL at both ends.

At home now, so I would have to post the config tomorrow morning if no one knows what it is by then.

Just to confirm the VPN comes up fine, but traffic only flows both ways once the remote end starts it off.

Thanks

Kev

mopaul Fri, 11/25/2011 - 04:25

Seems like you have overlapping subnets on the main site (ASA5510), which might have more than one tunnel terminating on it. I will review the config from the ASA5505 and ASA 5510 once you post them.
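As an added example, not code from this thread or from anyone in it, here is a small Python script that performs the check mopaul and ktwaddell are discussing: it parses the crypto (or NAT-exemption) ACL from both ends, confirms that every entry on one side has an exact mirror on the other, and flags entries whose networks overlap, since with overlapping entries the first-matching entry, not the most specific one, decides which proxy identities the ASA proposes, so the result can differ depending on which side starts the tunnel. The ACL names, addresses and masks below are constructed sample data, not taken from the devices in this thread.

```python
import ipaddress
import re

# Constructed sample configs (assumptions, not the thread's real devices):
# the main site has five crypto-ACL entries, the remote site mirrors only four
# of them and adds a broader /16 that overlaps one of the /24s.
MAIN_ACL = """\
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.2.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.1.3.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.50.0 255.255.255.0 10.9.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 192.168.60.0 255.255.255.0 10.9.1.0 255.255.255.0
"""
REMOTE_ACL = """\
access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 10.1.3.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 192.168.0.0 255.255.0.0
"""

# Matches the "extended permit ip <src> <mask> <dst> <mask>" form used for
# crypto and NAT-exemption ACLs on the ASA.
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)$"
)


def parse_acl(text, acl_name):
    """Return the set of (source_net, destination_net) pairs in one named ACL."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group("name") != acl_name:
            continue
        src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
        dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
        pairs.add((src, dst))
    return pairs


def fmt(pair):
    return f"{pair[0]} -> {pair[1]}"


def overlapping_entries(pairs):
    """Distinct entries whose sources overlap and whose destinations overlap."""
    entries = sorted(pairs)
    found = []
    for i, (s1, d1) in enumerate(entries):
        for s2, d2 in entries[i + 1:]:
            if s1.overlaps(s2) and d1.overlaps(d2):
                found.append((fmt((s1, d1)), fmt((s2, d2))))
    return found


def check_mirror(main_text, remote_text, acl_name):
    """Report entries with no exact mirror on the far end, plus overlaps."""
    main = parse_acl(main_text, acl_name)
    remote = parse_acl(remote_text, acl_name)
    mirrored_remote = {(d, s) for s, d in remote}   # remote entries, seen from main
    mirrored_main = {(d, s) for s, d in main}       # main entries, seen from remote
    return {
        "main_only": sorted(fmt(p) for p in main - mirrored_remote),
        "remote_only": sorted(fmt(p) for p in remote - mirrored_main),
        "main_overlaps": overlapping_entries(main),
        "remote_overlaps": overlapping_entries(remote),
    }


if __name__ == "__main__":
    for key, value in check_mirror(MAIN_ACL, REMOTE_ACL, "outside_cryptomap").items():
        print(f"{key}: {value}")
```

Run it against the real ACLs by replacing the two sample strings with the access-list lines copied from each ASA (the same check applies to the NAT-exemption ACL, which also has to mirror the crypto ACL on each side). Anything listed under main_only or remote_only is a subnet pair that one side will propose and the other will reject, which shows up exactly as a tunnel that only comes up for that pair when the "right" side initiates.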

ktwaddell Fri, 11/25/2011 - 04:53

How do I attach the config? I have buttons for URL, image and video, but no file/document icon.

mopaul Fri, 11/25/2011 - 05:29

Yeah, even I don't see it here... pardon me, I am back on the forums after more than a year and yet to familiarise myself with this makeover.

See if you can paste the configuration here... I am looking for IP/interfaces, VPN, and NAT... the rest of the configuration can be removed...

ktwaddell Wed, 12/07/2011 - 23:41

Hi

Sorry, I was waiting for a change window to remove the overlapping subnets I had on the VPN; however, this hasn't sorted it.

Well, I found out how to attach a text file: just edit the post and it lets you do it!!!

Reminder

VPN is up, but can't access the remote site subnet until the remote makes a connection first.

main site config

thanks

kev

mudjain Fri, 11/25/2011 - 10:18

Please check if the remote site is behind a NATing device; if so, is there port forwarding for UDP 500 and 4500 configured or not? If not, please do that and life should be good.

Static 1-to-1 NAT with the public peering IP is obviously good.

Make sure NAT traversal is enabled on either end.

Please post the output of show crypto IPSEC sa when the tunnel is established from the site where you cannot establish the tunnel from, and show vpn-sessiondb detail L2L filter ip .

Also, please mention if there is another firewall in between the tunnel-initiating site and the ISP.
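As an added example, not from this thread or any of its posters, the following Python helper reads the show crypto ipsec sa output that mudjain asks for and flags security associations whose counters show traffic in only one direction. The sample output is constructed in the shape of ASA output; the interface, map name, peer addresses, subnets and packet counts are assumptions, not values captured from the devices in the thread.

```python
import re

# Constructed sample in the shape of ASA "show crypto ipsec sa" output
# (an assumption; not captured from the thread's devices). The first SA
# carries traffic both ways; the second only ever encapsulates, i.e. nothing
# comes back through it.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 10.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 4821, #pkts encrypt: 4821, #pkts digest: 4821
      #pkts decaps: 4790, #pkts decrypt: 4790, #pkts verify: 4790

    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.9.1.0 255.255.255.0 192.168.60.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.60.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 312, #pkts encrypt: 312, #pkts digest: 312
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Split the output into one record per SA; each SA starts at 'local ident'."""
    sas = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LOCAL_RE.search(line)
        if m:
            current = {"local": f"{m.group(1)}/{m.group(2)}", "remote": None,
                       "peer": None, "encaps": 0, "decaps": 0}
            sas.append(current)
            continue
        if current is None:
            continue
        m = REMOTE_RE.search(line)
        if m:
            current["remote"] = f"{m.group(1)}/{m.group(2)}"
            continue
        m = PEER_RE.search(line)
        if m:
            current["peer"] = m.group(1)
            continue
        m = ENCAPS_RE.search(line)
        if m:
            current["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            current["decaps"] = int(m.group(1))
    return sas


def one_way_sas(sas):
    """SAs where packets leave but none come back, or the reverse.

    Seen from the side that initiated, encaps > 0 with decaps == 0 means the
    far end never sends into this SA: its return traffic is not being
    selected into the tunnel (crypto/NAT ACL mismatch) or is dropped en route
    (e.g. ESP or UDP 4500 blocked at an intermediate NAT device or firewall).
    """
    return [sa for sa in sas if (sa["encaps"] > 0) != (sa["decaps"] > 0)]


if __name__ == "__main__":
    for sa in one_way_sas(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(f"one-way SA {sa['local']} <-> {sa['remote']} via {sa['peer']}: "
              f"encaps={sa['encaps']} decaps={sa['decaps']}")
```

Paste the real command output in place of SAMPLE_OUTPUT and take the listing from both ASAs: an SA that encapsulates on the main site but never decapsulates, while the remote side shows neither counter moving for the same pair, points at the remote end not selecting that traffic into the tunnel; if the remote side does show encaps for it, the return packets are being lost between the two peers instead.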
