VPN Issues

Unanswered Question
Mar 22nd, 2012

  • I have set up a VPN through my ASA for my branch routers. The branch routers are on ADSL links; they initiate the connection and are able to connect to HO. On my ASA I have created a dynamic map which accepts connections dynamically. The problem is I can't initiate a connection from the ASA to a branch router, and also, when the branch routers are connected to HO and the tunnel is up, I am not able to telnet or ping the remote branch routers?
  • I also face this issue with site-to-site VPN.

Below is the packet tracer output for a ping:

Phase: 1
Subtype: input
Result: ALLOW
Additional Information:
in         outside

Phase: 2
Result: ALLOW
Additional Information:

Phase: 3
Subtype: np-inspect
Result: ALLOW
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 4
Subtype: np-inspect
Result: ALLOW
Additional Information:

Phase: 5
Type: NAT
Result: ALLOW
nat (inside,outside) source static obj- obj- destination static ABC-subnet ABC-subnet no-proxy-arp route-lookup
Additional Information:
Static translate to

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Additional Information:

input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I don't understand why the result is a drop due to an ACL; I have kept it open from HO to Branch on specific subnets, and this packet tracer is from the subnet which is permitted everything to the remote branch.


Jouni Forss Fri, 03/23/2012 - 00:37


I guess the routers are acting as remote VPN clients in this setup?

To my understanding only the routers can initiate the VPN connection, but as you said, you are facing other problems too.

I've personally configured some EzVPN clients on 800 and 1800 series routers and some 5505 ASAs as hardware VPN clients. But I haven't had problems with the traffic after the initial setup.

What does the "show crypto ipsec sa" command show on the ASA when the VPN connection is up?

Does the VPN configuration have any kind of "split-tunneling" configured that might cause the problems with the connections?

It would be helpful in these kinds of cases if you could attach the configurations from each end. For me at least this is just guessing at the moment.

- Jouni

jack samuel Fri, 03/23/2012 - 01:07

  • Can we initiate a connection from HO to a branch if the HO ASA is configured for dynamic connections?
  • Can you tell me what No. 6 in the packet tracer is saying? I guess it is encrypting traffic, but why is it dropping the packet?


prashantrecon Fri, 03/23/2012 - 01:23

Hi Jouniforss,

I am facing the same problem.

When I execute show crypto isakmp sa, Phase 1 is up.

But when I execute show crypto ipsec sa, it does not show anything.

The far end is an 1800 router and ours is a firewall.

As checked, the access-lists and transform sets on both sides are matching.

Jouni Forss Fri, 03/23/2012 - 02:16



From what I understand, you can only establish the VPN connection from the ASA's side when it's a L2L VPN. With EzVPN and hardware VPN clients, the client device is usually configured to automatically connect to the central VPN device when it has an internet connection. Though there is an option to manually give the username/password during connecting on the CLI (at least with routers).

About the VPN phase:

I've only configured L2L VPN recently, and in those cases the error message has usually been related to the fact that the VPN connection isn't establishing for the connection you are testing. That usually means the VPN settings don't match. Then again, you are using the routers as VPN clients, so I'd guess the error is related to the fact that the ASA can't initiate the connection to the client. The client has to initiate the VPN connection first to give access to the remote networks.

Sorry, this is mostly me guessing. I don't really have a solid understanding of these types of VPN.

jack samuel Thu, 03/29/2012 - 15:16

When interesting traffic from my branch routers initiates a connection to HO, only then are the interesting-traffic subnets from HO able to initiate a connection.

For example:

Interesting traffic in HO &

Interesting traffic in Branch

Suppose a PC in initiates a connection to ; then only any other PC in can initiate a connection to the branch in .

If a PC in wants to initiate a connection to another subnet of the branch, suppose , the PC gets a request timeout, BUT if any PC in initiates a connection to , then PCs from subnet are also able to reach .

Is this normal behaviour for an IPsec VPN with one side static and the other side dynamic?
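The behaviour described in this post, together with Jouni's point that a hub with a dynamic crypto map can only respond and never initiate, can be modelled as a per-crypto-ACL-entry check: the hub may only use an IPsec SA that the branch has already negotiated for that exact proxy-identity pair. The Python model below is an added example, not Cisco code or anything posted in this thread; the subnets, the peer name and the simplification that each crypto ACL entry corresponds to one SA pair are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass(frozen=True)
class Proxy:
    """One hub-side crypto ACL entry: local (HO) subnet <-> remote (branch) subnet.
    Assumption for this model: each entry negotiates its own IPsec SA pair."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

@dataclass
class DynamicPeer:
    """A branch behind a dynamic address. The hub (dynamic crypto map) is responder
    only: it can use an SA the branch negotiated but never brings one up itself."""
    name: str
    crypto_acl: List[Proxy]
    active_sas: Set[Proxy] = field(default_factory=set)

    def _match(self, ho_ip: str, branch_ip: str) -> Optional[Proxy]:
        ho, br = ipaddress.ip_address(ho_ip), ipaddress.ip_address(branch_ip)
        return next((p for p in self.crypto_acl if ho in p.local and br in p.remote), None)

    def branch_initiates(self, src: str, dst: str) -> Optional[Proxy]:
        """Interesting traffic from the branch: the matching entry's SA pair comes up."""
        proxy = self._match(ho_ip=dst, branch_ip=src)
        if proxy is not None:
            self.active_sas.add(proxy)
        return proxy

    def hub_sends(self, src: str, dst: str) -> str:
        """What the VPN 'encrypt' phase of packet-tracer would report for HO -> branch."""
        proxy = self._match(ho_ip=src, branch_ip=dst)
        if proxy is None:
            return "NOT INTERESTING"  # handled by normal routing, not the tunnel
        if proxy in self.active_sas:
            return "ALLOW"  # SA exists for this proxy pair, packet is encrypted
        # no SA for this entry yet, and a dynamic-map hub cannot start the negotiation
        return "DROP (acl-drop)"

def constructed_scenario() -> DynamicPeer:
    """Constructed sample, not from the thread: two HO subnets, one branch subnet."""
    branch = ipaddress.ip_network("192.168.10.0/24")
    return DynamicPeer("branch-1", [
        Proxy(ipaddress.ip_network("10.1.1.0/24"), branch),
        Proxy(ipaddress.ip_network("10.1.2.0/24"), branch),
    ])
```

Calling `hub_sends("10.1.1.5", "192.168.10.7")` on a fresh scenario gives "DROP (acl-drop)"; after `branch_initiates("192.168.10.7", "10.1.1.5")` any host in 10.1.1.0/24 gets "ALLOW", while 10.1.2.0/24 still drops until the branch sends traffic matching that second entry.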
