I have a customer that has a L2L VPN between their sites established with two ASAs. From time to time they complain about the VPN going down, but I see no logs indicating this on the firewall, and the tunnel is always up and working fine when I log in. I would like to set up an IP SLA on each ASA to monitor the other ASA through the VPN. Is this possible? Currently when I try, I can't ping from the local ASA through the tunnel even though I'm sourcing from an interface that is inside of the crypto map statement. I just get the below; thoughts? I added an ACL on inside1-db to allow all traffic (IP) from host 10.23.139.229 to 10.20.159.229, but I still get the same results in packet tracer. What am I missing, or is this just not possible? Obviously hosts on these networks can communicate with one another just fine across the VPN (example: 10.23.139.18 can talk to 10.20.159.10 no problem).
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a66bf80, priority=1, domain=permit, deny=false
hits=880163930, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside1-db, output_ifc=any

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside1-db,outside-acl) source static obj-10.23.139.0 obj-10.23.139.0 destination static ng-vpn_nat_exempt ng-vpn_nat_exempt no-proxy-arp
Additional Information:
NAT divert to egress interface outside-acl
Untranslate 10.20.159.229/0 to 10.20.159.229/0

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff29401dd0, priority=500, domain=permit, deny=true
hits=5, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.23.139.229, mask=255.255.255.255, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0,, dscp=0x0
input_ifc=inside1-db, output_ifc=any

Result:
input-interface: inside1-db
input-status: up
input-line-status: up
output-interface: outside-acl
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
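As an added example (not part of the original post), this is the ASA configuration a practitioner would use for what the question asks: an `sla monitor` ICMP echo probe sourced from inside1-db toward the remote inside address 10.20.159.229 that appears in the packet-tracer output, tied to a `track` object so the tunnel state is visible in `show track` and changes are logged. The interface name and the two addresses are taken from the post; the SLA and track IDs, the timers, and the remote ASA's interface name are assumptions. One caveat on reading the trace above: packet-tracer simulates transit traffic, not packets the ASA itself originates, and a trace whose source is one of the ASA's own interface addresses lands on the built-in deny for that address (the priority=500, deny=true rule scoped to 10.23.139.229/32 in Phase 3), so that drop does not show whether an SLA probe sourced from the same interface will enter the tunnel; the operational-state commands at the end do.

```cisco
! Added example: monitor the peer ASA across the L2L tunnel with IP SLA.
! Addresses and interface name come from the packet-tracer output above;
! SLA id 10, track id 1, timers and the remote interface name are assumed.

! ---- Local ASA (10.23.139.229 side) ----
! Source the echoes from inside1-db so they carry 10.23.139.229 as the source:
! that address is inside obj-10.23.139.0, so the existing NAT exemption and the
! crypto ACL for the tunnel match it. Interface ACLs do not apply to traffic the
! ASA originates, so no extra ACE on inside1-db is needed for the probe itself.
sla monitor 10
 type echo protocol ipIcmpEcho 10.20.159.229 interface inside1-db
 num-packets 3
 frequency 10
 timeout 2000
sla monitor schedule 10 life forever start-time now
!
! Reachability object that follows the probe; its up/down transitions are
! what to look for when the customer reports the tunnel dropping.
track 1 rtr 10 reachability

! ---- Remote ASA (10.20.159.229 side) ----
! Echoes arrive on its outside interface but are addressed to the inside
! interface IP; the ASA only answers those through the tunnel when that
! interface is designated for management access. "inside" is assumed here.
management-access inside
! Configure the mirror-image sla monitor / track on this ASA as well, sourced
! from its inside interface toward 10.23.139.229.

! ---- Verification (either ASA) ----
! show sla monitor configuration 10
! show sla monitor operational-state 10   ! Latest operation return code: OK / Timeout
! show track 1                            ! Reachability is Up / Down, with last change time
```

Once the track object exists, its state changes are recorded in the syslog, which gives the missing evidence for the intermittent complaints: a `show track 1` that has flapped, with timestamps, is the artifact to correlate against the customer's reports, whereas the tunnel looking fine at the moment of login says nothing about the minutes before.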