TCP Not Working over LAN 2 LAN Tunnel

Answered Question
Jul 15th, 2006

I have an L2L tunnel established between a PIX and a 3020. Everything is working but TCP. I did a lot of tinkering on the 3000 running 4.7 and could have inadvertently caused this, perhaps? The ACLs and debugs on the PIX/router side are showing TCP is passing on that end.

Correct Answer
hemendoz (Cisco Employee) Sat, 07/15/2006 - 19:28

Hello 9s.pappas,


Can you post your acl? If I recall, there is no concept of protocol on the VPN3K. That is, when you define your "crypto acl" you use only network lists. I would change the acl on the pix to reference ip.


Also, any chance you could run a sniffer on a host on the VPN3K side, and send TCP traffic from the router side to see if you see a SYN packet on the remote host? That may yield more clues.


Hope this helps! If so, please rate.


Thanks
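
Added example (not part of the original thread and not any poster's code): a small Python check built on the suggestion above that the PIX crypto ACL should reference ip. It finds the ACLs bound to a crypto map with `match address` and reports entries that name any other protocol; the sample configuration, ACL names and addresses are constructed.

```python
import re

# Constructed sample PIX configuration (names and addresses are made up).
SAMPLE_CONFIG = """\
access-list l2l_vpn permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list l2l_vpn permit ip 10.1.1.0 255.255.255.0 10.3.3.0 255.255.255.0
access-list outside_in permit tcp any host 192.0.2.10 eq 443
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address l2l_vpn
crypto map vpnmap 10 set peer 198.51.100.1
"""

# access-list <name> [extended] permit|deny <protocol> <rest>
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
# crypto map <map> <seq> match address <acl>
MATCH_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")

def audit_crypto_acls(config):
    """Return (crypto_map, acl, protocol, line) for each crypto ACL entry not using 'ip'."""
    acl_entries = {}   # ACL name -> [(protocol, raw line), ...]
    crypto_acls = {}   # ACL name -> "mapname seq" that references it
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acl_entries.setdefault(m.group(1), []).append((m.group(3).lower(), line))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acls[m.group(3)] = f"{m.group(1)} {m.group(2)}"
    findings = []
    # Only ACLs used as crypto ACLs matter; interface ACLs may filter by protocol.
    for acl, cmap in crypto_acls.items():
        for proto, line in acl_entries.get(acl, []):
            if proto != "ip":
                findings.append((cmap, acl, proto, line))
    return findings

if __name__ == "__main__":
    for cmap, acl, proto, line in audit_crypto_acls(SAMPLE_CONFIG):
        print(f"crypto map {cmap}: ACL {acl} selects '{proto}', expected 'ip' -> {line}")
```
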


9s.pappas Sun, 07/16/2006 - 11:42

I'll check this out with my partner on the other end and see what he says about his ACL. I think this confirms for me that the VPN3K really only forwards packets and doesn't do much in the way of filtering at the protocol level. I'm pretty sure once we get the ACLs on his PIX and router straightened out, we'll be working. I'll follow up once I know. I appreciate your response.

9s.pappas Mon, 07/17/2006 - 07:40

It ended up being a checkpoint problem on my end. I cleared it up and things were working when I pushed a new rule. Thanks for the confirmation that the VPN3K doesn't do protocol filtering; it helped me eliminate the VPN3K.
