08-09-2012 11:59 AM - edited 03-11-2019 04:40 PM
Getting this log event. This device worked fine using a point-to-point T1. Ever since we moved to an IPSEC tunnel, this device cannot communicate. Any help is greatly appreciated.
08-09-2012 01:33 PM
Aug 09 2012 20:22:34: %ASA-7-106100: access-list INSIDE-OUTBOUND permitted tcp inside/10.115.0.176(3001) -> outside/172.29.150.11(49814) hit-cnt 1 first hit [0xa58ce2e1, 0x0]
Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host inside:10.115.0.176
Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host outside:172.29.150.11
Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/49814 flags SYN ACK on interface inside
Aug 09 2012 20:22:34: %ASA-7-609002: Teardown local-host inside:10.115.0.176 duration 0:00:00
Aug 09 2012 20:22:34: %ASA-7-609002: Teardown local-host outside:172.29.150.11 duration 0:00:00
Aug 09 2012 20:22:34: %ASA-7-106100: access-list INSIDE-OUTBOUND permitted tcp inside/10.115.0.175(3001) -> outside/172.29.150.11(49813) hit-cnt 1 first hit [0xa58ce2e1, 0x0]
Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host inside:10.115.0.175
Aug 09 2012 20:22:34: %ASA-7-609001: Built local-host outside:172.29.150.11
Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.175/3001 to 172.29.150.11/49813 flags SYN ACK on interface inside
08-09-2012 06:17 PM
Hello Matthew,
Please configure the following:
access-list test permit tcp 10.115.0.0 255.255.255.0 172.29.150.0 255.255.255.0
class-map test
 match access-list test
policy-map global_policy
 class test
  set connection advanced-options tcp-state-bypass
Then give it a try!
Regards,
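A triage sketch for the log lines quoted above, added here as an example and not part of the original posts: it pulls the %ASA-6-106015 denies whose flags are SYN ACK (a SYN ACK arriving for a connection the ASA holds no state for) and checks which of them fall inside the source and destination networks of the "test" access-list from the reply, so the state-bypass scope can be compared against the flows actually affected. The function names are hypothetical, and the last two sample lines are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Sample input: first two lines are in the form quoted in the thread,
# the last two are constructed (an out-of-scope source and a non-SYN-ACK deny).
SAMPLE = """\
Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/49814 flags SYN ACK on interface inside
Aug 09 2012 20:22:34: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.175/3001 to 172.29.150.11/49813 flags SYN ACK on interface inside
Aug 09 2012 20:22:35: %ASA-6-106015: Deny TCP (no connection) from 10.116.0.9/3001 to 172.29.150.11/49900 flags SYN ACK on interface inside
Aug 09 2012 20:22:36: %ASA-6-106015: Deny TCP (no connection) from 10.115.0.176/3001 to 172.29.150.11/49814 flags RST on interface inside
"""

DENY = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<ifc>\S+)"
)

# Scope of the bypass access-list from the reply (source net, destination net).
BYPASS_SRC = ip_network("10.115.0.0/24")
BYPASS_DST = ip_network("172.29.150.0/24")

def parse_denies(text):
    """Return one dict per 106015 line found in text."""
    return [m.groupdict() for m in map(DENY.search, text.splitlines()) if m]

def synack_denies(events):
    """Keep denies whose flags are exactly SYN ACK (reply to a SYN the ASA never tracked)."""
    return [e for e in events if e["flags"].split() == ["SYN", "ACK"]]

def split_by_scope(events):
    """Split events into (covered, not_covered) by the bypass ACL's networks."""
    covered, missed = [], []
    for e in events:
        hit = ip_address(e["src"]) in BYPASS_SRC and ip_address(e["dst"]) in BYPASS_DST
        (covered if hit else missed).append(e)
    return covered, missed

if __name__ == "__main__":
    covered, missed = split_by_scope(synack_denies(parse_denies(SAMPLE)))
    for e in covered:
        print("covered by bypass ACL:", e["src"], "->", e["dst"])
    for e in missed:
        print("NOT covered, check routing/ACL scope:", e["src"], "->", e["dst"])
```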
08-13-2012 01:59 PM
Thanks for that.
What about this one?
Aug 13 2012 20:52:49: %ASA-6-110003: Routing failed to locate next hop for udp from NP Identity Ifc:10.115.0.196/65535 to inside:10.5.0.10/31488.
08-13-2012 02:46 PM
Hello Matthew,
That is a routing problem.
Does the ASA know how to get to those subnets?
Regards,
Julio
08-15-2012 07:02 AM
Hello Julio,
We only have
route outside 0.0.0.0 0.0.0.0 X.X.X.X 1
for those networks on the other side. Should we put those routes in specifically, even though we are also using a GRE tunnel for EIGRP?