I am required to setup a L2L vpn tunnel on our ASA firewall to a 3rd Party that we need to access for administration (they won’t setup a remote access one), this needs to be accessible by engineers in the field so I have setup a remote access VPN for our engineers to connect to our firewall these then have access (hairpinning) over the L2L VPN to the 3rd Party.
The firewalls are ASA’s at both ends (I’ve no access to the 3rd parties ASA) ours is running 9.1(4).
The L2L VPN is for accessing PBX equipment, so although the L2L tunnel is bi-directional it is only ever initiated from our end.
The engineers remote access VPN’s connect without problem.
However there is a strange issue with the L2L VPN which I can’t find the cause of.
The first time the L2L VPN is accessed (after an ASA reboot or it’s left for a day or so) all is well, (a remote access VPN user tries to connect to the PBX equipment, it brings the L2L tunnel up and they can access the remote equipment no problem).
However when the remote access user disconnects and the L2L tunnel is left unused it drops after approx 30 mins, if a user then tries to connect again soon after it won’t bring the L2L tunnel up.
(I thought it might be a bug but I’ve tried it on 8.4(2), 8.4(4) and 9.1(4) and the issue is the same on all versions).
A debug of what happens when a remote access VPN user tries to bring the L2L VPN up and it fails is below……
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...