Cisco Support Community
New Member

VPN-tunnel working only one way

I have a strange problem when setting up an IPsec tunnel between my ASA 5520 and a remote peer. The tunnel comes up fine and when I am initiating traffic from my side everything is working fine; I can log into SAP and work in the system. But if I try to initiate traffic from the remote site, i.e. send a print from the remote system to a printer on my local site, that does not work. The tunnel is already up and running, but it seems the remote peer tries to start a new tunnel. I really need help on this; the included attachment shows some of the debug output from my ASA when the remote system initiates some traffic.

After a while the ASA logs something like "All SA are unacceptable".

I have been running the same config against the same peer for years without problems, but I cannot get it to work on the ASA.

I think that the fact that the tunnel comes up and that I can reach the remote system shows that the transform-sets, PFS values and other parameters are correct?

Any tips?

Cisco Employee

Re: VPN-tunnel working only one way

Double check the crypto map match address statements (crypto ACLs). Make sure that there are no overlaps with other peers' crypto ACLs, that you're not landing on the dynamic map entry in one direction, and also make sure for your peer that on both sides of the tunnel they have the exact same crypto ACL mirrored (pay special attention to the subnet masks that you have defined as well).
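One way to run the mirrored-ACL and overlap check the reply describes, as an added Python example that is not from the thread: the ACL names, lines and subnets are constructed, and only plain address/mask entries (no host/any keywords) are parsed.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample ACLs (not from the thread). The ASA uses netmasks; the
# remote peer is IOS style with wildcards. The second ASA entry has a /16
# where the peer has a /24: one direction can still match, the other cannot.
ASA_ACL = """
access-list L2L_REMOTE extended permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list L2L_REMOTE extended permit ip 10.2.0.0 255.255.0.0 192.168.20.0 255.255.255.0
"""
PEER_ACL = """
access-list 110 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit ip 192.168.20.0 0.0.0.255 10.2.0.0 0.0.0.255
"""
# A second peer's crypto ACL on the same ASA that overlaps the first (constructed).
OTHER_ACL = "access-list L2L_OTHER extended permit ip 10.1.0.0 255.255.0.0 192.168.0.0 255.255.0.0"

ENTRY = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def to_network(addr, mask, wildcard):
    """Network from an address/mask pair; wildcard (inverse) masks are inverted first."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text, wildcard=False):
    """Set of (src, dst) networks per 'permit ip' line (host/any keywords not handled)."""
    return {(to_network(s, sm, wildcard), to_network(d, dm, wildcard))
            for s, sm, d, dm in ENTRY.findall(text)}

def mirror_mismatches(local, remote):
    """Entries on either side lacking an exact (dst, src) mirror on the other side."""
    mirrored = {(d, s) for s, d in remote}
    return sorted((local - mirrored) | (mirrored - local), key=str)

def overlapping_entries(*acls):
    """Entry pairs from different peers' ACLs that overlap in both src and dst."""
    return [(x, y) for a, b in combinations(acls, 2) for x in a for y in b
            if x[0].overlaps(y[0]) and x[1].overlaps(y[1])]

if __name__ == "__main__":
    asa, peer = parse_acl(ASA_ACL), parse_acl(PEER_ACL, wildcard=True)
    print("not mirrored:", mirror_mismatches(asa, peer))
    print("overlaps with other peer:", overlapping_entries(asa, parse_acl(OTHER_ACL)))
```

An empty mismatch list means every entry has an exact mirror on the far side; any overlap hit points at traffic that could land on another peer's map entry.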
