Weird One Way VPN tunnel issue

IT Dept (Level 1)

Site A ASA5550 with vlan1, vlan2, and vlan3 <~~ Headquarters

Site B ASA5510 with vlan1

Site C ASA5505 with vlan1

Site A is the HQ and we have Site-to-Site VPN set up for all sites with IPsec IKEv1.

Site A <--> Site B

Site A <--> Site C

The problem is on Site A HQ to Site B. For some reason the VPN tunnel only establishes in one direction, Site B to Site A, but not Site A to Site B. When I log out the Site-to-Site VPN for Site A <-> Site B, there is no way for Site A to ping or connect to any server at Site B unless Site B pings or establishes a connection to Site A first; then Site A can ping or connect to Site B afterwards. The workaround right now is that I need to ask someone from Site B to ping Site A vlan1, vlan2, and vlan3 so that I can connect from Site A to Site B. All ASAs are on the latest 8.4(3) version.

Site A <~> Site C works perfectly fine without any problem!! When I log out the Site-to-Site VPN for Site A <~> Site C, the VPN tunnel is established right away from either Site A to Site C or Site C to Site A.

Any suggestions on what I should look for before posting any configurations?

Thank you in advance. =)

28 Replies

Hello,

Yes, the NAT is properly configured. Can you check the show run route?

There's got to be a route for DM_INLINE_NETWORK_10 going to the outside (it may be a route outside 0.0.0.0 0.0.0.0).

Can you confirm that?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

Site A ASA show run route

route inside inside-network 255.255.252.0 10.255.255.254 1

route inside x.x.x.x (VLAN 1 IP) 255.255.0.0 10.255.255.254 1

route inside x.x.x.x (VLAN 2 IP) 255.255.0.0 10.255.255.254 1

route inside x.x.x.x (VLAN 3 IP) 255.255.0.0 10.255.255.254 1

route outside Site B-network 255.255.0.0 x.x.x.x 1 (Site A Host)

route outside Site C-network 255.255.0.0 x.x.x.x 1 (Site A Host)

That's the thing I don't understand.. Site C network has similar settings as Site B on the Site A ASA and it is working fine... =(

Thanks!

Hello,

Yes, I understand what you mean. Can you check the transform-set used on the Site A with the Site B transform set?

Regards,

Julio


Julio,

What command do you want me to type in to check on the transform set?

That's the thing.. I don't think the problem is in the site-to-site VPN settings because the tunnel works fine as long as Site B establishes the connection first by pinging/connecting to anything at Site A. Site B and Site C are using the same Site-to-Site VPN Group Policy on the Site A ASA.

Thanks!

Hello IT,

Correct, but the thing is that the packet tracer shows everything is working fine on this site (A). So my next question would be:

Is site B receiving the traffic?

For that you can do a capture from one host on site A to one host on site B:

access-list test permit ip host host_A_ip host host_b_ip

access-list test permit ip host host_b_ip host host_A_ip

capture capin access-list test interface inside

You should do this configuration on both ASAs.

Then do a show cap capin on both ASAs, and provide the output.....

Regards,

Julio


Julio,

I did the following on both ASAs:

Site A ASA HQ

access-list test permit ip host x.x.x.x (Site A Host IP) host x.x.x.x (Site B Host IP)

access-list test permit ip host x.x.x.x (Site B Host IP) host x.x.x.x (Site A Host IP)

capture capin access-list test interface inside

Site B ASA Branch

access-list test permit ip host x.x.x.x (Site B Host IP) host x.x.x.x (Site A Host IP)

access-list test permit ip host x.x.x.x (Site A Host IP) host x.x.x.x (Site B Host IP)

capture capin access-list test interface inside

Then I typed in show cap capin on both ASAs and got the following results:

Result of the command: "show cap capin"

0 packet captured

0 packet shown

Am I missing anything?

Hello,

Did you send some traffic from Site A Host IP to the host on site B???

You should get some traffic at least on Site A?

Regards,

Julio


Julio,

I changed the IPs to the following, ran ping /t between them, and got the following response.

Site A ASA HQ

access-list test permit ip host x.x.x.x (Site A My PC IP) host x.x.x.x (Site B Server IP)

access-list test permit ip host x.x.x.x (Site B Server IP) host x.x.x.x (Site A My PC IP)

capture capin access-list test interface inside

Site B ASA Branch

access-list test permit ip host x.x.x.x (Site B Server IP) host x.x.x.x (Site A My PC IP)

access-list test permit ip host x.x.x.x (Site A My PC IP) host x.x.x.x (Site B Server IP)

capture capin access-list test interface inside

Site A ASA HQ

Result of the command: "show cap capin"

   1: 16:40:23.785588 (Site A My PC IP).51262 > (Site B Server IP).3389: . ack 227846090 win 253

   2: 16:40:24.644757 (Site A My PC IP) > (Site B Server IP): icmp: echo request

   3: 16:40:24.788624 (Site A My PC IP).51262 > (Site B Server IP).3389: . ack 227846143 win 258

   4: 16:40:25.645810 (Site A My PC IP) > (Site B Server IP): icmp: echo request

3706 packets captured

Site B ASA Branch

Result of the command: "show cap capin"

   1: 08:31:37.574692 (Site B Server IP).3389 > (Site A My PC IP).51262: P 3045221942:3045221995(53) ack 1733105712 win 255
   2: 08:31:37.837526 (Site A My PC IP) > (Site B Server IP): icmp: echo request
   3: 08:31:37.837725 (Site B Server IP) > (Site A My PC IP): icmp: echo reply
   4: 08:31:37.954860 (Site A My PC IP).51262 > (Site B Server IP).3389: . ack 3045221995 win 254

3706 packets captured

Hello IT.

On the capture we can see that Site B is receiving the traffic from Site A, then that traffic is being decrypted and sent to the inside interface to the host. The host replies and the packet never reaches Site A. That is our problem here.

I think the fastest way to solve this issue would be seeing the configuration of both ASAs, Site A and Site B. You can change some parts of the configuration for security purposes.

That will make this troubleshooting ticket faster.

Regards,

Julio

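As an added illustration (not code from the thread), the following script reads the two inside-interface captures the way Julio does above and reports which leg of the path is losing traffic; the sample lines are constructed from the thread's output with placeholder addresses, since the posts redact the real ones.

```python
import re
from collections import Counter

# Constructed sample output modelled on the "show cap capin" lines in this thread;
# 10.1.1.10 (Site A PC) and 10.2.1.20 (Site B server) are placeholder addresses.
SITE_A_CAPTURE = """\
   1: 16:40:23.785588 10.1.1.10.51262 > 10.2.1.20.3389: . ack 227846090 win 253
   2: 16:40:24.644757 10.1.1.10 > 10.2.1.20: icmp: echo request
   3: 16:40:24.788624 10.1.1.10.51262 > 10.2.1.20.3389: . ack 227846143 win 258
   4: 16:40:25.645810 10.1.1.10 > 10.2.1.20: icmp: echo request
"""
SITE_B_CAPTURE = """\
   1: 08:31:37.574692 10.2.1.20.3389 > 10.1.1.10.51262: P 3045221942:3045221995(53) ack 1733105712 win 255
   2: 08:31:37.837526 10.1.1.10 > 10.2.1.20: icmp: echo request
   3: 08:31:37.837725 10.2.1.20 > 10.1.1.10: icmp: echo reply
   4: 08:31:37.954860 10.1.1.10.51262 > 10.2.1.20.3389: . ack 3045221995 win 254
"""

# Packet lines look like "<n>: <time> <src>[.<port>] > <dst>[.<port>]: ..."
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def parse_capture(text):
    """Return (src_ip, dst_ip) for each packet line of 'show cap' output."""
    return [(m["src"], m["dst"]) for m in map(LINE_RE.match, text.splitlines()) if m]

def direction_counts(text, host_a, host_b):
    """Count packets seen A->B and B->A between the two hosts in the capture ACL."""
    c = Counter()
    for src, dst in parse_capture(text):
        if (src, dst) == (host_a, host_b):
            c["a_to_b"] += 1
        elif (src, dst) == (host_b, host_a):
            c["b_to_a"] += 1
    return c["a_to_b"], c["b_to_a"]

def diagnose(site_a_capture, site_b_capture, host_a, host_b):
    """Compare both inside-interface captures and name the leg that loses traffic."""
    a_out, a_ret = direction_counts(site_a_capture, host_a, host_b)
    b_in, b_ret = direction_counts(site_b_capture, host_a, host_b)
    if a_out and not b_in:
        return "Site A sends but Site B never receives: forward leg (A->B) is broken"
    if b_in and not b_ret:
        return "Site B host receives but does not reply: check the Site B host and its route"
    if b_ret and not a_ret:
        return "Site B replies but Site A never sees them: return leg (B->A) is broken"
    if a_out and a_ret and b_in and b_ret:
        return "Both directions seen on both inside interfaces: tunnel path looks fine"
    return "No traffic matched the capture ACL: generate test traffic first"
```

Run `diagnose(SITE_A_CAPTURE, SITE_B_CAPTURE, "10.1.1.10", "10.2.1.20")` on the sample above and it points at the return leg, which is the conclusion drawn in the thread.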

Julio,

1. Site B Branch is receiving the traffic from Site A HQ

2. Site B Branch decrypts the traffic and then sends it to the Site B Branch inside interface to the host

3. The host at Site B Branch replies, but the packet never reaches Site A HQ

In other words:

1. (Site B Server PC) is receiving traffic (ping for example) from (Site A My PC IP)

2. (Site B Server PC) decrypts the traffic (ping) and then sends it to the Site B Branch inside interface to the host

3. The reply from (Site B Server PC) never reaches (Site A My PC IP)

Is that what you mean? Can you explain more about it? I don't really understand.

Is it possible for me to just PM the configuration files from the two sites?

THANKS!

Hello IT,

Yes, that is what is happening: we are not seeing the traffic getting into the inside interface of Site A.

That is why I would like to check both ASAs configuration.

Regards,

Julio


Julio,

I am going to PM you the configuration for Site B now.. and Site A later today!!

Thanks again for all your help!

IT

Please Check PM!


Thanks!!!

Hello IT,

OK, I will!

Julio Carvajal