New Member

asa<->ios l2l vpn issue - oneway data

Topology

10.23.26.2---\
              -------------WAN-asa 5520
10.23.26.198-/

10.23.26.2 has subnet 172.16.16.0/24, asa - 192.168.10.0/24

10.23.26.2#ping ip 192.168.10.212 so 172.16.16.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.212, timeout is 2 seconds:

Packet sent with a source address of 172.16.16.1

.....

Success rate is 0 percent (0/5)

But I see both requests and reply on asa

asa# ICMP echo request from outside:172.16.16.1 to inside:192.168.10.212 ID=48 seq=0 len=72

ICMP echo reply from inside:192.168.10.212 to outside:172.16.16.1 ID=48 seq=0 len=72

But when I simply change 10.23.26.2 to 10.23.26.198 in the asa, the tunnel works successfully in both directions.

I don't have any ideas; none of the possible solutions helps: reverse-route, df, tcp adjust-mss.

Please help - where am I wrong?

7 REPLIES

Re: asa<->ios l2l vpn issue - oneway data

clear crypto isakmp sa

clear crypto ipsec sa

conf t

logg on

logg mon 7 (or logg con 7)

deb crypto ipsec

deb crypto isakmp

New Member

Re: asa<->ios l2l vpn issue - oneway data

thanks for your attention

debug attached

Re: asa<->ios l2l vpn issue - oneway data

try to ping and

show "sh crypto ipsec sa" on both sides
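
As an added example (not from this thread or from Cisco), the following script turns the advice above into a check: it parses the #pkts encaps/decaps counters from each peer's "show crypto ipsec sa" output and reports at which hop a one-way tunnel stops forwarding. The two sample outputs are constructed to mirror the symptom in this thread (router encrypts 5 requests, ASA decrypts 5 but encrypts 0 replies); only the counter line format follows real IOS/ASA output.

```python
import re

# Constructed sample output from both peers, trimmed to the lines the check
# needs. Counter names follow the real IOS/ASA "show crypto ipsec sa" format.
IOS_SA = """\
local  ident (addr/mask/prot/port): (172.16.16.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer 10.23.26.6 port 500
 #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ASA_SA = """\
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.16.0/255.255.255.0/0/0)
current_peer: 10.23.26.2
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

# Only the encaps/decaps counters matter for direction; encrypt/digest/verify
# are deliberately ignored.
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_counters(output: str) -> dict:
    """Return {'encaps': n, 'decaps': n} summed over all SAs in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER.findall(output):
        totals[name] += int(value)
    return totals

def diagnose(initiator: str, responder: str) -> str:
    """Compare both peers' counters and name the hop where traffic stops.
    initiator = peer whose LAN sourced the ping, responder = peer hosting the target."""
    i, r = parse_counters(initiator), parse_counters(responder)
    if i["encaps"] == 0:
        return "initiator encrypts nothing: traffic never matched its crypto ACL"
    if r["decaps"] == 0:
        return "initiator encrypts but responder decrypts nothing: ESP lost in transit or SA mismatch"
    if r["encaps"] == 0:
        return ("responder decrypts requests but encrypts no replies: "
                "reply is not steered into the tunnel (check crypto ACL, NAT and route for the reply)")
    if i["decaps"] == 0:
        return "responder encrypts replies but initiator decrypts nothing: return ESP lost in transit"
    return "counters rise in both directions: tunnel is forwarding"

if __name__ == "__main__":
    print(diagnose(IOS_SA, ASA_SA))
```

For the constructed sample the verdict is the third branch, which is the same place the thread ends up: the ASA receives and decrypts the requests but never encrypts the replies.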

New Member

Re: asa<->ios l2l vpn issue - oneway data

ok, and "debug crypto engine 127" included

Re: asa<->ios l2l vpn issue - oneway data

looks like all is ok with the VPN

are you able to ping 192.168.10.212 from 192.168.10.0/24 network?

New Member

Re: asa<->ios l2l vpn issue - oneway data

>are you able to ping 192.168.10.212 from 192.168.10.0/24 network?

yes, and as I wrote in the first message, the icmp reply arrived at the asa

#debug icmp trace

ICMP echo request from outside:172.16.16.1 to inside:192.168.10.212 ID=48 seq=0 len=72

ICMP echo reply from inside:192.168.10.212 to outside:172.16.16.1 ID=48 seq=0 len=72

Logging of denied packets was enabled, and there were no dropped pings at this time (only the normal messages about built/teardown connections are logged).

The router doesn't receive this reply.

No firewalling on it; checked with "debug ip packets" and "debug crypto engine pack".

I cannot check this now, but it looks like the asa sends the reply to the outside interface w/o tunneling.

When the remote peer is 10.23.26.198, routing of the same subnet (172.16.16.0) into the tunnel works fine.

New Member

Re: asa<->ios l2l vpn issue - oneway data

internal topology (asa site)

10.23.26.6/30 (outside Gig0/1 asa)-10.10.10.2/30 (inside gig 0/0 asa) <->10.10.10.1/30 (gig eth, cat3560)-192.168.10.212/24 (vlan 1, cat3560)
