asa<->ios l2l vpn issue - oneway data

creatorizh
Level 1

Topology

10.23.26.2---\

-------------WAN-asa 5520

10.23.26.198-/

10.23.26.2 has subnet 172.16.16.0/24, asa - 192.168.10.0/24

10.23.26.2#ping ip 192.168.10.212 so 172.16.16.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.10.212, timeout is 2 seconds:

Packet sent with a source address of 172.16.16.1

.....

Success rate is 0 percent (0/5)

But I see both requests and reply on asa

asa# ICMP echo request from outside:172.16.16.1 to inside:192.168.10.212 ID=48 seq=0 len=72

ICMP echo reply from inside:192.168.10.212 to outside:172.16.16.1 ID=48 seq=0 len=72

But when I simply change 10.23.26.2 to 10.23.26.198 in the ASA, the tunnel works successfully in both directions.

I don't have any ideas; none of the possible solutions help: reverse-route, df, tcp adjust-mss.

Please help, where am I wrong?


a.alekseev
Level 7

clear crypto isakmp sa

clear crypto ipsec sa

conf t

logg on

logg mon 7 (or logg con 7)

deb crypto ipsec

deb crypto isakmp

thanks for your attention

debug attached

try to ping and

show "sh crypto ipsec sa" on both sides

ok, and "debug crypto engine 127" included

looks like all ok with the VPN

are you able to ping 192.168.10.212 from 192.168.10.0/24 network?

>are you able to ping 192.168.10.212 from 192.168.10.0/24 network?

yes, and as I wrote in the first message, the ICMP reply arrived at the ASA

#debug icmp trace

ICMP echo request from outside:172.16.16.1 to inside:192.168.10.212 ID=48 seq=0 len=72

ICMP echo reply from inside:192.168.10.212 to outside:172.16.16.1 ID=48 seq=0 len=72

Logging of denied packets was enabled, and there were no dropped pings at this time (only the normal messages about built/teardown connections are logged).

The router doesn't receive this reply.

No firewalling on it; checked with "debug ip packet" and "debug crypto engine packet".

I cannot check this now, but it looks like the ASA sends the reply out the outside interface without tunneling.

When remote peer is 10.23.26.198, routing of the same subnet (172.16.16.0) into tunnel works fine.

internal topology (asa site)

10.23.26.6/30 (outside Gig0/1 asa)-10.10.10.2/30 (inside gig 0/0 asa) <->10.10.10.1/30 (gig eth, cat3560)-192.168.10.212/24 (vlan 1, cat3560)
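The check a.alekseev asked for, "sh crypto ipsec sa" on both sides, is most useful when the per-SA packet counters are read as a pair: the router's "#pkts encaps" should equal the ASA's "#pkts decaps", and the ASA's "#pkts encaps" should equal the router's "#pkts decaps". The script below is an added example, not part of the thread, that parses two constructed show excerpts (modelled on the IOS/ASA counter and ident line formats, not captures from this case) and reports which leg of the exchange lost the packets. The record layout, the pairing by mirrored local/remote idents and the finding codes are all this example's own assumptions.

```python
import re

# Constructed sample "sh crypto ipsec sa" excerpts (not captures from the thread),
# trimmed to the ident and packet-counter lines the check needs.
# Router side (IOS): 172.16.16.0/24 behind it, pings sent toward 192.168.10.0/24.
ROUTER_SA = """\
   local  ident (addr/mask/prot/port): (172.16.16.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# ASA side: the mirror SA. Requests arrive (decaps 5) but nothing goes back
# through the tunnel (encaps 0), the one-way pattern described in the thread.
ASA_SA = """\
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.16.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
"""

# Greedy ".*" skips the literal "(addr/mask/prot/port)" and lands on the real tuple.
IDENT_RE = re.compile(r"\b(local|remote)\s+ident.*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Split show output into SA records {local, remote, encaps, decaps}.
    A new record starts at each 'local ident' line."""
    records, cur = [], {}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, net, mask = m.groups()
            if side == "local" and cur:
                records.append(cur)
                cur = {}
            cur[side] = f"{net}/{mask}"
            continue
        m = COUNTER_RE.search(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
    if cur:
        records.append(cur)
    return records


def pair_sas(initiator, responder):
    """Match an initiator SA with the responder SA whose idents mirror it."""
    for a in initiator:
        for b in responder:
            if a.get("local") == b.get("remote") and a.get("remote") == b.get("local"):
                return a, b
    raise ValueError("no mirrored SA pair found; check the crypto ACLs on both peers")


def diagnose(initiator_text, responder_text):
    """Return (code, message) findings locating where the echo/reply stopped.
    initiator = the side that sent the ping, responder = the side that answered."""
    a, b = pair_sas(parse_sa(initiator_text), parse_sa(responder_text))
    findings = []
    if a["encaps"] == 0:
        findings.append(("no_forward_encaps",
                         "initiator encrypted nothing: its traffic is not hitting the crypto ACL"))
    elif b["decaps"] < a["encaps"]:
        findings.append(("forward_loss",
                         f"initiator encrypted {a['encaps']} but responder decrypted {b['decaps']}"))
    if b["decaps"] > 0 and b["encaps"] == 0:
        findings.append(("no_return_encaps",
                         "responder decrypted requests but encrypted no replies: "
                         "the return traffic is not being selected for the tunnel"))
    elif b["encaps"] > a["decaps"]:
        findings.append(("return_loss",
                         f"responder encrypted {b['encaps']} but initiator decrypted {a['decaps']}"))
    if not findings:
        findings.append(("symmetric", "tunnel counters match both ways; look outside IPsec"))
    return findings


if __name__ == "__main__":
    for code, msg in diagnose(ROUTER_SA, ASA_SA):
        print(f"{code}: {msg}")
```

With the sample counters the script reports no_return_encaps: the ASA decrypted every request but encrypted no reply, so the return path is failing before encryption rather than in transit, which is where "debug icmp trace" showing the reply on the ASA and the router never seeing it would also point. Re-run the check after clearing the SAs so the counters start from zero.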
