We just started running into an issue where, if we go into Administer Sessions and try to ping a client, it comes back as unreachable. We use split tunneling and have an internal network list for the clients. What we have to do is first have the remote client ping the concentrator's address (to create the SA to that network), and then we can ping from the concentrator back to that client. The thing is, we can't figure out what might have changed that caused this. We never used to have to create that SA to the concentrator before doing a ping to the clients. Shouldn't that association be created when the client comes in to get its address and so on? How can the concentrator not know it's there until we create the SA to that network? Anyone have any idea what might have changed that caused this?
I can't really see what the problem might be. What you can do, however, is see if you can ping the client otherwise, i.e. without using the VPN. That would at least reduce the problem to reachability at the client's end or at the concentrator's end. Another reason might be the presence of a PIX on the remote end... actually, this seems to be the most likely reason for this behaviour. If you do indeed have a PIX on the remote end, configure it to allow incoming sessions from the concentrator.