Solved: Re: TCP Not Working over LAN 2 LAN Tunnel

9s.pappas · ‎07-15-2006

I have a L2L tunnel established between a pix and 3020. Everything is working but TCP. I did a lot of tinkering on the 3000 running 4.7 and could have inadvertently caused this, perhaps? The ACLS and debugs on the pix/router side are showing TCP is passing on that end.

hemendoz · ‎07-15-2006

Hello 9s.pappas,

Can you post your acl? If I recall, there is no concept of protocol on the VPN3K. That is, when you define your "crypto acl" you use only network lists. I would change the acl on the pix to reference ip.

Also, any chance you could run a sniffer on a host on the VPN3K side, and send TCP traffic from the router side to see if you see a SYN packet on the remote host? That may yield more clues.

Hope this helps! If so, please rate.

Thanks

View solution in original post

hemendoz · ‎07-15-2006

Hello 9s.pappas,

Can you post your acl? If I recall, there is no concept of protocol on the VPN3K. That is, when you define your "crypto acl" you use only network lists. I would change the acl on the pix to reference ip.

Also, any chance you could run a sniffer on a host on the VPN3K side, and send TCP traffic from the router side to see if you see a SYN packet on the remote host? That may yield more clues.

Hope this helps! If so, please rate.

Thanks

9s.pappas · ‎07-16-2006

I'll check this out with my partner on the other end and see what he says about his acl. I think this confirms for me that the VPN3K really only forwards packets and doesn't do much in the way filtering at the protocol level. I'm pretty sure once we get the acls on his pix and router staightened out, we'll be working. I'll followup once I know. I appreciate your response.

9s.pappas · ‎07-17-2006

It ended up being a checkpoint problem on my end. Clear it up and things are working when I pushed a new rule. Thanks for the confirmation that the VPN3K doesn't do protocol filtering, it helped me elimiate the VPN3K.