I've got my ASA 5505 acting as an EasyVPN server and I have multiple remote clients configured, and I can pass traffic to all of them from my 10.10.0.0/16 subnet except to a single remote client (10.154.139.0/24).
When I check my ezvpn1 access-list, everything looks in order. When I do a traceroute from the 10.10.0.0/16 subnet, I can see that the traffic is reaching the outside interface of the ASA server, but it's not hitting the Internet next hop, so I know it's getting picked up for nonat, but for some reason it's not getting picked up and sent across the tunnel. I've included my config if anyone can take a look and see why traffic from 10.10.0.0/16 is not getting sent across the tunnel bound for 10.154.139.0/24.
Can you access the other side device? Are you sure that remote system is not natting your traffic back or sending it to the internet instead of across the return tunnel? I'd check the remote side and make sure the traffic got there, decrypted, and was processed. Then check if it re-encrypts back out, or if it just sends it out to the internet incorrectly.
That route was a stab in the dark, since that subnet is the only one I saw that wasn't set to an inside route path.
What is the source IP you are trying, and the destination IP you are trying to reach?
I.e., are you sourcing a ping from 10.10.1.1 to 10.154.139.1?
I am trying to reach 10.154.139.1/24 from 10.10.1.1/16, which is not making it through the tunnel. However, if I jump over to another subnet, I can source a ping from 10.100.154.1/16 to 10.154.139.1/24 without any problems. I don't think it's a tunnel issue, but for some reason the 10.10.0.0/16 subnet will not pass through the tunnel.
My supposition is that the issue is on the other side.
Do: sh crypto ipsec sa
Do you see the pkts encaps increasing with your ping attempts? If so, it's encrypting it and sending it over the tunnel but pkts decaps should probably be low or 0 if it is not coming back across the tunnel.
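The encaps/decaps comparison suggested in the reply above, as an added example that is not part of the original thread: it parses two `show crypto ipsec sa` snapshots taken before and after a ping and reports the counter deltas per local/remote pair. The sample output, its counter values and the function names are constructed for illustration; the 10.100.0.0/16 entry stands in for the working subnet mentioned in the thread.

```python
import re

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

# Constructed sample in the ASA "show crypto ipsec sa" layout (other lines trimmed).
SAMPLE = """\
      local ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.154.139.0/255.255.255.0/0/0)
      #pkts encaps: {a}, #pkts encrypt: {a}, #pkts digest: {a}
      #pkts decaps: {b}, #pkts decrypt: {b}, #pkts verify: {b}
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.154.139.0/255.255.255.0/0/0)
      #pkts encaps: {c}, #pkts encrypt: {c}, #pkts digest: {c}
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
BEFORE = SAMPLE.format(a=20, b=20, c=0)  # snapshot before the ping
AFTER = SAMPLE.format(a=25, b=25, c=5)   # snapshot after 5 echo requests


def parse_sas(text):
    """Map (local_net, remote_net) -> {'encaps': n, 'decaps': n} for each SA."""
    sas, local, key = {}, None, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            net = f"{m.group(2)}/{m.group(3)}"
            if m.group(1) == "local":
                local, key = net, None
            else:
                key = (local, net)
                sas[key] = {"encaps": 0, "decaps": 0}
        elif key:
            for name, value in COUNT.findall(line):
                sas[key][name] = int(value)
    return sas


def verdict(before, after, local, remote):
    """Compare two snapshots for one local/remote pair: (encaps delta, decaps delta, reading)."""
    old, new = parse_sas(before), parse_sas(after)
    if (local, remote) not in new:
        return (0, 0, "no SA listed for this pair")
    prev = old.get((local, remote), {"encaps": 0, "decaps": 0})
    enc = new[(local, remote)]["encaps"] - prev["encaps"]
    dec = new[(local, remote)]["decaps"] - prev["decaps"]
    if enc <= 0:
        return (enc, dec, "not encrypted: pings never reached this SA")
    if dec <= 0:
        return (enc, dec, "one-way: encrypted out, nothing decrypted back")
    return (enc, dec, "two-way: tunnel is passing traffic")
```

A one-way result points at the remote side or the return path; a missing SA or a zero encaps delta points back at the local ASA's own configuration.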