I have run into a problem with traffic returning on a site to site VPN. We can send our http request across the VPN, it gets there fine, but upon arrival, the other side is closing the connection with TCP RST and AGE OUT flags, and we are getting SYN TIMEOUT flags on the return traffic due to the connection being dropped.
I have double checked our crypto maps, IPsec policies, ipv4 filtering is as it should be, and I am at wits' end! The VPN hasn't failed, it is very much alive, except we are not getting any return traffic whatsoever due to the RST. Restarting the VPN does not help. We have multiple connections on the same interface enabled.
I have been told by support on the other end of the VPN that it must be our return route, except I have not touched our static routes in months!
The pattern for connection close at the receiving end of the VPN is TCP RST, AGE OUT, AGE OUT.
Is anyone able to shed some light on this or anyone with similar issues?
Maybe I have misunderstood something, but how is it a problem with your return routing if you are the one forming/opening the connection and getting timeouts for the connection?
I would consider checking any NAT configurations that might prevent the traffic flow.
You might have the correct NAT0 configurations and the traffic flows to the remote site through the L2L VPN but the remote end might have NAT configurations that are preventing the return traffic from flowing.
But as I said, I am not sure if I have misunderstood something in the setup. Is every single connection through this L2L VPN failing at the moment? If not all connections are failing, then are all the failing connections related to the same destination remote network? (presuming there is more than one even)
You can easily test your end with "packet-tracer" command. It will both tell if the packet would match the correct ACLs and NAT rules and the VPN rules. Furthermore it would even tell if the VPN connection was fine.
What it won't tell you, however, are problems related to the remote end (other than the operation of the VPN itself, of course).
Example "packet-tracer" command format would be
packet-tracer input inside tcp
You might need to replace the "inside" with something else depending on the actual name of your interface that sources the traffic (behind which the users of the L2L VPN are located). You can naturally also test with "udp" or "icmp" while the "icmp" requires different parameters in the command naturally (not ports).
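One way to answer the reply's question about whether the failing connections all point at the same remote network is to tabulate firewall connection-teardown records by destination subnet and end reason. The script below is an added example, not code from the poster or from Cisco: the log lines, the remote subnets and the simplified "timestamp src dst port end-reason" record format are all constructed for illustration, and the end-reason names are assumed labels for the RST / aged-out / SYN-timeout closes described in the question, not a vendor's exact syslog format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample teardown records (not real traffic). Each line:
# <timestamp> <src-ip> <dst-ip> <dst-port> <end-reason>
SAMPLE_LOG = """\
2024-01-01T10:00:01 192.168.10.5 10.20.30.40 80 tcp-rst-from-server
2024-01-01T10:00:02 192.168.10.5 10.20.30.40 80 aged-out
2024-01-01T10:00:05 192.168.10.6 10.20.30.41 443 syn-timeout
2024-01-01T10:00:07 192.168.10.7 10.20.31.9 80 tcp-fin
2024-01-01T10:00:09 192.168.10.8 10.20.30.42 80 syn-timeout
2024-01-01T10:00:12 192.168.10.9 10.20.31.10 22 tcp-fin
"""

# Assumed end-reason labels for closes that mean the flow never completed
# normally (reset by the far side, idle-aged, or SYN never answered).
FAILURE_REASONS = {"tcp-rst-from-server", "aged-out", "syn-timeout"}

# Constructed remote subnets reachable over the L2L VPN.
REMOTE_NETWORKS = [
    ipaddress.ip_network("10.20.30.0/24"),
    ipaddress.ip_network("10.20.31.0/24"),
]


def parse_log(text):
    """Parse the constructed record format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, reason = line.split()
        records.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "reason": reason,
        })
    return records


def destination_network(addr, networks):
    """Return the first configured network containing addr, else None."""
    for net in networks:
        if addr in net:
            return net
    return None


def failure_summary(records, networks):
    """Count failed and normally-closed flows per destination network."""
    summary = defaultdict(lambda: {"failed": 0, "ok": 0})
    for r in records:
        net = destination_network(r["dst"], networks)
        key = str(net) if net is not None else "unmatched"
        if r["reason"] in FAILURE_REASONS:
            summary[key]["failed"] += 1
        else:
            summary[key]["ok"] += 1
    return dict(summary)


def failing_networks(summary):
    """Networks where every observed flow failed: the first place to look for
    a NAT or routing problem on the remote side, as the reply suggests."""
    return sorted(k for k, v in summary.items()
                  if v["failed"] > 0 and v["ok"] == 0)


if __name__ == "__main__":
    summary = failure_summary(parse_log(SAMPLE_LOG), REMOTE_NETWORKS)
    for net, counts in sorted(summary.items()):
        print(f"{net}: failed={counts['failed']} ok={counts['ok']}")
    print("networks with only failed flows:", failing_networks(summary))
```

Run against the constructed sample, every flow to 10.20.30.0/24 fails while flows to 10.20.31.0/24 close normally, which is the "same destination remote network" pattern the reply asks about and points the investigation at the remote side's NAT or routing for that one subnet rather than at the VPN itself.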