
ASA 5540 x Juniper VPN works only one way

pivetta066203
Level 1

I have a VPN tunnel between a Cisco ASA firewall and a Juniper firewall. Phase 1 and phase 2 are OK, and traffic going from the ASA to the Juniper is OK, but the other direction, from the Juniper to the ASA, doesn't work.

Could you help me?

My local network is 10.0.0.0/8 and remote network is 10.162.8.0/21.


Marvin Rhoads
Hall of Fame

Most likely the remote site either does not route properly to the Juniper for destinations on your network or, if they do, they fail to exempt the traffic from NAT. Since your network addresses are a superset of theirs, it poses some additional considerations and potential problems.

You'd need to work with the Juniper firewall admin to look into those and other causes.

Thank you.

Raja Periyasamy
Level 1

When you say that the traffic from the Juniper side is not working, is it a host behind the Juniper that tries to pass across the tunnel?

When the traffic is initiated from behind the Juniper, do you see the decrypt counts increasing on the ASA?

# show crypto ipsec sa peer <Juniper side's public IP>

Start traffic from the Juniper side and run the above command a couple of times to see if the encrypts and decrypts are increasing.

If the decrypts don't increase, it would mostly be an issue with the routing or encryption on the Juniper side.

As Marvin has pointed out, check if the source nat off is present on the Juniper side if this is an SRX box.
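
The counter check suggested in the replies above, as an added example that is not part of the original thread: it compares two captures of `show crypto ipsec sa peer` output and reports which direction is stalled, plus the superset condition Marvin mentions. The sample output is constructed (documentation peer address 198.51.100.2), and the function names `parse_sa` and `diagnose` are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the layout of ASA "show crypto ipsec sa peer" output.
# The networks are the ones from the question; the peer IP is a placeholder.
SNAPSHOT_1 = """\
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.162.8.0/255.255.248.0/0/0)
      current_peer: 198.51.100.2
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Second capture a little later: outbound counters moved, inbound stayed at 0.
SNAPSHOT_2 = SNAPSHOT_1.replace("120", "185")

IDENT = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
COUNTER = re.compile(r"#pkts (encrypt|decrypt): (\d+)")


def parse_sa(text):
    """Return the proxy identities and encrypt/decrypt counters of one SA."""
    sa = {side: ipaddress.ip_network(f"{addr}/{mask}")
          for side, addr, mask in IDENT.findall(text)}
    sa.update({name: int(value) for name, value in COUNTER.findall(text)})
    return sa


def diagnose(before, after):
    """Compare two captures; return (encrypt delta, decrypt delta, notes)."""
    a, b = parse_sa(before), parse_sa(after)
    enc = b["encrypt"] - a["encrypt"]
    dec = b["decrypt"] - a["decrypt"]
    notes = []
    if dec == 0:
        notes.append("decrypts not increasing: nothing arrives through the "
                     "tunnel, check routing and NAT exemption on the peer")
    if enc == 0:
        notes.append("encrypts not increasing: the ASA sends nothing into "
                     "the tunnel for this SA")
    if b["remote"].subnet_of(b["local"]):
        notes.append(f"remote {b['remote']} lies inside local {b['local']}: "
                     "remote hosts may treat these destinations as local")
    return enc, dec, notes


if __name__ == "__main__":
    enc, dec, notes = diagnose(SNAPSHOT_1, SNAPSHOT_2)
    print(f"encrypt +{enc}, decrypt +{dec}")
    for note in notes:
        print(" -", note)
```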
