The tunnel works fine when on peer 1, X.X.X.X (pinging between hosts at 192.168.1.2 and 10.0.1.3 on the private networks). When it switches over to peer 2, Y.Y.Y.Y, the tunnel comes back up with Y.Y.Y.Y as the endpoint, as verified in 'show crypto ipsec sa'. However, I cannot pass any traffic across when peer 2 is up. Note that the peer on the other side is a multi-WAN device that has X.X.X.X and Y.Y.Y.Y attached, and the failure is created by unplugging X.X.X.X from the device.
When I run an ASA packet-trace command using ICMP (packet-trace input inside icmp 192.168.1.2 8 0 10.0.1.3 detail), at Phase 12 it drops the packet when it starts to encrypt the packet. With crypto debugs on, it matches the crypto ACL early in the phases (Phase 3), so I know the packet is headed to the tunnel. See the failure below. It says Flow is denied by configured rule.
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I tried debug acl filter, but can't get the level above 1.
Any ideas on what else I need in the config or what else I can use to debug?
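The question above works from a packet-tracer run and its final Result block. The following helper, added here as an example and not part of the original thread or of any Cisco tooling, parses `packet-tracer ... detail` output into per-phase records and reports which phase first returned DROP, what stage (Type/Subtype) that was, which phases were VPN phases (where the crypto ACL match and the encrypt step show up), and the final Drop-reason. The SAMPLE text is constructed to mirror the symptom described (crypto ACL matched in an early VPN phase, acl-drop at the VPN encrypt phase); it is not a real capture, and the access-list and nat lines in it are placeholders.

```python
"""Summarise a Cisco ASA `packet-tracer ... detail` run: find the dropping phase.

Added example; the SAMPLE output is constructed, not captured from a device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: condensed phase list ending in the drop seen in the thread.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.1.0        255.255.255.0   outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static LAN LAN destination static REMOTE REMOTE
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"


def parse_packet_tracer(text):
    """Return (list of Phase, dict of the final Result block)."""
    phases, final = [], {}
    # A phase begins with "Phase: N"; the summary begins with a bare "Result:" line.
    for block in re.split(r"\n(?=Phase: \d+\n|Result:\n)", text.strip()):
        lines = block.splitlines()
        if not lines:
            continue
        if lines[0].startswith("Phase:"):
            ph = Phase(number=int(lines[0].split(":", 1)[1]))
            section = None
            for line in lines[1:]:
                if line.startswith("Type:"):
                    ph.type = line.split(":", 1)[1].strip()
                elif line.startswith("Subtype:"):
                    ph.subtype = line.split(":", 1)[1].strip()
                elif line.startswith("Result:"):
                    ph.result = line.split(":", 1)[1].strip()
                elif line.strip() == "Config:":
                    section = ph.config
                elif line.strip() == "Additional Information:":
                    section = ph.info
                elif section is not None and line.strip():
                    section.append(line.strip())
            phases.append(ph)
        elif lines[0].strip() == "Result:":
            for line in lines[1:]:
                key, sep, val = line.partition(":")
                if sep:
                    final[key.strip()] = val.strip()
    return phases, final


def diagnose(text):
    """Pick out the first DROP phase and the summary fields an engineer looks at."""
    phases, final = parse_packet_tracer(text)
    drop = next((p for p in phases if p.result.upper() == "DROP"), None)
    return {
        "total_phases": len(phases),
        "vpn_phases": [(p.number, p.subtype) for p in phases if p.type == "VPN"],
        "drop_phase": drop.number if drop else None,
        "drop_stage": f"{drop.type}/{drop.subtype}" if drop else None,
        "drop_config": drop.config if drop else [],
        "action": final.get("Action"),
        "drop_reason": final.get("Drop-reason"),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

Paste a real `packet-tracer ... detail` transcript in place of SAMPLE: a VPN phase listed in `vpn_phases` before the drop confirms the flow is being classified into the tunnel (the crypto ACL match), and `drop_stage` of `VPN/encrypt` with an empty `drop_config` tells you the deny is not coming from an interface ACL that the tracer can print, so the next thing to compare is the crypto map and the SA actually negotiated with the current peer.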
Works great, my ping across the tunnel doesn't even miss a beat when I pull the X.X.X.X cable.
BTW, the peer firewall appliance is a WatchGuard X750e with multi-WAN capabilities, where X.X.X.X is a Comcast connection in port 0 and Y.Y.Y.Y is a Qwest connection in port 2 (port 1 is the trusted interface). The Cisco ASA is sitting in a datacenter providing access to some file servers and only has one Internet connection.