Community Member

Connectivity issue over VPN tunnel.

Hi,

I have a site-to-site tunnel between a Cisco 3000 VPN concentrator and a PIX506. I will be moving it to a new ASA5510, so the tunnel will be established between the ASA and the PIX. After initial testing, I found that one box on the remote network (time clock lol) is dropping connectivity while tunneling between the PIX and the ASA (works fine with the concentrator). Is all of the traffic allowed thru the VPN tunnel built on the ASA? I understand that it should be as long as the tunnel is up and running, correct? (Note: the remote clock is using TCP ports 8888 and 8889 to communicate with the server.)

thanks


7 REPLIES

Re: Connectivity issue over VPN tunnel.

Hi,

Normally all IP traffic is permitted through the tunnel (unless there are some filters), all TCP/UDP traffic is permitted through.

The tunnel never goes down when this happens?

Only that specific connection goes down?

Federico.

Community Member

Re: Connectivity issue over VPN tunnel.

Yes, this is the only issue I had encountered while testing. The server connects to the clock over the tunnel to collect transactions. It works thru the old tunnel, fails with the new one... even though I am able to ping/traceroute it thru the new tunnel (tunnel stays up and running).

Re: Connectivity issue over VPN tunnel.

Ok, so through the new tunnel it works but it disconnects? Or it never works?

How often does it disconnect?

Federico.

Community Member

Re: Connectivity issue over VPN tunnel.

Sorry for the confusion. It never worked through the new tunnel (I mean the server cannot communicate with the clock (over TCP ports 8888 and 8889), even though the tunnel is up and running and all other nodes communicate ok, i.e. mail, telnet, web). Everything works through the old tunnel (3000 concentrator and PIX), so I wanted to make sure that ports 8888 and 8889 are not being blocked when traffic goes thru the VPN tunnel between the ASA and the PIX.

Re: Connectivity issue over VPN tunnel.

If you just setup the tunnel normally, this traffic won't be blocked.

The ASA has a filter that could be applied to the group-policy for a tunnel.

Check the group-policy that is being used to make sure there are no vpn-filters applied.

Can you reach that same server through any other traffic (for example PING) through this new tunnel?

Federico.
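An added example, not part of the original thread: one way to carry out the vpn-filter check described above offline, against a saved running-config. The sample configuration, peer addresses, and the names `NEW-L2L`, `OPEN-L2L` and `CLOCK-FILTER` are constructed for illustration; the script resolves the group-policy used by a tunnel-group and follows inheritance from `DfltGrpPolicy` when the policy sets no `vpn-filter` itself.

```python
import re

# Constructed excerpt of an ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
access-list CLOCK-FILTER extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq www
group-policy DfltGrpPolicy attributes
 vpn-filter value CLOCK-FILTER
group-policy NEW-L2L internal
group-policy NEW-L2L attributes
 vpn-tunnel-protocol IPSec
group-policy OPEN-L2L internal
group-policy OPEN-L2L attributes
 vpn-filter none
tunnel-group 192.0.2.10 general-attributes
 default-group-policy NEW-L2L
tunnel-group 192.0.2.20 general-attributes
 default-group-policy OPEN-L2L
"""

def parse_blocks(config):
    """Map each top-level config line to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        elif line.strip():
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks

def effective_vpn_filter(config, peer):
    """Return (group_policy, acl_name or None) applied to the tunnel to peer."""
    blocks = parse_blocks(config)
    policy = "DfltGrpPolicy"  # used when the tunnel-group names no policy
    for cmd in blocks.get(f"tunnel-group {peer} general-attributes", []):
        if cmd.startswith("default-group-policy "):
            policy = cmd.split()[1]
    # An attribute missing from a policy is inherited from DfltGrpPolicy.
    for name in (policy, "DfltGrpPolicy"):
        for cmd in blocks.get(f"group-policy {name} attributes", []):
            if cmd == "vpn-filter none":
                return policy, None
            m = re.fullmatch(r"vpn-filter value (\S+)", cmd)
            if m:
                return policy, m.group(1)
    return policy, None

def acl_lines(config, acl):
    return [l for l in config.splitlines() if l.startswith(f"access-list {acl} ")]
```

In the constructed sample, the tunnel to 192.0.2.10 inherits a filter that permits only `www`, so TCP 8888 and 8889 would be dropped while the tunnel itself stays up.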

Community Member

Re: Connectivity issue over VPN tunnel.

There's no filter applied. I checked it via ASDM. I'm not using DfltGrpPolicy though. I had created a new policy for this tunnel... Should I configure it to use L2TP/IPSEC only, or both IPSec and L2TP/IPSec? What will happen if the "inherit" option is checked for Tunneling Protocols (ASDM 6.2)?

I can also ping/traceroute all remote devices thru new tunnel.

Re: Connectivity issue over VPN tunnel.

If there's no filter, again all traffic should be permitted.

You don't need to choose L2TP as the connection is pure IPsec.

If you want, you can post your configurations to check them out (you can remove the sensitive information).

Federico.
