IPSec VPN tunnel works one way, can ping the other direction too
Ok so I'm going crazy here. I have a IPSec tunnel that is working in one direction.
Below is the router config from the side that can connect to the other side perfectly. I believe the issue is with this router as while I was waiting on delivery for the ASA I had an SRP527W sitting in it's place and had exactly the same problem.
On one side I have a 887VA router and the other an ASA5505.
The network behind the 887VA can access the remote site perfectly, backup services are traversing the link as are web interfaces for applications. In the other direction I can ping hosts but cannot connect. What else is interesting is if from the remote site I attempt to connect to a particular device that performs a port redirect the remote site browser gets so far as being redirected to port 5000 but then hangs.
I am seeing some very generic packet drop debug notices on the 887va on the NAT-ACL access list but I think this is as it should be as it is dropping the tunnel traffic from the NAT'ing.
The config for the router is here, I will post the ASA config when I get to the other site shortly but I am convinced the issues is on this device, all the crypto configurations match.
I have looked at the MTU's on each side, the path MTU on both sides is 1492. The asa does say the media MTU is 1500 but I believe that is the ADSL link so shouldnt matter?
I even went so far as installing CCP and testing the VPN. It says the tunnel is up. It did state a failure:
A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.
with recommended action:
1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.
I did 2 with no effect.
(Addresses etc have been changed to protect the innocent.)
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...