Our problem is that the remote site cannot access our network, but we can access their network. ACL and routing were checked and all are correct.
I checked one of our other L2L VPN setups as well, 3845 -> 2851: when I do show crypto ipsec sa, I see all the networks defined in the local and remote networks active, but in our ASA-2851 setup I don't see this kind of output. I see only two subnets active. After initiating a ping to the remote networks, I can then see the other two networks when I do show crypto ipsec sa. Is this normal? I know that there should be rekeying of the SA, but why are the (local+remote networks) missing when no traffic is passing from the local network?
L2L IPsec tunnels are always on demand - when no traffic is passing, tunnels will not initiate.
In your particular case it's hard to say whether:
1. Tunnel initiation from router subnet to ASA is blocked.
2. Traffic inside established tunnel from router subnet to ASA is blocked.
I would first make sure that you have correct SPIs while you're running the test (yes, show crypto ipsec sa). If the SPIs are in place and traffic is passing from ASA to router subnets and not vice versa, then you're running into a problem with something stateful on the way (maybe vpn-filter on ASA?)
Now if you initiate tests from the router networks and still see the issue and SPIs are not there, there might be something blocking your IKE traffic, not allowing the router to initiate properly.
When I do show crypto ipsec sa on the ASA, I cannot see the local and remote networks on the ASA, but once I ping from the inside network of the ASA to the router side, then I can see them in my show crypto ipsec sa. I already enabled sysopt connection permit-vpn on the ASA, but it is the same.
Below is the debug I captured when there is no traffic passing through the two networks:
Jun 05 14:32:54 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xf7ba8d0b
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Pitcher: received key delete msg, spi 0x7a23d721
Jun 05 14:34:20 [IKEv1]: Group = 207.107.203.X, IP = 207.107.203.X, Connection terminated for peer 207.107.203.X. Reason: IPSec SA Idle Timeout Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, sending delete/delete with reason message
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing blank hash payload
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing IPSec delete payload
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, constructing qm hash payload
Jun 05 14:34:20 [IKEv1]: IP = 207.107.203.X, IKE_DECODE SENDING Message (msgid=71d4e9b6) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Active unit receives a delete event for remote peer 207.107.203.X.
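As an added example that is not part of the thread, the following Python script parses ASA IKEv1 debug lines like the ones posted above (four of them are reused as the sample input), collects the SPIs named in key delete messages, and pulls the peer, reason and proxy identities out of each "Connection terminated" line. Filtering on "IPSec SA Idle Timeout" separates SAs that the idle timer tore down for lack of interesting traffic from SAs that disappeared for any other reason, which is what the thread's "missing networks" question turns on.

```python
import re

# Sample input: four lines taken from the ASA debug quoted in the thread.
SAMPLE_DEBUG = """\
Jun 05 14:32:54 [IKEv1 DEBUG]: Pitcher: received key delete msg, spi 0xf7ba8d0b
Jun 05 14:34:20 [IKEv1 DEBUG]: Group = 207.107.203.X, IP = 207.107.203.X, Pitcher: received key delete msg, spi 0x7a23d721
Jun 05 14:34:20 [IKEv1]: Group = 207.107.203.X, IP = 207.107.203.X, Connection terminated for peer 207.107.203.X. Reason: IPSec SA Idle Timeout Remote Proxy 10.200.18.0, Local Proxy 10.71.0.0
Jun 05 14:34:20 [IKEv1]: IP = 207.107.203.X, IKE_DECODE SENDING Message (msgid=71d4e9b6) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
"""

# "Mon DD HH:MM:SS [LEVEL]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>[^\]]+)\]: (?P<msg>.*)$")
SPI_RE = re.compile(r"spi (0x[0-9a-fA-F]+)")
TERM_RE = re.compile(
    r"Connection terminated for peer (?P<peer>\S+)\. Reason: (?P<reason>.+?) "
    r"Remote Proxy (?P<remote>\S+), Local Proxy (?P<local>\S+)"
)


def parse_debug(text):
    """Return (deleted_spis, teardowns) extracted from ASA IKEv1 debug text.

    deleted_spis: SPIs seen in 'received key delete msg' lines, in order.
    teardowns: one dict per 'Connection terminated for peer' line.
    """
    deleted_spis = []
    teardowns = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an IKE debug line; ignore
        msg = m.group("msg")
        spi = SPI_RE.search(msg)
        if "key delete msg" in msg and spi:
            deleted_spis.append(spi.group(1))
        term = TERM_RE.search(msg)
        if term:
            teardowns.append({
                "time": m.group("ts"),
                "peer": term.group("peer"),
                "reason": term.group("reason"),
                "remote_proxy": term.group("remote"),
                "local_proxy": term.group("local"),
            })
    return deleted_spis, teardowns


def idle_timeout_teardowns(text):
    """Only the teardowns caused by the ASA idle timer, i.e. SAs that expired
    because no traffic matched the proxy pair, not failed negotiations."""
    _, teardowns = parse_debug(text)
    return [t for t in teardowns if "Idle Timeout" in t["reason"]]
```

Run it over a longer debug capture to see which local/remote proxy pairs are being expired by the idle timer before the "missing" networks reappear after a ping.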