Site - Site IPSec VPN tunnel

ricenhour · ‎02-01-2006

I have a situation where an application at site 1 is trying to communicate to a device at site 2 over an IPSec tunnel. The match ACL is based on IP and therefore is suppose to pass any and all traffic. I see the traffic traverse from site 1 to site 2 successfully. The Device at site 2 is sending back a TCP reset which is NOT being passed back back to site 1. Is the firewall by default going to drop tcp resets and if so is there a way to disable this. Thank you for any help.

Rod

ddawson · ‎02-03-2006

What VPN devices are you using? It's relatively normal for a device to respond to a TCP connection request with a RST, so any true firewall should forward it unless there's some other anomaly with the packet (such as an invalid combination of options or other things the firewall might consider a "problem"). If you're using PIX's, I'd check your logs, since the PIX is pretty good about logging stuff it doesn't like (you have to enable logging at the "warnings" level to see most of these messages).

Are your crypto access-lists at both ends mirror images of each other (i.e. the sources and destinations are identical but reversed)? If not, that can easily cause return traffic to fail.

Also, a router with simple access-lists instead of CBAC may will be dropping the reply, so check your access-lists if that's what you're using.

Finally, it could also be something as simple as a routing problem. Does the server at Site 2 have a valid route back to Site 1 pointing at the VPN termination device at Site 2? It's easy to forget about return routes, especially if the VPN devices aren't also the devices that provide Internet connectivity for the site.

HTH - Good luck!

Dana

jackko · ‎02-03-2006

just wondering if the issue is with all traffic between the site and this server, or the issue is only with the tcp reset. it's odd to learn that only tcp reset is dropped.