I have a situation where an application at site 1 is trying to communicate with a device at site 2 over an IPSec tunnel. The match ACL is based on IP and is therefore supposed to pass any and all traffic. I see the traffic traverse from site 1 to site 2 successfully. The device at site 2 is sending back a TCP reset which is NOT being passed back to site 1. Is the firewall by default going to drop TCP resets, and if so, is there a way to disable this? Thank you for any help.
What VPN devices are you using? It's relatively normal for a device to respond to a TCP connection request with a RST, so any true firewall should forward it unless there's some other anomaly with the packet (such as an invalid combination of options or other things the firewall might consider a "problem"). If you're using PIXes, I'd check your logs, since the PIX is pretty good about logging stuff it doesn't like (you have to enable logging at the "warnings" level to see most of these messages).
Are your crypto access-lists at both ends mirror images of each other (i.e. the sources and destinations are identical but reversed)? If not, that can easily cause return traffic to fail.
Also, a router with simple access-lists instead of CBAC may well be dropping the reply, so check your access-lists if that's what you're using.
Finally, it could also be something as simple as a routing problem. Does the server at Site 2 have a valid route back to Site 1 pointing at the VPN termination device at Site 2? It's easy to forget about return routes, especially if the VPN devices aren't also the devices that provide Internet connectivity for the site.
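The mirror-image check from the answer above, as an added example that is not part of the original thread or of any Cisco tool: a small Python script that parses numbered IOS extended ACL lines (the `access-list N permit ip <src> <wildcard> <dst> <wildcard>` form, plus `host` and `any`) from both VPN endpoints, reverses every source/destination pair from site 1, and reports which entries site 2's crypto ACL is missing or has in addition. The ACL lines, the ACL numbers and the subnets are constructed for the example; only the numbered-ACL syntax shown is handled.

```python
import re

# Hypothetical parser for numbered IOS extended ACL entries such as
#   access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
# Named ACLs, port matches and keywords after the destination are not handled.
ACE_RE = re.compile(r"access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _parse_addr(tokens, i):
    """Read one address spec (any | host A.B.C.D | A.B.C.D WILDCARD) at tokens[i]."""
    t = tokens[i]
    if t == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (t, tokens[i + 1]), i + 2


def parse_acl(lines):
    """Return the ACL as a set of (action, protocol, (src, src_wc), (dst, dst_wc))."""
    aces = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        _, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_addr(tokens, 0)
        dst, _ = _parse_addr(tokens, i)
        aces.add((action, proto, src, dst))
    return aces


def mirror(aces):
    """Swap source and destination of every entry (what the far end should have)."""
    return {(a, p, d, s) for (a, p, s, d) in aces}


def check_mirror(site1_lines, site2_lines):
    """Compare site 2's crypto ACL against the mirror of site 1's.

    Returns (missing_at_site2, extra_at_site2): entries site 2 lacks for some
    return traffic to be encrypted, and entries site 2 has that site 1 never
    originates. Both empty means the ACLs are true mirror images.
    """
    expected = mirror(parse_acl(site1_lines))
    actual = parse_acl(site2_lines)
    return sorted(expected - actual), sorted(actual - expected)


# Constructed sample: site 1 protects two destination networks, but site 2's
# crypto ACL was only written for the first one, so replies (including the
# TCP RST) from 10.3.0.0/24 would never be selected for the tunnel.
SITE1_ACL = [
    "access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255",
    "access-list 101 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.0.255",
]
SITE2_ACL = [
    "access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
]

if __name__ == "__main__":
    missing, extra = check_mirror(SITE1_ACL, SITE2_ACL)
    for ace in missing:
        print("site 2 is missing:", ace)
    for ace in extra:
        print("site 2 has extra:", ace)
    if not missing and not extra:
        print("crypto ACLs are mirror images")
```

Run it with the two crypto ACLs pasted from `show running-config` on each endpoint; any entry reported as missing is a source/destination pair whose return traffic will bypass the tunnel and be dropped or sent in the clear, which matches the one-way symptom described in the question.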
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: