Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Site -Site vpn issue between ASA and Juniper fw ..

I am trying to establish site - site vpn tunnel b/w cisco ASA and Juniper FW. ASA is using in my end.

I can see tunnel as up when I am giving show crypto isakmp sa.

but the other end users are not able to access the inside allowed server through vpn tunnel

When I checked with

show crypto ipsec sa , I can't see packet encapsulation

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors

Could anybody help me on this ?


Re: Site -Site vpn issue between ASA and Juniper fw ..

check the routing on your side.


Re: Site -Site vpn issue between ASA and Juniper fw ..

There are many scenarios that could be causing it. Check your routing configuration to ensure the return traffic is hitting the ASA. Additionally, check and verify your crypto-access-list and NAT0-exempt access-list (if applicable).

Also, ensure that there are no rules on the inside interface that are blocking the return traffic.

I'd suggest performing a packet tracer as well.

packet-tracer input inside icmp x.x.x.x(inside host) 8 0 x.x.x.x (external host) detailed

If the packet-tracer shows that everything is being allowed and encrypted, you likely have a routing issue.

New Member

Re: Site -Site vpn issue between ASA and Juniper fw ..

Thanks, it's resolved ,it was routing issue from our end.

CreatePlease to create content