Solved: site to site VPN between 2 ASA's over VDSL problem

mickyq · ‎11-15-2017

I have setup a site to site vpn using an ASA behind a VDSL router at the remote end. The head end is a ASA.

Ive got many remote sites connected this way with ADSL routers.

Using the same config on the VDSL site i can get the tunnel up so phase 1 is fine but i dont get traffic flowing between asa's.

I can see encrypts but no de-crypts on both ends.

My question is has anyone else had this problem and did you find the solution.

thanks

GioGonza · ‎11-15-2017

Hello @mickyq,

You have problems with the ESP packets (encrypted traffic) probably on your new VSDL, that´s why you see encaps and no decaps on both ends. The ASAs build the VPN tunnel and when they are trying to send the traffic those packets are being blocked.

You can verify that with an ESP capture on both ASAs between the outside IP addresses:

capture capin interface outside match [esp/any] any host 2.2.2.2

Normally, on the VSDL you need to enable a feature called "VPN Pass-through" and this should allow the ESP traffic into the ASA and make the VPN tunnel work. Here is an example of a VSDL Router: http://www.draytek.co.uk/information/our-technology/sslvpn

HTH

Gio

View solution in original post

GioGonza · ‎11-15-2017

Hello @mickyq,

You have problems with the ESP packets (encrypted traffic) probably on your new VSDL, that´s why you see encaps and no decaps on both ends. The ASAs build the VPN tunnel and when they are trying to send the traffic those packets are being blocked.

You can verify that with an ESP capture on both ASAs between the outside IP addresses:

capture capin interface outside match [esp/any] any host 2.2.2.2

Normally, on the VSDL you need to enable a feature called "VPN Pass-through" and this should allow the ESP traffic into the ASA and make the VPN tunnel work. Here is an example of a VSDL Router: http://www.draytek.co.uk/information/our-technology/sslvpn

HTH

Gio