03-17-2012 09:40 PM
I built up an IPsec site-to-site VPN, from A to B. I have about 10 different subnets in the interesting-traffic ACL. Now, I can get some subnets talking to each other no problem, but some cannot. For example, from A to site B subnet 10.1.0.1 did not work, but to 10.100.0.1 worked well, and 10.1.0.1 and 10.100.0.1 are actually two VLAN interfaces on the same router.
ICMP debug showed that, when pinged from A to 10.1 and 10.100, the firewall at site B received the ping echo requests from site A, and also received ping echo replies from both 10.1 and 10.100, but firewall A only received echo replies from 10.100. It looked like firewall B didn't VPN the echo replies from 10.1 to site A somehow.
Checked the config on both sites many times, cannot spot any problems or mismatch. 10.1.0.0/24 and 10.100.0.0/24 are just two network objects in the same ACL.
Can any Cisco super-men provide some advice on what could go wrong, and what measures I could use to troubleshoot....
Thanks a lot.
P.S. Everything worked perfectly a couple of days ago, then I had a packet loss issue on the internet link. Now the VPN tunnel is up and no config was changed, but some subnets just could not be reached through the VPN.
W.
03-18-2012 03:41 PM
Hello Yue,
WOW, that is weird.
The good thing is that everything is working now, and trust me, this will not happen to you again; you and I will know what to do next time.. lol
If possible please mark the question as answered so future users having the same issue will know what to do based on your experience.
Regards,
Julio
03-18-2012 12:22 AM
Hello,
So we are talking about ASAs as you said firewalls.
Do you have the proper no-NAT configuration?
Have you created an ASP capture to see if one of the ASAs is dropping the packets? What about packet-tracer?
Regards,
Julio
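The checks Julio suggests, written out as an added example of how they are run from the ASA/PIX CLI (these commands are not from the thread; interface names, object names, SITE_A_HOST and SITE_A_PEER are placeholders):

```cisco
! --- Is the firewall silently dropping the echo replies? (ASP drop capture) ---
capture vpn-drop type asp-drop all
! send the test pings from site A, then read the recorded drop reasons
show capture vpn-drop
no capture vpn-drop

! --- Walk one echo reply from the 10.1 VLAN through NAT, ACL and the crypto lookup ---
! ICMP type 0 code 0 = echo reply; "inside" and SITE_A_HOST are placeholders
packet-tracer input inside icmp 10.1.0.1 0 0 SITE_A_HOST detailed

! --- Compare encaps/decaps counters for the 10.1 and 10.100 proxy identities ---
show crypto ipsec sa peer SITE_A_PEER

! --- Confirm the NAT exemption covers the subnet that fails (ASA 8.4 twice-NAT form) ---
! assumes objects NET-10-1 (10.1.0.0/24) and NET-SITE-A (site A LAN) exist
nat (inside,outside) source static NET-10-1 NET-10-1 destination static NET-SITE-A NET-SITE-A no-proxy-arp route-lookup
show nat

! --- The equivalent exemption on the PIX 8.0 side is the identity-NAT ACL form ---
! access-list NO-NAT extended permit ip 10.1.0.0 255.255.255.0 <site A net> <mask>
! nat (inside) 0 access-list NO-NAT
```

Run the packet-tracer for both a 10.1 and a 10.100 source and compare the phase where they diverge; if both pass every phase and the asp-drop capture stays empty, the reply is leaving the box, and the crypto SA counters tell you which proxy identity it left under.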
03-18-2012 01:51 AM
Thanks for your reply.
At site A it's an ASA 5510, ver 8.4; at site B it's a PIX 525, ver 8.0.
I have checked all NAT, nat 0, routes and ACL config, all seemed OK, no overlapping or mismatch. Now I even tried removing all other subnets, leaving only 10.1.0.0/24 in the ACL, but still couldn't make it work....:(
03-18-2012 04:12 AM
It turned out it must be some bug on my PIX.
I changed the VPN crypto map to priority 15 (it was 60), so it skipped over several other VPN crypto maps on firewall B, and then everything started working......my whole weekend was wasted on this bug ..*@^#^@%#&^!@(@!(*&
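Crypto map entries on one interface are evaluated in ascending sequence number, and the first entry whose crypto ACL permits a flow decides which peer the packet is encrypted to, so renumbering an entry can change which tunnel carries a subnet. The model below is an added example, not code from the thread or from Cisco: the networks, peers and in particular the overlapping lower-sequence entry are constructed to illustrate that first-match behaviour. The thread itself only reports that moving the entry from 60 to 15 fixed the problem, not why, so this is one way such a symptom can arise, plus the audit a practitioner would run before renumbering.

```python
"""Crypto map first-match model (added example, not from the thread).

On an ASA/PIX every crypto map entry bound to an interface is checked in
ascending sequence number; the first entry whose crypto ACL permits the flow
decides the peer.  All addresses, peers and the overlapping entry are
constructed (RFC 5737 documentation space for the peers).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(order=True)
class CryptoMapEntry:
    seq: int                                  # crypto map sequence number
    peer: str = field(compare=False)          # "set peer <address>"
    acl: list = field(compare=False, default_factory=list)  # [(src_net, dst_net), ...] permit lines


def acl_permits(acl, src, dst):
    """True if any (src_net, dst_net) permit line covers the flow."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in acl)


def select_entry(crypto_map, src, dst):
    """Return the lowest-sequence entry whose crypto ACL matches, or None (sent in clear)."""
    for entry in sorted(crypto_map):
        if acl_permits(entry.acl, src, dst):
            return entry
    return None


def shadowed_by_earlier(crypto_map, entry):
    """List (earlier_seq, (src, dst)) for every ACL line of `entry` that an
    earlier entry's ACL overlaps, i.e. traffic that will never reach `entry`."""
    hits = []
    for earlier in sorted(crypto_map):
        if earlier.seq >= entry.seq:
            break
        for a, b in entry.acl:
            for c, d in earlier.acl:
                if ip_network(a).overlaps(ip_network(c)) and ip_network(b).overlaps(ip_network(d)):
                    hits.append((earlier.seq, (a, b)))
    return hits


def renumber(crypto_map, old_seq, new_seq):
    """Return a copy of the crypto map with one entry moved to a new sequence number."""
    if any(e.seq == new_seq for e in crypto_map):
        raise ValueError(f"sequence {new_seq} already in use")
    return [CryptoMapEntry(new_seq if e.seq == old_seq else e.seq, e.peer, list(e.acl))
            for e in crypto_map]


# Constructed crypto map on firewall B's outside interface.
SITE_A_PEER = "198.51.100.1"
SITE_A_LAN = "192.168.1.0/24"
SITE_A_ENTRY = CryptoMapEntry(60, SITE_A_PEER,
                              [("10.1.0.0/24", SITE_A_LAN), ("10.100.0.0/24", SITE_A_LAN)])
CRYPTO_MAP = [
    CryptoMapEntry(10, "203.0.113.5", [("10.200.0.0/24", "172.16.0.0/16")]),
    # Constructed overlap: a summary ACL to a third site that also covers 10.1.0.0/24,
    # but not 10.100.0.0/24, so only the 10.1 replies are captured by the wrong entry.
    CryptoMapEntry(40, "203.0.113.9", [("10.1.0.0/16", "192.168.0.0/16")]),
    SITE_A_ENTRY,
]

if __name__ == "__main__":
    for src in ("10.1.0.1", "10.100.0.1"):
        e = select_entry(CRYPTO_MAP, src, "192.168.1.10")
        print(f"echo reply from {src}: seq {e.seq} -> peer {e.peer}")
    print("lines of seq 60 shadowed by earlier entries:",
          shadowed_by_earlier(CRYPTO_MAP, SITE_A_ENTRY))
    fixed = renumber(CRYPTO_MAP, 60, 15)
    e = select_entry(fixed, "10.1.0.1", "192.168.1.10")
    print(f"after renumbering 60 -> 15: seq {e.seq} -> peer {e.peer}")
```

In the constructed map the 10.1 replies match sequence 40 and go to the wrong peer while 10.100 matches sequence 60 as intended, which reproduces the one-subnet-works, one-does-not symptom; `shadowed_by_earlier` flags the overlapping line before anything is changed, and after `renumber(…, 60, 15)` both subnets select the site A entry. Renumbering fixes the symptom but leaves the overlap in place, so the audit is worth keeping in the change record.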