Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
742
Views
0
Helpful
4
Replies

Site to Site VPN, only part of ACL working, why?

Go to solution
rhienwei2010
Level 1
Level 1

‎03-17-2012 09:40 PM

I built up an IPsec site-site VPN, from A to B, I have about 10 different subnets in the interesting traffice ACL, now, I can get some subnets talking to each other no problem, but some cannot.  For example, from A to site B subnet 10.1.0.1 did not work, but to 10.100.0.1 worked well, and 10.1.0.1 and 10.100.0.1 are actually two VLAN interfaces on a same router. 

ICMP debug showed, when pinged from A to 10.1 and 10.100, the firewall at site B received the ping echo requests from site A, and also recevived ping echo reply from both 10.1 and 10.100, but the firewall A, only received echo reply from 10.100.  looked like firewall B didn't VPN echo reply from 10.1 to site A some how

Checked config on both sites many times, cannot spot any problems or mismatch. 10.1.0.0/24 and 10.100.0.0/24 are just two network objects in the smae ACL.

Any Cisco super-men can provide some advises, what could go wrong, what measures I could use to troubleshoot....

Thanks a lot.

P.S. everthing worked perfectly a couple days ago, then I had pack loss issue on the internet link, now the VPN tunnel is up, no config was changed, but some subnets just could not be reached through the VPN.

W.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to rhienwei2010

‎03-18-2012 03:41 PM

Hello Yue,

WOW, that is weard.

Good thing is that now everything is working now and trust me this will not happen to you again, you and I will know what to do next time.. lol

If possible please mark the question as answered so future users having the same issue will know what to do based on your experience.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎03-18-2012 12:22 AM

Hello,

So we are talking about ASAs as you said firewalls.

Do you have the properly No nat configuration.

Have you created and ASP capture to see if one of the ASA's is dropping the packets, what about packet tracers?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
rhienwei2010
Level 1
Level 1
In response to Julio Carvajal

‎03-18-2012 01:51 AM

Thanks for your reply.

At site A it's a ASA5510, ver 8.4, at site B it's a Pix-525 v 8.0.

I have checked all nat, nat_0, routes, ACL config, all seemed OK. no overlapping, or mismatch.  now I even tried removed all other subnets, only left 10.1.0.0/24 in the ACL, but still couldn't make it working....:(

0 Helpful

Go to solution
rhienwei2010
Level 1
Level 1
In response to rhienwei2010

‎03-18-2012 04:12 AM

it turned out it should be some bug on my Pix

I changed the VPN crypto map to priority 15, ( it was 60 ), so it skipped over several other VPN crypto maps on the Firewall B, and then all started working......my whole weekend was wasted on this bug ..*@^#^@%#&^!@(@!(*&

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to rhienwei2010

‎03-18-2012 03:41 PM

Hello Yue,

WOW, that is weard.

Good thing is that now everything is working now and trust me this will not happen to you again, you and I will know what to do next time.. lol

If possible please mark the question as answered so future users having the same issue will know what to do based on your experience.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents