Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Site to Site VPN, only part of ACL working, why?

I built up an IPsec site-site VPN, from A to B, I have about 10 different subnets in the interesting traffice ACL, now, I can get some subnets talking to each other no problem, but some cannot.  For example, from A to site B subnet 10.1.0.1 did not work, but to 10.100.0.1 worked well, and 10.1.0.1 and 10.100.0.1 are actually two VLAN interfaces on a same router. 

ICMP debug showed, when pinged from A to 10.1 and 10.100, the firewall at site B received the ping echo requests from site A, and also recevived ping echo reply from both 10.1 and 10.100, but the firewall A, only received echo reply from 10.100.  looked like firewall B didn't VPN echo reply from 10.1 to site A some how

Checked config on both sites many times, cannot spot any problems or mismatch. 10.1.0.0/24 and 10.100.0.0/24 are just two network objects in the smae ACL.

Any Cisco super-men can provide some advises, what could go wrong, what measures I could use to troubleshoot....

Thanks a lot.

P.S. everthing worked perfectly a couple days ago, then I had pack loss issue on the internet link, now the VPN tunnel is up, no config was changed, but some subnets just could not be reached through the VPN.

W.

1 ACCEPTED SOLUTION

Accepted Solutions

Site to Site VPN, only part of ACL working, why?

Hello Yue,

WOW, that is weard.

Good thing is that now everything is working now and trust me this will not happen to you again, you and I will know what to do next time.. lol

If possible please mark the question as answered so future users having the same issue will know what to do based on your experience.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
4 REPLIES

Site to Site VPN, only part of ACL working, why?

Hello,

So we are talking about ASAs as you said firewalls.

Do you have the properly No nat configuration.

Have you created and ASP capture to see if one of the ASA's is dropping the packets, what about packet tracers?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Community Member

Site to Site VPN, only part of ACL working, why?

Thanks for your reply.

At site A it's a ASA5510, ver 8.4, at site B it's a Pix-525 v 8.0.

I have checked all nat, nat_0, routes, ACL config, all seemed OK. no overlapping, or mismatch.  now I even tried removed all other subnets, only left 10.1.0.0/24 in the ACL, but still couldn't make it working....:(

Community Member

Site to Site VPN, only part of ACL working, why?

it turned out it should be some bug on my Pix

I changed the VPN crypto map to priority 15, ( it was 60 ), so it skipped over several other VPN crypto maps on the Firewall B, and then all started working......my whole weekend was wasted on this bug ..*@^#^@%#&^!@(@!(*&

Site to Site VPN, only part of ACL working, why?

Hello Yue,

WOW, that is weard.

Good thing is that now everything is working now and trust me this will not happen to you again, you and I will know what to do next time.. lol

If possible please mark the question as answered so future users having the same issue will know what to do based on your experience.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
575
Views
0
Helpful
4
Replies
CreatePlease to create content