I built up an IPsec site-to-site VPN, from A to B. I have about 10 different subnets in the interesting traffic ACL. Now, I can get some subnets talking to each other no problem, but some cannot. For example, from A to site B subnet 10.1.0.1 did not work, but to 10.100.0.1 worked well, and 10.1.0.1 and 10.100.0.1 are actually two VLAN interfaces on the same router.
ICMP debug showed that when pinged from A to 10.1 and 10.100, the firewall at site B received the ping echo requests from site A, and also received ping echo replies from both 10.1 and 10.100, but firewall A only received echo replies from 10.100. It looked like firewall B didn't VPN the echo reply from 10.1 to site A somehow.
Checked config on both sites many times, cannot spot any problems or mismatch. 10.1.0.0/24 and 10.100.0.0/24 are just two network objects in the same ACL.
Any Cisco super-men can provide some advice: what could go wrong, what measures I could use to troubleshoot....
Thanks a lot.
P.S. Everything worked perfectly a couple of days ago, then I had a packet loss issue on the internet link. Now the VPN tunnel is up, no config was changed, but some subnets just could not be reached through the VPN.
At site A it's an ASA5510, ver 8.4; at site B it's a PIX-525 v8.0.
I have checked all NAT, nat 0, routes, ACL config; all seemed OK, no overlapping or mismatch. Now I even tried removing all other subnets, only leaving 10.1.0.0/24 in the ACL, but still couldn't make it work....:(
I changed the VPN crypto map to priority 15 (it was 60), so it skipped over several other VPN crypto maps on Firewall B, and then all started working...... my whole weekend was wasted on this bug ..*@^#^@%#&^!@(@!(*&
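The fix in the post above (moving the crypto map entry from sequence 60 to 15) points at crypto map ordering: an ASA/PIX evaluates crypto map entries in ascending sequence number and the first entry whose ACL matches the flow wins, so an overlapping ACL on a lower-numbered entry silently captures traffic meant for a later entry. The script below is an added example, not the poster's configuration or anything from Cisco; it parses a constructed, hypothetical config for the site B firewall (site A assumed to be 192.168.5.0/24, a partner tunnel at sequence 40 with an over-broad ACL, the site A tunnel at sequence 60) and reports which entry a given source/destination pair would select, which ACEs are fully shadowed by a lower-numbered entry, and what changes after renumbering. All names, sequence numbers and peer addresses in it are assumptions.

```python
"""Simulate crypto map entry selection on a Cisco ASA/PIX (added example)."""
import ipaddress
from collections import defaultdict

# Constructed sample config (hypothetical; NOT the poster's config).
# Assumed site B LANs: 10.1.0.0/24 and 10.100.0.0/24. Assumed site A LAN: 192.168.5.0/24.
# The partner ACL at sequence 40 uses "10.1.0.0/16 -> any", which also covers
# 10.1.0.0/24 -> 192.168.5.0/24 and therefore steals that flow from sequence 60.
SAMPLE_CONFIG = """
access-list PARTNER_VPN extended permit ip 10.1.0.0 255.255.0.0 any
access-list SITEA_VPN extended permit ip 10.1.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list SITEA_VPN extended permit ip 10.100.0.0 255.255.255.0 192.168.5.0 255.255.255.0
crypto map OUTSIDE_MAP 40 match address PARTNER_VPN
crypto map OUTSIDE_MAP 40 set peer 203.0.113.40
crypto map OUTSIDE_MAP 60 match address SITEA_VPN
crypto map OUTSIDE_MAP 60 set peer 203.0.113.60
"""


def _take_net(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK) from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # ASA ACLs use netmasks, not IOS wildcards
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_config(text):
    """Return (acls, entries): acls maps ACL name -> [(src_net, dst_net)],
    entries maps crypto map sequence -> {"acl": name, "peer": ip}.
    Only 'extended permit ip' ACEs are handled; object-groups are not expanded."""
    acls = defaultdict(list)
    entries = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            rest = tok[5:]
            src = _take_net(rest)
            dst = _take_net(rest)
            acls[tok[1]].append((src, dst))
        elif tok[0:2] == ["crypto", "map"]:
            seq = int(tok[3])
            entry = entries.setdefault(seq, {"acl": None, "peer": None})
            if tok[4:6] == ["match", "address"]:
                entry["acl"] = tok[6]
            elif tok[4:6] == ["set", "peer"]:
                entry["peer"] = tok[6]
    return acls, entries


def first_match(acls, entries, src_ip, dst_ip):
    """Entries are evaluated in ascending sequence; the first ACL hit selects the peer."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq in sorted(entries):
        for s_net, d_net in acls.get(entries[seq]["acl"], []):
            if src in s_net and dst in d_net:
                return seq, entries[seq]["peer"]
    return None  # traffic would leave in the clear (subject to NAT/routing)


def shadowed_aces(acls, entries):
    """ACEs whose traffic can never reach their own entry because a lower
    sequence number already covers the whole src/dst pair."""
    seqs = sorted(entries)
    out = []
    for i, seq in enumerate(seqs):
        for s_net, d_net in acls.get(entries[seq]["acl"], []):
            covering = next(
                (lower for lower in seqs[:i]
                 if any(s_net.subnet_of(ls) and d_net.subnet_of(ld)
                        for ls, ld in acls.get(entries[lower]["acl"], []))),
                None,
            )
            if covering is not None:
                out.append((seq, f"{s_net} -> {d_net}", covering))
    return out


def renumber(entries, old_seq, new_seq):
    """Return a copy of entries with one crypto map entry moved to a new sequence."""
    moved = dict(entries)
    moved[new_seq] = moved.pop(old_seq)
    return moved


if __name__ == "__main__":
    acls, entries = parse_config(SAMPLE_CONFIG)
    for host in ("10.1.0.1", "10.100.0.1"):
        print(host, "-> 192.168.5.10 selects", first_match(acls, entries, host, "192.168.5.10"))
    print("shadowed:", shadowed_aces(acls, entries))
    fixed = renumber(entries, 60, 15)  # the reordering the poster applied
    print("after renumber:", first_match(acls, fixed, "10.1.0.1", "192.168.5.10"))
```

To use it against a real box, feed it the ACL lines and the `show running-config crypto map` output for the map bound to the outside interface; any ACE listed by `shadowed_aces` is traffic that will never take the tunnel you expect, whatever the ACL on the far side says. Renumbering the entry below the overlapping one, as the poster did, is a workaround; the durable fix is to tighten the over-broad ACE so the two entries no longer overlap.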