
Strange VPN issue, initiates with ICMP not TCP

Hello All,

I am experiencing a strange issue on a VPN LAN-to-LAN tunnel between two Cisco ASA firewalls.

Whenever a remote side tries to connect to a local server over the VPN tunnel with a TCP connection (an HTTP browser connection) all incoming SYN packets get dropped and I can see them in the asp drop capture I am running. The SYN packets are dropped with a message:

"Drop-reason: (acl-drop) Flow is denied by configured rule"

The VPN tunnel gets built and Phase 2 SA is established but there are no encrypted packets going back to the remote end.

Only when the remote side initiates an ICMP ping to the local server is the Phase 2 SA re-established and the packets get encrypted going back to the remote side. After that a Web Browser connection works fine and can establish an HTTP session with the Web Server.

Has anyone come across such an event?

Attaching the VPN configuration as well as the logs that show the relevant captures of ASP Drops and the Phase 2 SA on the VPN tunnel.

Remote hosts are on the 10.200.10.0/24 subnet and the Web Server is 10.7.0.68 running on port 81.

Thank you.

Dmitry.

1 REPLY

This issue was resolved. Re-creating the access lists that matched interesting traffic on both sides of the VPN tunnel fixed the issue. The access lists were matched exactly (except the direction of traffic obviously) to avoid any discrepancies.

Just in case anyone else comes across this problem.
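The fix above amounts to making the interesting-traffic ACLs exact mirrors of each other; the following added example (not from this thread or from Cisco) parses the crypto ACL out of each side's ASA config and reports any entry that the other side does not mirror. The ACL names and the extra 10.7.1.0/24 entry in the remote config are constructed assumptions for the demonstration.

```python
import re
from ipaddress import IPv4Network

# Simplified ASA extended ACE with subnet/mask on both sides ("host"/"any" forms not handled).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\S+)\s+(?P<smask>\S+)\s+(?P<dst>\S+)\s+(?P<dmask>\S+)"
)

def parse_crypto_acl(config, acl_name):
    """Return {(src_cidr, dst_cidr)} for the named ACL, networks normalised to CIDR."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            src = IPv4Network(f"{m.group('src')}/{m.group('smask')}")
            dst = IPv4Network(f"{m.group('dst')}/{m.group('dmask')}")
            pairs.add((str(src), str(dst)))
    return pairs

def mirror_mismatches(local_pairs, remote_pairs):
    """Return (missing on remote, missing on local): entries the other side does not mirror as (dst, src)."""
    expected_remote = {(d, s) for s, d in local_pairs}
    expected_local = {(d, s) for s, d in remote_pairs}
    return sorted(expected_remote - remote_pairs), sorted(expected_local - local_pairs)

# Constructed sample configs; ACL names and the 10.7.1.0/24 entry are assumptions, not from the thread.
LOCAL_CFG = """
access-list OUTSIDE_CRYPTOMAP extended permit ip 10.7.0.0 255.255.255.0 10.200.10.0 255.255.255.0
crypto map outside_map 10 match address OUTSIDE_CRYPTOMAP
"""
REMOTE_CFG = """
access-list REMOTE_CRYPTOMAP extended permit ip 10.200.10.0 255.255.255.0 10.7.0.0 255.255.255.0
access-list REMOTE_CRYPTOMAP extended permit ip 10.200.10.0 255.255.255.0 10.7.1.0 255.255.255.0
crypto map outside_map 10 match address REMOTE_CRYPTOMAP
"""

if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_CFG, "OUTSIDE_CRYPTOMAP")
    remote = parse_crypto_acl(REMOTE_CFG, "REMOTE_CRYPTOMAP")
    not_on_remote, not_on_local = mirror_mismatches(local, remote)
    for src, dst in not_on_remote:
        print(f"remote side lacks: permit ip {src} -> {dst}")
    for src, dst in not_on_local:
        print(f"local side lacks:  permit ip {src} -> {dst}")
```

An entry present on only one side means that side will try to protect traffic the peer never negotiated a Phase 2 SA for, which is the kind of discrepancy the mirrored rewrite removes.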
