I am experiencing a strange issue on a VPN LAN-to-LAN tunnel between two Cisco ASA firewalls.
Whenever a remote side tries to connect to a local server over the VPN tunnel with a TCP connection (an HTTP browser connection), all incoming SYN packets get dropped, and I can see them in the asp drop capture I am running. The SYN packets are dropped with a message:
"Drop-reason: (acl-drop) Flow is denied by configured rule"
The VPN tunnel gets built and Phase 2 SA is established but there are no encrypted packets going back to the remote end.
Only when the remote side initiates an ICMP ping to the local server is the Phase 2 SA re-established and the packets get encrypted going back to the remote side. After that a web browser connection works fine and can establish an HTTP session with the web server.
Has anyone come across such an event?
Attaching the VPN configuration as well as the logs that show the relevant captures of ASP Drops and the Phase 2 SA on the VPN tunnel.
Remote hosts are on the 10.200.10.0/24 subnet and the Web Server is 10.7.0.68 running on port 81.
This issue was resolved. Re-creating the access lists that matched interesting traffic on both sides of the VPN tunnel fixed the issue. The access lists were matched exactly (except the direction of traffic obviously) to avoid any discrepancies.
Just in case anyone else comes across this problem.
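The fix described above comes down to making sure the crypto ACLs that define interesting traffic are exact mirror images on the two peers. The following is an added example (not from the original post or from Cisco) of a small script that parses ASA-style `access-list ... extended permit` lines from both sides, swaps source and destination on the remote side, and reports any entry that is not mirrored. The ACL names, the second subnet (10.7.1.0/24) and the host entry are constructed for the example; only the 10.7.0.0/24 server side and the 10.200.10.0/24 remote subnet come from the post. It handles `host`, `any` and network/mask address fields and only the `permit` form; port or object-group ACEs are out of scope.

```python
import ipaddress
import re

# Constructed sample crypto ACLs (not the poster's configuration). The ACL
# names VPN_TO_REMOTE / VPN_TO_LOCAL are assumptions. The second ACE on each
# side is deliberately inconsistent: the local side says a /24, the remote
# side says a single host, so the remote peer will not negotiate a matching
# Phase 2 SA for that pair.
LOCAL_ACL = """
access-list VPN_TO_REMOTE extended permit ip 10.7.0.0 255.255.255.0 10.200.10.0 255.255.255.0
access-list VPN_TO_REMOTE extended permit ip 10.7.1.0 255.255.255.0 10.200.10.0 255.255.255.0
"""

REMOTE_ACL = """
access-list VPN_TO_LOCAL extended permit ip 10.200.10.0 255.255.255.0 10.7.0.0 255.255.255.0
access-list VPN_TO_LOCAL extended permit ip 10.200.10.0 255.255.255.0 host 10.7.1.68
"""

# The remote ACL as it should look after the fix: an exact mirror of LOCAL_ACL.
MATCHING_REMOTE_ACL = """
access-list VPN_TO_LOCAL extended permit ip 10.200.10.0 255.255.255.0 10.7.0.0 255.255.255.0
access-list VPN_TO_LOCAL extended permit ip 10.200.10.0 255.255.255.0 10.7.1.0 255.255.255.0
"""

# One address field is "host A.B.C.D", "any", or "A.B.C.D MASK".
_ADDR = r"(?:host\s+\S+|any|\S+\s+\S+)"
_ACE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+(?P<proto>\S+)\s+"
    rf"(?P<src>{_ADDR})\s+(?P<dst>{_ADDR})\s*$"
)


def _to_network(field):
    """Convert an ASA address field to an IPv4Network."""
    parts = field.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # "network mask" form; strict=False tolerates a non-zero host part.
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)


def parse_acl(text):
    """Return a set of (proto, src_net, dst_net) tuples, one per permit ACE."""
    entries = set()
    for line in text.strip().splitlines():
        m = _ACE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE: {line}")
        entries.add((m["proto"], _to_network(m["src"]), _to_network(m["dst"])))
    return entries


def mirror(entries):
    """Swap source and destination so the remote ACL reads in the local direction."""
    return {(proto, dst, src) for (proto, src, dst) in entries}


def _fmt(entries):
    return sorted(f"{proto} {src} -> {dst}" for (proto, src, dst) in entries)


def find_mismatches(local_text, remote_text):
    """Report ACEs present on one peer but not mirrored on the other.

    Both lists are expressed in the local peer's direction (local -> remote)
    so the two sides can be compared entry for entry.
    """
    local = parse_acl(local_text)
    remote_mirrored = mirror(parse_acl(remote_text))
    return {
        "only_local": _fmt(local - remote_mirrored),
        "only_remote": _fmt(remote_mirrored - local),
    }


if __name__ == "__main__":
    for label, remote in (("broken", REMOTE_ACL), ("fixed", MATCHING_REMOTE_ACL)):
        print(label, find_mismatches(LOCAL_ACL, remote))
```

Run it against a `show running-config access-list` excerpt from each firewall; an empty report on both keys means every proxy ID the local side will propose has an exact counterpart on the remote side. A non-empty report is the first thing to check when Phase 2 comes up only for some traffic, since an ASA accepts or rejects each proxy-ID pair independently.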