Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Trouble Pinging Across a SITE TO SITE VPN LINK ASA

                          Hello All,

                                      I am pinging a host on the across the VPN tunnel. I do a sh crypto isakmp sa on the Local ASA and I see that all my traffic is encrypted but there is not decrypted traffic come back to the local ASA. I then log in to the remote ASA and see decrypted traffic received from the local ASA but there is not encrypted traffic going back across the tunnel. Why is that?

1 REPLY
Cisco Employee

Re: Trouble Pinging Across a SITE TO SITE VPN LINK ASA

Well there are many reasons, but let me write a few of them.

1. You do not have a NAT 0 statement in the remote ASA.

2. You have a different route in the remote ASA for the "LOCAL ASA" network.

  - Or also a route beyond the remote ASA not sending the traffic back properly.

3. There is security rule in the ASA dropping the packets

  - Like a FW rule or something.

  - Or an ACL in the inside or even the outside (maybe sysopt connection permit vpn is off and you need to explicitly let the traffic in the ACL )

4. Maybe another tunnel with the same source and destination. (also look for incomplete configurations)

5. Maybe you are hitting the BUG related to the ASA stopping to encrypt (a reload should alleviate the issue)

Of course to detect if you are matching any of this possible scenarios a troubleshooting is necessary.

You can use the packet tracer command and also a capture for the type asp-drop, sourced ping, debug icmp trace, etc...

263
Views
0
Helpful
1
Replies
CreatePlease login to create content