Did Verizon DSL (East coast / USA) change VPN practices or filtering today?
We have 4 site-to-site IPSec VPN tunnels up all the time, and today our tunnel to a Verizon DSL endpoint (ASA-5505) will not connect! This is very frustrating. Of course Verizon does not "support" VPN tunneling on their DSL, but it has worked fine in the past. Nothing changed in any configs. Other 3 VPNs are working fine, but none of the other endpoints are Verizon.
The VPN structure is ASA to ASA so there is no complexity in hardware brands, etc. Phase 1 will not complete. Using pre-share/3des/sha/dh1, like we always have.
There is nothing to debug now since the tunnel came back up, after about 6 hours down.
At the time, a show crypto isakmp sa would return...
On one end, state MM_WAIT_MSG2
On the other, state MM_WAIT_MSG3
So to me that suggested one side would send the initial comm, it would get received by the other side which would send it back, then be waiting for step 3. The original side never gets the step 2 msg and so it doesn't complete. From what I could read on various forums, this suggested some sort of intermittent routing as a possible cause, and seeing as Verizon just fixed it themselves, it might have been a Verizon routing problem. Though they won't confirm it was, and their routing tests showed there was no problem.
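The reasoning above (initiator stuck in MM_WAIT_MSG2, responder stuck in MM_WAIT_MSG3, so the responder's reply never made it back) generalizes to any adjacent pair of IKEv1 main-mode states. The script below is an added example, not code from the thread or from Cisco: it parses ASA-style `show crypto isakmp sa` output from both ends of a tunnel and reports which of the six main-mode messages went missing and in which direction. The two sample outputs are constructed (peer addresses are documentation ranges), and the `Role`/`State` column layout is assumed to match a typical ASA listing.

```python
import re

# IKEv1 main mode exchanges six messages: the initiator sends 1, 3, 5 and the
# responder sends 2, 4, 6. An ASA reports "MM_WAIT_MSGn" while it is waiting for
# message n; MM_ACTIVE is modelled here as "waiting for 7", i.e. all six seen.
INITIATOR_WAITS = (2, 4, 6, 7)
RESPONDER_WAITS = (3, 5, 7)


def waiting_for(state):
    """Map an ASA main-mode state string to the next message that peer expects."""
    if state == "MM_ACTIVE":
        return 7
    m = re.fullmatch(r"MM_WAIT_MSG([2-6])", state or "")
    return int(m.group(1)) if m else None


def parse_isakmp_sa(text):
    """Return one {'peer', 'role', 'state'} dict per SA block in the output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1), "role": None, "state": None}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"Role\s*:\s*(\S+)", line)
        if m:
            cur["role"] = m.group(1)
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m:
            cur["state"] = m.group(1)
    return sas


def diagnose(initiator_state, responder_state):
    """Infer the lost message from the pair of main-mode states."""
    i, r = waiting_for(initiator_state), waiting_for(responder_state)
    result = {"lost_message": None, "direction": None, "verdict": ""}
    if i is None:
        result["verdict"] = "initiator has no main-mode SA; confirm it is even trying (crypto map, interesting traffic)"
        return result
    if r is None:
        # Responder shows nothing for this peer: MSG1 never arrived or was dropped.
        result.update(lost_message=1, direction="initiator->responder",
                      verdict="responder never saw MSG1: UDP/500 blocked on the path, or no matching peer/tunnel-group")
        return result
    if i not in INITIATOR_WAITS or r not in RESPONDER_WAITS:
        result["verdict"] = f"inconsistent states {initiator_state}/{responder_state}; roles may be swapped or SAs stale"
        return result
    if i == 7 and r == 7:
        result["verdict"] = "phase 1 complete on both ends"
        return result
    if r == i + 1:
        result.update(lost_message=i, direction="responder->initiator",
                      verdict=f"responder sent MSG{i} but the initiator never received it")
    elif r == i - 1:
        result.update(lost_message=r, direction="initiator->responder",
                      verdict=f"initiator sent MSG{r} but the responder never received it")
    else:
        result["verdict"] = f"states {initiator_state}/{responder_state} are not adjacent; clear both SAs and re-check"
        return result
    # MSG5/MSG6 are encrypted, so a "lost" message there can also be a rejected
    # payload (pre-shared key or identity mismatch) rather than packet loss.
    if result["lost_message"] in (5, 6):
        result["verdict"] += " (or its encrypted payload was rejected: PSK/ID mismatch)"
    return result


def diagnose_pair(text_a, text_b):
    """Pick the initiator and responder SA from each end's output and diagnose."""
    sas = parse_isakmp_sa(text_a) + parse_isakmp_sa(text_b)
    init = next((s for s in sas if s["role"] == "initiator"), None)
    resp = next((s for s in sas if s["role"] == "responder"), None)
    return diagnose(init["state"] if init else None, resp["state"] if resp else None)


# Constructed sample output from each end of the tunnel (ASA-style listing).
SIDE_A = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
SIDE_B = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

if __name__ == "__main__":
    print(diagnose_pair(SIDE_A, SIDE_B)["verdict"])
```

For the case in this thread it reports MSG2 lost on the responder-to-initiator leg, which is exactly the return-path routing explanation above; the same table tells a MSG1 loss (responder has no SA at all, so UDP/500 is likely filtered somewhere) apart from a MSG5/MSG6 problem, where a pre-shared key mismatch looks like packet loss unless you remember those messages are encrypted.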
Yes, you are right: our side sent the traffic, it was received at the Verizon end, they also responded, but that response never came back to us. It could be due to routing, or there might be some other blockage on the transit path.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...