08-16-2013 02:12 AM
I have a strange problem that I can't get to the bottom of.
I have an IPSEC Site to site VPN between 2 sites. The crypto ACLs at each site are matched.
Site A - permit ip 172.0.0.0 0.0.0.255 10.44.128.0 0.0.15.255
Site B - permit ip 10.44.128.0 0.0.15.255 172.0.0.0 0.0.0.255
From Site A - I can ping anything on the following networks - 10.44.130.0, 10.44.132.0, 10.44.133.0, 10.44.134.0, 10.44.135.0 and so forth.
I cannot ping however anything on 10.44.128.0, 10.44.129.0, 10.44.131.0 networks.
Same problem if I source from the addresses above from Site B.
Any idea why this is? My ACL above covers the addresses I cannot ping. The interfaces are up and I can ping internally etc., but when going across the VPN, some are reachable and some are not. I have removed any inbound/outbound ACLs also just to test, still the same though.
VPN is between Cisco Router and ASA.
Very Puzzled.
08-16-2013 02:55 AM
Hi,
I would suggest going through the NAT0 configurations for errors in any network masks and also checking the routing on Site A to confirm that there is also no errors in network masks that would prevent return traffic from being correctly forwarded back to the host on Site B.
- Jouni
08-16-2013 03:54 AM
Hi There,
Gets even stranger. I added a specific new line at the top of the crypto ACL for subnets that weren't working, e.g.
permit 172.0.0.0 0.255.255.255 10.44.128.0 0.0.0.255
and vice versa at the other end.
It then worked fine after this.
However, I then removed those specific lines again from the ACL and now it still all works (all subnets) using the summary route I previously had in. I didn't change anything else.
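Jouni's advice above comes down to checking that every mask in the path (crypto ACL, NAT exemption, routes) describes the same networks, and the follow-up post shows how hard that is to eyeball when wildcards are involved. The script below is an added example, not part of the thread and not a Cisco tool. It parses crypto ACEs in IOS "permit ip" form into networks, reports which ACE a given host pair would hit, checks that the peer's ACL is the exact mirror of the local one (proxy IDs are negotiated per ACE, so overlap is not enough), and flags entries that are fully covered by another entry. The two ACEs from the first post are used as input; `SITE_B_TYPO` is a constructed mask typo added for contrast, and the extra line from the third post is shown with the `ip` keyword assumed, since the post omits it.

```python
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Ace = Tuple[Net, Net]  # (source network, destination network)


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Convert a Cisco 'address wildcard' pair into an IPv4Network.

    A wildcard is an inverted netmask. Crypto ACL proxy IDs need contiguous
    masks, so a non-contiguous wildcard (legal in a filtering ACL) is rejected.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    # strict=False: the ACE may list an address with host bits set.
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'permit ip <src> <wc> <dst> <wc>' (also 'host X' and 'any')."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    rest = tokens[2:]

    def take() -> Net:
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return ipaddress.IPv4Network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.IPv4Network(rest[1] + "/32")
            rest = rest[2:]
            return net
        net = wildcard_to_network(rest[0], rest[1])
        rest = rest[2:]
        return net

    src = take()
    dst = take()
    return src, dst


def parse_acl(lines: List[str]) -> List[Ace]:
    return [parse_ace(line) for line in lines if line.strip()]


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[int]:
    """Index of the first ACE containing the src/dst pair, or None.

    Traffic that matches no ACE is never sent into the tunnel.
    """
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for i, (src, dst) in enumerate(acl):
        if s in src and d in dst:
            return i
    return None


def unmirrored(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """ACEs in `local` whose exact reverse (dst, src) is absent from `remote`."""
    remote_mirrors = {(dst, src) for src, dst in remote}
    return [ace for ace in local if ace not in remote_mirrors]


def covered_by(acl: List[Ace], index: int) -> Optional[int]:
    """Index of another ACE whose src and dst both contain ACE `index`,
    i.e. the entry adds no coverage the ACL did not already have."""
    src, dst = acl[index]
    for i, (osrc, odst) in enumerate(acl):
        if i != index and src.subnet_of(osrc) and dst.subnet_of(odst):
            return i
    return None


# Crypto ACLs as posted in the first message (Site A router, Site B ASA).
SITE_A = parse_acl(["permit ip 172.0.0.0 0.0.0.255 10.44.128.0 0.0.15.255"])
SITE_B = parse_acl(["permit ip 10.44.128.0 0.0.15.255 172.0.0.0 0.0.0.255"])
# Constructed typo for contrast: a /24 wildcard where the /20 was intended.
SITE_B_TYPO = parse_acl(["permit ip 10.44.128.0 0.0.0.255 172.0.0.0 0.0.0.255"])
# The extra line from the third post ('ip' keyword assumed), above the summary.
SITE_A_WITH_SPECIFIC = parse_acl([
    "permit ip 172.0.0.0 0.255.255.255 10.44.128.0 0.0.0.255",
    "permit ip 172.0.0.0 0.0.0.255 10.44.128.0 0.0.15.255",
])

if __name__ == "__main__":
    for src, dst in unmirrored(SITE_A, SITE_B_TYPO):
        print(f"no exact mirror on peer for {src} -> {dst}")
    for dst in ("10.44.128.5", "10.44.131.5", "10.44.133.5", "10.44.144.5"):
        print(f"172.0.0.10 -> {dst}: ACE {first_match(SITE_A, '172.0.0.10', dst)}")
    print("specific line covered by summary:", covered_by(SITE_A_WITH_SPECIFIC, 0))
```

Run against the posted ACEs, the checker confirms the two sides are exact mirrors and that 10.44.128.x, 10.44.129.x and 10.44.131.x all fall inside the 10.44.128.0/20 summary, which is why the first reply points at the NAT exemption and routing masks rather than at the crypto ACL itself. It also shows that the extra line posted later (source wildcard 0.255.255.255, i.e. 172.0.0.0/8) is not simply a subset of the summary, so it is worth feeding the same check the NAT0 and route entries before concluding a bug.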
08-16-2013 03:59 AM
Hi,
Would seem like some kind of bug. Hard to tell.
I have had situations with ASAs where, using multiple networks through the L2L VPN, some of the networks have simply not been forwarded to the L2L VPN. An active device change or reboot has corrected the situation.
I guess it would really have needed debugging during the problem to determine the actual problem.
- Jouni