Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Bronze

VPN ACL Issue

I have a strange problem that I can't get to the bottom of.

I have an IPSEC Site to site VPn between 2 sites. The crypto ACLs at each site are matched.

Site A - permit ip 172.0.0.0 0.0.0.255 10.44.128.0 0.0.15.255

Site B - permit ip 10.44.128.0 0.0.15.255 172.0.0.0 0.0.0.255

From Site A - I can ping anything on the following networks - 10.44.130.0, 10.44.132.0, 10.44.133.0, 10.44.134.0, 10.44.135 and so forth.

I cannot ping however anything on 10.44.128.0, 10.44.129.0, 10.44.131.0 networks.

Same problem if I source from the addresses above from Site B.

Any idea why this is? My ACL above covers the addresses I cannot ping. The interfaces are up and I can ping internally etc.. but when going across the VPN, some are reachable and some are not. I have removed any inbound/outbound ACLs also just to test, still the same though.

VPN is between Cisco Router and ASA.

Very Puzzled.

3 REPLIES
Super Bronze

VPN ACL Issue

Hi,

I would suggest going through the NAT0 configurations for errors in any network masks and also checking the routing on Site A to confirm that there is also no errors in network masks that would prevent return traffic from being correctly forwarded back to the host on Site B.

- Jouni

Bronze

VPN ACL Issue

Hi There,

Gets even stranger. I added a specific new line at the top of the crypto ACl for subnets that weren't working, e.g

permit 172.0.0.0 0.255.255.255 10.44.128.0 0.0.0.255

and vice versa at the other end.

It then worked fine after this.

However, I then removed those specific lines again from the ACL and now it still all works (all subnets) using the summary route i previously had in. I didn't change anything else..

Super Bronze

VPN ACL Issue

Hi,

Would seem like some kind of bug. Hard to tell.

I have had situation with ASAs where using multiple networks through the L2L VPN and some of the networks have simply not been forwarded to L2L VPN. Active device change or reboot has corrected the situation.

I guess would really have needed debugging during the problem to determine the actual problem.

- Jouni

185
Views
0
Helpful
3
Replies
CreatePlease to create content