Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
411
Views
0
Helpful
3
Replies

VPN ACL Issue

GRANT3779
Spotlight
Spotlight

‎08-16-2013 02:12 AM

I have a strange problem that I can't get to the bottom of.

I have an IPSEC Site to site VPn between 2 sites. The crypto ACLs at each site are matched.

Site A - permit ip 172.0.0.0 0.0.0.255 10.44.128.0 0.0.15.255

Site B - permit ip 10.44.128.0 0.0.15.255 172.0.0.0 0.0.0.255

From Site A - I can ping anything on the following networks - 10.44.130.0, 10.44.132.0, 10.44.133.0, 10.44.134.0, 10.44.135 and so forth.

I cannot ping however anything on 10.44.128.0, 10.44.129.0, 10.44.131.0 networks.

Same problem if I source from the addresses above from Site B.

Any idea why this is? My ACL above covers the addresses I cannot ping. The interfaces are up and I can ping internally etc.. but when going across the VPN, some are reachable and some are not. I have removed any inbound/outbound ACLs also just to test, still the same though.

VPN is between Cisco Router and ASA.

Very Puzzled.

Labels:
0 Helpful
3 Replies 3

Jouni Forss
VIP Alumni
VIP Alumni

‎08-16-2013 02:55 AM

Hi,

I would suggest going through the NAT0 configurations for errors in any network masks and also checking the routing on Site A to confirm that there is also no errors in network masks that would prevent return traffic from being correctly forwarded back to the host on Site B.

- Jouni

0 Helpful

GRANT3779
Spotlight
Spotlight
In response to Jouni Forss

‎08-16-2013 03:54 AM

Hi There,

Gets even stranger. I added a specific new line at the top of the crypto ACl for subnets that weren't working, e.g

permit 172.0.0.0 0.255.255.255 10.44.128.0 0.0.0.255

and vice versa at the other end.

It then worked fine after this.

However, I then removed those specific lines again from the ACL and now it still all works (all subnets) using the summary route i previously had in. I didn't change anything else..

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to GRANT3779

‎08-16-2013 03:59 AM

Hi,

Would seem like some kind of bug. Hard to tell.

I have had situation with ASAs where using multiple networks through the L2L VPN and some of the networks have simply not been forwarded to L2L VPN. Active device change or reboot has corrected the situation.

I guess would really have needed debugging during the problem to determine the actual problem.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents