
I have set up a site-to-site VPN connection between two Cisco ASA 5510s. One site (let's call it A) can see the private network of the other site (site B), but site B cannot see the private network of site A.

The access lists and routes of both ASAs are the same.

On ASA A, by issuing the command: show run crypto map, I get the following result:

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer IP_of_Outside_Interface_of_B 
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key ********
crypto map outside_map 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

and by issuing the same command on ASA B, I get:

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer IP_of_Outside_Interface_of_A 
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 1 set ikev2 pre-shared-key ********
crypto map Outside_map 1 set reverse-route
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside

Also by issuing the show crypto isakmp on ASA A, I get:

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote                Status        Role
74335965       public_IP_of_ASA_A/500     public_IP_of_ASA_B/500      READY    RESPONDER
  Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 
  Life/Active Time: 86400/9974 sec
Child sa: local selector  172.16.0.0/0 - 172.16.255.255/65535
      remote selector 10.0.20.0/0 - 10.0.20.255/65535
      ESP spi in/out: 0xab18ad65/0x4ff34128  

and on ASA B:

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:7, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote                 Status         Role
 83370867     public_IP_of_ASA_B/500       public_IP_of_ASA_A/500      READY    INITIATOR
  Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK 
  Life/Active Time: 86400/9499 sec
Child sa: local selector  10.0.20.0/0 - 10.0.20.255/65535
      remote selector 172.16.0.0/0 - 172.16.255.255/65535
      ESP spi in/out: 0x4ff34128/0xab18ad65  

According to the info above, I can access the private network (10.0.20.0/24) of ASA B (role Initiator) from the private network (172.16.0.0/24) of ASA A (role Responder), but not vice versa.

sysopt connection permit-vpn is also enabled on both ASAs.

Any ideas how this can happen?

Feri
  • have you checked the access-list bound to the inside interface on ASA B ? – user1008764 Jul 19 '13 at 15:37
  • What do you mean by "see" - are you able to initiate traffic and receive a response from one side, but not when initiated from the other side? Can you be specific about what exact traffic are you sending and receiving, and what traffic are you losing? – Shane Madden Jul 19 '13 at 23:10
  • @user1008764: yes, the acls are equal on both sides. – Feri Jul 21 '13 at 10:25
  • @shane madden, yes, by the word "see" I meant a basic connection, namely ping. I cannot even ping private hosts on site B, while I can ping anything on the private network of site A. – Feri Jul 21 '13 at 10:28
  • I assume that to have a bidirectional s2s VPN, having one initiator and one responder is enough! Right? Or do I have to define two connections on each ASA, one initiator and one responder on each ASA? Thanks for your comments and help :-) – Feri Jul 21 '13 at 10:31
  • you said the acls are "equal on both sides". do you mean that they are reversed, or equal? do you have rules allowing siteA -> siteB, and siteB -> siteA, in the same acl? – sjw Jul 24 '13 at 19:51
  • absolutely, they are reversed. all was fine, but gateway... – Feri Aug 01 '13 at 08:49
  • Can you post your whole sanitized config? – Will Jul 17 '15 at 01:42

1 Answer


Sometimes simple reasons block your eyes, like in this case, in which I was looking at the crypto map, crypto isakmp, access lists etc., and the reason was that the ESXi server that I was trying to access from the other site did not have a proper gateway!!! Actually all the hosts on that ESXi server had a proper gateway, but the hypervisor itself did not... I fixed it and it worked like a charm...

thanks for all your comments and thoughts.

Feri
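Added example, not code from the question or the answer: a small Python check, on constructed data modelled on the outputs above, that the child-SA selectors reported by the two ASAs mirror each other and that an end host at site A actually has a route back to the remote selector, which is the failure the answer describes (tunnel up, host without a default gateway cannot send its replies). The ESXi management routing tables are assumptions.

```python
import ipaddress

# Constructed data modelled on the "show crypto isakmp" output in the question:
# the IKEv2 child SA selectors as reported by each ASA.
SA_SELECTORS = {
    "ASA_A": {"local": "172.16.0.0/16", "remote": "10.0.20.0/24"},
    "ASA_B": {"local": "10.0.20.0/24", "remote": "172.16.0.0/16"},
}

# Hypothetical routing tables for the ESXi management interface at site A,
# as (destination prefix, gateway); gateway None means directly connected.
ESXI_ROUTES_BROKEN = [("172.16.0.0/16", None)]                         # no default gateway
ESXI_ROUTES_FIXED = [("172.16.0.0/16", None), ("0.0.0.0/0", "172.16.0.1")]


def selectors_mirror(sa):
    """True when each ASA's local selector equals the peer's remote selector."""
    a, b = sa["ASA_A"], sa["ASA_B"]
    net = ipaddress.ip_network
    return net(a["local"]) == net(b["remote"]) and net(a["remote"]) == net(b["local"])


def next_hop(routes, dst):
    """Longest-prefix match: returns (prefix, gateway) or None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else (str(best[0]), best[1])


def can_reply(routes, remote_selector):
    """Can a host with this routing table answer a packet from the remote selector?
    The request arrives through the tunnel regardless of the host's table, but the
    reply needs a route covering the remote subnet, normally the default route."""
    probe = next(ipaddress.ip_network(remote_selector).hosts())
    return next_hop(routes, str(probe)) is not None


if __name__ == "__main__":
    print("selectors mirror:", selectors_mirror(SA_SELECTORS))
    for name, table in (("broken", ESXI_ROUTES_BROKEN), ("fixed", ESXI_ROUTES_FIXED)):
        print(name, "host can reply to site B:", can_reply(table, SA_SELECTORS["ASA_A"]["remote"]))
```

With the broken table the tunnel is healthy on both ASAs, yet the host at site A silently drops its replies to 10.0.20.0/24, which is exactly what "B cannot see A" looks like from the network side.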