
I currently have a site-to-site VPN tunnel up between a Cisco ASA 5550 and a Cisco ASA 5506-X. I can see the VPN tunnel is up on both ends, but no traffic is passing through. The Cisco ASA 5550 is receiving packets but not sending any. I tried to check all settings but was unable to find any solution. I have reset the crypto IKEv1, IKEv2 and IPsec SAs. The Cisco ASA 5506-X is also set up with three other VPN tunnels to Cisco ASA 5505s, and they are all working as they should. We previously had a Cisco PIX firewall with a VPN tunnel to the Cisco ASA 5550; it was recently replaced by the Cisco ASA 5506-X, which worked as it should for 3 days. Posting the result of the L2L VPN session on the core firewall:

    Core-ASA5550(config)# show vpn-sessiondb l2l filter ipaddress 151.X.X.X

    Session Type: LAN-to-LAN

    Connection   : 151.X.X.X
    Index        : 54326                  IP Addr      : 151.X.X.X
    Protocol     : IKEv2 IPsec
    Encryption   : IKEv2: (1)AES256  IPsec: (1)3DES
    Hashing      : IKEv2: (1)SHA1  IPsec: (1)SHA1
    Bytes Tx     : 0                      Bytes Rx     : 9124
    Login Time   : 11:40:05 GMT/BDT Mon Jun 22 2015
    Duration     : 0h:05m:10s

Currently, I am unable to ping or access any servers/PCs behind the firewalls from either side.

Amir
Packet tracer result below:

    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:

    Result:
    input-interface: Core
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

– Amir Jun 22 '15 at 13:00
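The session output above shows the symptom in numbers: Bytes Tx is 0 while Bytes Rx is 9124, so the SAs are up but traffic flows in only one direction. The following is an added example (not from the question or from Cisco) that parses `show vpn-sessiondb l2l` output and flags such one-way tunnels, which is a useful check to run on a schedule so this condition is noticed before users report it. The second session in the sample is constructed for contrast and uses a documentation address.

```python
import re
from typing import Dict, List

# Constructed sample: the session from the question, reflowed into the line
# layout the ASA prints, plus a healthy second tunnel (made up, 198.51.100.7
# is a documentation address) so the check has something to compare against.
SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN

Connection   : 151.X.X.X
Index        : 54326                  IP Addr      : 151.X.X.X
Protocol     : IKEv2 IPsec
Encryption   : IKEv2: (1)AES256  IPsec: (1)3DES
Hashing      : IKEv2: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 0                      Bytes Rx     : 9124
Login Time   : 11:40:05 GMT/BDT Mon Jun 22 2015
Duration     : 0h:05m:10s

Connection   : 198.51.100.7
Index        : 54327                  IP Addr      : 198.51.100.7
Protocol     : IKEv2 IPsec
Bytes Tx     : 48210                  Bytes Rx     : 51004
Login Time   : 11:20:00 GMT/BDT Mon Jun 22 2015
Duration     : 0h:25m:15s
"""

# The ASA prints several "Key : value" pairs per line; findall picks up each pair.
FIELD_RE = re.compile(r"(Connection|Index|Bytes Tx|Bytes Rx|Duration)\s*:\s*(\S+)")

def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per session; a 'Connection' line starts a session."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            if key == "Connection":
                current = {}
                sessions.append(current)
            if sessions:
                current[key] = value
    return sessions

def classify(session: Dict[str, str]) -> str:
    """'idle' = nothing either way, 'one-way' = traffic only in one direction, else 'healthy'."""
    tx = int(session.get("Bytes Tx", "0"))
    rx = int(session.get("Bytes Rx", "0"))
    if tx == 0 and rx == 0:
        return "idle"
    if tx == 0 or rx == 0:
        return "one-way"
    return "healthy"

def one_way_tunnels(text: str) -> List[str]:
    """Return the peer addresses whose tunnel is up but passing traffic in one direction only."""
    return [s["Connection"] for s in parse_sessions(text) if classify(s) == "one-way"]
```

A tunnel reported as one-way for more than a couple of poll intervals is the cue to run packet-tracer on the sending side, as the comment above did.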

1 Answer

As the core firewall ASA 5550 was initially set up with a VPN tunnel to the Cisco PIX firewall, it must have had a cached route. Upon rebooting the core firewall, the issue was fixed. FYI, resetting the ISAKMP SA and IPsec SA didn't resolve the issue.

Amir