Pix-Pix VPN comes up, but one not returning data
Posted on 2006-04-28
Have a VPN defined between a 520 (rev 6.3) and a 501 (rev 6.2). The tunnel comes up, SAs are active, and using packet capture I can verify that traffic from the remote site (501) gets across the tunnel and to a test server I am pinging, and I see where the server then replies, but the traffic dies there - the 520 does not encaps it and send it back. Same behavior applies for all traffic types besides ICMP. Cut from "show crypto ipsec sa" reflects this as well.
#pkts encaps: 49, #pkts encrypt: 49, #pkts digest 49
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
520 side: (counters hinky from rebooting remote)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 58, #pkts decrypt: 58, #pkts verify 58
I know my access-list for matching traffic is good on the 520 side, as when I ping from the server (located at the 520 side) to the remote, the hit counter for that ACL increments. Somewhere between access-list matching and encapsulating into the tunnel I'm losing it. Gotta be something simple, anyone seen this before?
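The counter pattern in the post (decaps climbing on one side while encaps stays at zero) is the classic signature of a one-way tunnel. As an added example, not part of the original post and not tied to the poster's devices, the script below parses the "#pkts" lines of "show crypto ipsec sa" output from both peers and names which direction is failing and where. The sample output is constructed from the numbers quoted above; the verdict strings and the delta helper (for counters that were reset by a reboot, as the poster notes) are my own.

```python
import re
from typing import Dict

# Constructed sample output, modelled on the counters quoted in the post.
# The 520 side decapsulates the remote's packets but encapsulates nothing.
SAMPLE_520 = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 58, #pkts decrypt: 58, #pkts verify 58
"""
# The 501 side encapsulates packets but never gets any back.
SAMPLE_501 = """\
#pkts encaps: 49, #pkts encrypt: 49, #pkts digest 49
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

# "digest" and "verify" are printed without a colon on PIX 6.x, so the colon is optional.
COUNTER_RE = re.compile(
    r"#pkts\s+(encaps|encrypt|digest|decaps|decrypt|verify):?\s*(\d+)"
)


def parse_counters(text: str) -> Dict[str, int]:
    """Extract the per-SA packet counters from 'show crypto ipsec sa' text."""
    found = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError(f"counters not found in output: {sorted(missing)}")
    return found


def delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Difference between two reads of the same SA.

    A counter that went down means the SA (or the box) was reset between reads,
    so the post-reset value is the only meaningful count.
    """
    return {
        name: after[name] - before[name] if after[name] >= before[name] else after[name]
        for name in after
    }


def diagnose(local: Dict[str, int], peer: Dict[str, int]) -> str:
    """Classify tunnel health from the counters of both peers.

    'local' is the device you are sitting on, 'peer' is the far end.
    Verdicts:
      idle                     - neither side has put anything into the tunnel
      local-to-peer-lost       - encapsulated here, never decapsulated there
      peer-to-local-lost       - encapsulated there, never decapsulated here
      local-not-encapsulating  - we decrypt their traffic but send none back,
                                 so the failure is before IPsec on this box
                                 (crypto ACL match, NAT exemption, or routing)
      peer-not-encapsulating   - the mirror image, failure is on the far end
      bidirectional            - packets flow both ways
    """
    local_out, local_in = local["encaps"], local["decaps"]
    peer_out, peer_in = peer["encaps"], peer["decaps"]
    if local_out == 0 and peer_out == 0:
        return "idle"
    if local_out > 0 and peer_in == 0:
        return "local-to-peer-lost"
    if peer_out > 0 and local_in == 0:
        return "peer-to-local-lost"
    if local_in > 0 and local_out == 0:
        return "local-not-encapsulating"
    if peer_in > 0 and peer_out == 0:
        return "peer-not-encapsulating"
    return "bidirectional"


if __name__ == "__main__":
    side_520 = parse_counters(SAMPLE_520)
    side_501 = parse_counters(SAMPLE_501)
    print("viewed from the 520:", diagnose(side_520, side_501))
    print("viewed from the 501:", diagnose(side_501, side_520))
```

Run it from whichever box you are troubleshooting and feed it the other peer's output as "peer"; a "local-not-encapsulating" verdict, which is what the post's numbers produce when viewed from the 520, tells you to stop looking at the tunnel itself and look at what happens to the return traffic before it reaches the crypto map. Take two reads a minute apart and pass them through delta() so counters left over from before a reboot do not skew the picture.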