ASA VPN not passing traffic

Posted on 2009-02-19
Last Modified: 2012-05-06
I have a site-to-site VPN set up between two ASA 5505s.  VPN tunnel comes up fine, no errors in debug.  

When performing a ping to known good device through the tunnel, I get no reply.  Tunnel session statistics on the source ASA shows Tx traffic going outbound but NO Rx coming back.  Tunnel session statistics on the destination ASA show traffic going both ways (echo inbound and the echo-reply going back out).  Seems like the echo is getting there and most likely back but traffic somehow being stopped on the receiving end.

Both of these ASA units have other tunnels to other units up and running fine.

Tunnels are allowed to bypass incoming access list.  Routes are verified.   ACL on inside interface verified.  NAT exempt looks ok (like the other tunnels I have).  IKE and IPsec are AES256 DH5 PFS enabled preshared keys.  Very simple setups!

Unfortunately these units are on a private WAN so I can not post the configs without retyping manually.  

Any suggestions?


Question by: Avi8r
    LVL 3

    Expert Comment

    anything in the show logs?

    Author Comment

    sh crypto ipsec stats on the local unit shows the outbound data incrementing but no inbound.  The distant end ASA shows traffic both ways.

    Tunnel comes up and down very nicely, showing no errors.

    With the sh int outside command for the local ASA, it shows dropped packets incrementing with the ping.  I believe the command to allow the tunnel traffic to bypass the outside ACL is global (applies to all)??  If this is the case, that's not the problem as the other tunnel on this unit works fine.  Make sense?

    Is there another ACL somewhere that could prohibit data passage on the outside interface?

    I will hand type parts of the config on this chain if necessary.

    LVL 7

    Expert Comment

    What do you get if you do a packet tracer?

    For example (ICMP arguments are source, type, code, destination; type 8 code 0 is an echo request):
    asa(config)# packet-tracer input inside icmp source_host 8 0 destination_host detailed

    Of course the source host and destination should be part of the interesting traffic.
    You should see in which step the ASA is dropping the packet while it travels through the core of the firewall.

    Verify that your firewall is not checking the packets as stateful firewall:
    You should have the command (it is active by default)

    sysopt connection permit-vpn
    or sysopt connection permit-ipsec

    Author Comment

    Packet tracer in ASDM (on both units) shows no errors.  I thought that to be very strange.  

    If the sysopt connection permit-vpn command is global (applies to all), then that's not it.  I have another site-to-site VPN on both units and those run fine.  Does it apply to all or is it connection profile specific?

    Accepted Solution

    The problem turned out to be an external firewall blocking esp to the local ASA.
    This is very strange (to me at least) that the tunnel would come up when specified traffic would attempt to pass, but no traffic would pass from the remote ASA to the local ASA through the tunnel.
    In other words, both units accomplished phase 2 and there were no errors in debug indicating something was wrong, but it would not pass traffic from the remote end to the local end (where esp was blocked).
    Thanks to all that tried to help.
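    A check for the counter pattern this thread ends on, added as an example and not part of the original thread: it parses the `#pkts encaps` / `#pkts decaps` counters from ASA `show crypto ipsec sa` output (sample output below is constructed; the peer addresses and counts are assumptions) and flags peers that encapsulate but never decapsulate, which is what an upstream device dropping inbound ESP looks like even though IKE has completed and the tunnel reports as up.

```python
import re

# Constructed sample of ASA `show crypto ipsec sa` output covering two peers:
# the first SA shows the one-way pattern from this thread, the second is healthy.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10
      current_peer: 198.51.100.20
      #pkts encaps: 1423, #pkts encrypt: 1423, #pkts digest: 1423
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10
      current_peer: 198.51.100.30
      #pkts encaps: 88210, #pkts encrypt: 88210, #pkts digest: 88210
      #pkts decaps: 87904, #pkts decrypt: 87904, #pkts verify: 87904
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return {peer: (encaps, decaps)} from 'show crypto ipsec sa' text."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            sas.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue
        if m := ENCAPS_RE.search(line):
            sas[peer][0] = int(m.group(1))
        if m := DECAPS_RE.search(line):
            sas[peer][1] = int(m.group(1))
    return {p: tuple(v) for p, v in sas.items()}


def one_way_peers(text, min_encaps=10):
    """Peers we encrypt to but never decrypt from. IKE (UDP 500) completed,
    so the tunnel is 'up', but ESP (IP protocol 50) is not arriving here."""
    return sorted(p for p, (enc, dec) in parse_ipsec_sa(text).items()
                  if enc >= min_encaps and dec == 0)


if __name__ == "__main__":
    for peer in one_way_peers(SAMPLE_OUTPUT):
        print(f"{peer}: encaps>0, decaps=0 - check ESP is allowed inbound")
```

    Run it against the real command output on the ASA that shows Tx but no Rx; a peer listed here while the far end shows both counters moving points at the path between the peers, not at the tunnel configuration.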
    LVL 18

    Expert Comment

    I have a similar problem. VPN is up and working, pings are ok, but sometimes pings disappear while vpn is up. After I issue clear crypto isakmp sa command, everything works fine again. What can be a possible issue with it?

    Thank you in advance
