Cisco ASA site to site packets only go one way

Hello,

I have an issue with one site connecting to head office. There are three other sites that already have site-to-site VPNs with head office, and they work reliably. There is not much to get wrong in the wizard; it is simple enough, but with this site the VPN gets set up and yet the remote site receives no packets from the head office. Looking at the head office ASA, I see it is receiving packets but sending nothing.
However, sometimes rebooting one or the other firewall (or even both) makes the VPN work correctly for anything from a few hours to a few weeks before it reverts to the situation above.

All the branch offices are running OS version 9.6(1)

Does anyone have any ideas please?

Thank you.

Alasdair Barclay
Alasdairb asked:

arnold commented:
So it works periodically. Double-check the VPN config on both sides to make sure there is no mismatch in key lifetime or in the amount of data transferred before rekey.

Events on either that might explain the issue.
Does either side have more than one wan/ISP connections?
show crypto isakmp sa
show crypto ipsec sa

Another connection using a similar IP segment on its LAN:

Site1 to site2
Site1 to site3

Depending on which sets up first, site2 and site3 having overlapping or identical segments is a problem.

Site2 or site3 to site1 works, but site1 to the other may be impacted by which VPN sets up first.

ArchiTech89 (IT Security Engineer) commented:
I would also look at the ACL that's generating "interesting traffic" for the VPN. It might be that the ACL on the far side is set up so that the traffic properly traverses, but the head office has a typo or some other reason why interesting traffic isn't being generated.

You can always check the status of the VPN in ASDM by going to Monitoring | VPN | Sessions where you can Filter By: IPsec Site-to-Site to see the status and information about each of the VPNs.

Would you care to post the aspects of the run config for this VPN (with appropriate info obscured, obviously)?


Cheers!
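The two checks suggested above (arnold's lifetime mismatch and overlapping LAN segments, ArchiTech89's mirrored crypto ACL) can be automated against saved running configs. The script below is an added example, not code from the thread or from Cisco. It works on constructed ASA config fragments: HQ_CFG and BRANCH_CFG, the peer addresses, network ranges and ACL names are all made up. It assumes crypto ACLs in the plain netmask form (`access-list NAME extended permit ip SRC MASK DST MASK`), standard `crypto map NAME SEQ ...` lines, and the ASA defaults of 28800 seconds / 4608000 kilobytes for an SA lifetime that is not set per crypto map entry.

```python
"""Sanity-check ASA site-to-site crypto map entries from saved configs:
mirrored crypto ACLs, matching SA lifetimes, and overlapping encryption
domains between two peers on the same box. Constructed sample configs."""
import ipaddress
import re
from collections import defaultdict

# Assumed ASA defaults used when a crypto map entry sets no lifetime.
DEFAULT_LIFETIME_SECONDS = 28800
DEFAULT_LIFETIME_KB = 4608000

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")

# Constructed head-office config: entry 1 is site2, entry 2 is site3.
HQ_CFG = """
access-list OUTSIDE_cryptomap_1 extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list OUTSIDE_cryptomap_2 extended permit ip 10.1.0.0 255.255.0.0 10.20.5.0 255.255.255.0
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 1 set peer 203.0.113.2
crypto map OUTSIDE_map 1 set security-association lifetime seconds 28800
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 2 set peer 203.0.113.3
crypto map OUTSIDE_map 2 set security-association lifetime seconds 3600
"""

# Constructed branch (site3) config: ACL is mirrored, lifetime left at default.
BRANCH_CFG = """
access-list OUTSIDE_cryptomap_1 extended permit ip 10.20.5.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 1 set peer 198.51.100.1
"""


def parse_asa(config):
    """Return (acls, maps).
    acls: name -> list of (src_network, dst_network)
    maps: (map_name, seq) -> {'acl', 'peer', 'seconds', 'kilobytes'}"""
    acls = defaultdict(list)
    maps = defaultdict(lambda: {"acl": None, "peer": None,
                                "seconds": DEFAULT_LIFETIME_SECONDS,
                                "kilobytes": DEFAULT_LIFETIME_KB})
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, sip, smask, dip, dmask = m.groups()
            acls[name].append((ipaddress.ip_network(f"{sip}/{smask}", strict=False),
                               ipaddress.ip_network(f"{dip}/{dmask}", strict=False)))
            continue
        m = MAP_RE.match(line)
        if m:
            name, seq, rest = m.groups()
            entry = maps[(name, int(seq))]
            if rest.startswith("match address "):
                entry["acl"] = rest.split()[-1]
            elif rest.startswith("set peer "):
                entry["peer"] = rest.split()[-1]
            elif rest.startswith("set security-association lifetime seconds "):
                entry["seconds"] = int(rest.split()[-1])
            elif rest.startswith("set security-association lifetime kilobytes "):
                entry["kilobytes"] = int(rest.split()[-1])
    return dict(acls), dict(maps)


def acl_is_mirror(local_rules, remote_rules):
    """Every local (src, dst) must appear on the peer as (dst, src), and vice versa."""
    return {(s, d) for s, d in local_rules} == {(d, s) for s, d in remote_rules}


def check_pair(local_cfg, local_key, remote_cfg, remote_key):
    """Compare one tunnel from both ends; return a list of problem strings."""
    l_acls, l_maps = parse_asa(local_cfg)
    r_acls, r_maps = parse_asa(remote_cfg)
    l, r = l_maps[local_key], r_maps[remote_key]
    problems = []
    if not acl_is_mirror(l_acls.get(l["acl"], []), r_acls.get(r["acl"], [])):
        problems.append("crypto ACLs are not mirror images")
    for field in ("seconds", "kilobytes"):
        if l[field] != r[field]:
            problems.append(f"lifetime {field} mismatch: {l[field]} vs {r[field]}")
    return problems


def overlapping_domains(config):
    """Crypto map entries on one box whose remote networks overlap: traffic
    for the shared prefix can only be sent down one of the two tunnels."""
    acls, maps = parse_asa(config)
    hits = []
    keys = sorted(maps)
    for i, a in enumerate(keys):
        for b in keys[i + 1:]:
            for _, da in acls.get(maps[a]["acl"], []):
                for _, db in acls.get(maps[b]["acl"], []):
                    if da.overlaps(db):
                        hits.append((a, b, str(da), str(db)))
    return hits


if __name__ == "__main__":
    print(check_pair(HQ_CFG, ("OUTSIDE_map", 2), BRANCH_CFG, ("OUTSIDE_map", 1)))
    print(overlapping_domains(HQ_CFG))
```

On the constructed input the site3 tunnel reports only a lifetime mismatch (3600 s at head office against the 28800 s default at the branch), while the head office on its own reports that entry 1's 10.20.0.0/16 swallows entry 2's 10.20.5.0/24, which is exactly the overlap case arnold describes. Paste the output of `show running-config crypto` from both ASAs into the two strings to run it against real configs.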
Alasdairb (Author) commented:
Thanks to both.