IOS to ASA IpSec VPN

Hey I just created a VPN form a remote site to our datacenter. Anyways when I try to ping a certain subnet I get this error in ASA at the datacenter.

This is a ping innitiated from the remote site, destined for the data center. But this message is from the ASA in the data center.

6 Mar 26 2008 18:43:53 302020 192.168.111.1 10.39.158.1 Built outbound ICMP connection for faddr 192.168.111.1/13 gaddr 10.39.158.1/0 laddr 10.39.158.1/0

4 Mar 26 2008 18:43:53 313004 Denied ICMP type=0, from laddr 10.39.158.1 on interface inside to 192.168.111.1: no matching session

First it builds the outbound ICMP connection as it is destined for 10.39.158.1 which is inside the datacenter. Then the ASA Denies the echo reply as it comes back to the firewall, destined for the remotesite across the IPsec tunnel. I can ping just about everyother subnet at the data center, just not 10.39.158.1. I do have routes to this subnet. My ASA is blocking the reply, WHY????? How could build the session and then say no matching session?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

dtlokee

Could be related to the fact the traffic is trying to go from an interface to the same interface which has the same security level. You may need the "same-security-traffic permit intra-interface" command

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml

Ahriakin

Are you sure the interesting traffic is correctly identified on the other side? IPSEC SAs are unidirectional so it is possible to have a working outgoing tunnel and a non-functional return tunnel. The fact that the IKE tunnel is working fine, other subnets at the other end are fine and outgoing to that subnet works really does point to subnet/interesting traffic configuration. Check your ACLs....

liven

Ahriakin wrote:

Are you sure the interesting traffic is correctly identified on the other side? IPSEC SAs are unidirectional so it is possible to have a working outgoing tunnel and a non-functional return tunnel. The fact that the IKE tunnel is working fine, other subnets at the other end are fine and outgoing to that subnet works really does point to subnet/interesting traffic configuration. Check your ACLs....

Agreed this very thing bit me in the @ss last time I set this up. Unfortunately I had to deal with a third party who was controlling one end of the VPN. Made it very difficult to setup.

Ahriakin

Also it can be incomplete NAT-0 on the other side, again it's an ACL thing just a different rule to check.

Netstudent

It wasn;t the ACL or the NAt statement to not xlate. But I took down the VPN to the ASA and rerouted it back to a checkpoint NGX box.

Came into work this morning, double checked crypto ipsec security-association lifetime and isakmp keepalives, started a ping and it went through no problems. I did not get any syslog messages on the ASA at the datacenter blocking my pings.

Kind of a wierd thing, but I think it all stems from having 2 crypto map sequences that are almost identicle. The only difference is the peer.