[c-nsp] ASA 5520 to Pix sudden loss of tunnel

Jay Nakamura zeusdadog at gmail.com
Thu Mar 10 16:03:58 EST 2011


Now that I think about it, I had a similar issue with active/backup
ASA where when you flip the active unit, traffic will go only one
direction.  Clearing the ipsec SA fixes the issue but it would never
fix itself on its own.  Since it doesn't happen every time, and the
vendor for the ASA side didn't seem interested in troubleshooting
further, I could never get to the bottom of it.  If it happens again,
clear ipsec sa instead and see if it fixes it.  Much better than
rebooting.

On Thu, Mar 10, 2011 at 3:24 PM, Scott Granados <scott at granados-llc.net> wrote:
> This is what I thought as well but rebooting the ASA pair did the trick and everything worked.  I also confirmed my routing was working to the ASA pair because other devices attached could reach the network.
>
> I'm thinking wacky interactions of pre 7.2.4 Pix and ASA but not 100% certain.  Since rebooting cleared it I was leaning in that direction.
>
> Thanks
> Scott
>
> On Mar 10, 2011, at 11:38 AM, Christopher J. Wargaski wrote:
>
>> Scott--
>>
>>    One-way traffic like this is usually caused by one of three things:
>> 1) The interesting traffic ACLs not being mirror images of each other.
>> 2) An outbound ACL is denying traffic across the IPsec tunnel.
>> 3) Routing is not sending the traffic for the remote subnet to the PIX/ASA.
>>
>> cjw
>>
>>
>> Date: Wed, 9 Mar 2011 21:11:51 -0800
>> From: Scott Granados <scott at granados-llc.net>
>> To: cisco-nsp <cisco-nsp at puck.nether.net>
>> Subject: [c-nsp] ASA 5520 to Pix sudden loss of tunnel
>> Message-ID: <9B70E992-15DB-44A5-8019-3C170402AE34 at granados-llc.net>
>> Content-Type: text/plain; charset=us-ascii
>>
>> Hi, I'm having an odd problem and wonder if anyone has some pointers.  I looked for the Cisco IPSEC solutions document but the things suggested didn't work. (this VPN document covered both IOS and security appliances)
>>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
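Cause 1) in Wargaski's list, the two crypto ("interesting traffic") ACLs not mirroring each other, can be checked mechanically. The script below is an added example, not code from the thread: the ACL lines are constructed samples in PIX/ASA `access-list ... permit ip` syntax, and the check reports every source/destination pair on one peer whose reversed pair is absent on the other.

```python
import ipaddress

# Constructed sample crypto ACLs for the two tunnel endpoints (not from the thread).
# The second ASA entry and the second PIX entry are deliberately not mirrors.
ASA_SIDE = """
access-list vpn-acl extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list vpn-acl extended permit ip host 10.1.5.5 10.2.9.0 255.255.255.0
"""
PIX_SIDE = """
access-list vpn-acl permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list vpn-acl permit ip 10.2.9.0 255.255.255.0 10.1.0.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Consume one ACL address spec (any | host A.B.C.D | A.B.C.D MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmask notation, e.g. 10.1.0.0/255.255.255.0
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(config_text):
    """Return the set of (src_net, dst_net) pairs permitted by the ACL lines in config_text."""
    pairs = set()
    for line in config_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list" or "permit" not in tokens:
            continue  # skip blank, remark and deny lines
        i = tokens.index("permit") + 2  # step over "permit" and the protocol ("ip")
        src, i = _parse_addr(tokens, i)
        dst, _ = _parse_addr(tokens, i)
        pairs.add((src, dst))
    return pairs


def check_mirror(local_config, remote_config):
    """Return (local_unmirrored, remote_unmirrored): pairs whose (dst, src) twin is
    missing on the peer, formatted as sorted 'src -> dst' strings. Both empty means OK."""
    local, remote = parse_crypto_acl(local_config), parse_crypto_acl(remote_config)
    local_only = [(s, d) for (s, d) in local if (d, s) not in remote]
    remote_only = [(s, d) for (s, d) in remote if (d, s) not in local]
    fmt = lambda pairs: sorted(f"{s} -> {d}" for s, d in pairs)
    return fmt(local_only), fmt(remote_only)


if __name__ == "__main__":
    asa_bad, pix_bad = check_mirror(ASA_SIDE, PIX_SIDE)
    print("ASA entries with no PIX mirror:", asa_bad)
    print("PIX entries with no ASA mirror:", pix_bad)
```

Any pair reported on either side is a candidate for the one-way traffic symptom described in the thread, since only the matching direction will select the tunnel.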