VPN going up but traffic going one way

Discussion in 'Cisco' started by PLP, Jul 10, 2003.

  1. PLP (Guest)

    I have a weird problem with a VPN between two PIX (520 and 506, same version
    6.2.2).

    The VPN is going up well: the ISAKMP and IPSec negotiation goes well and
    when doing show isakmp sa and sh crypto ipsec sa I have all the good
    information and all is OK. Same thing when doing a debug on isakmp and
    ipsec. The crypto access-lists are OK.

    The traffic is encrypted on PIX 1 and goes via the internet to PIX 2. PIX 2
    decrypts the traffic. The problem is for traffic from PIX 2 to PIX 1: PIX 2
    encrypts the traffic and sends it (the counters increase in sh crypto ipsec
    sa and the outside interface counters increase too), but PIX 1 never receives
    it, so the traffic in the tunnel is going only one way.

    PIX 2 is behind a FireWall-1 firewall managed by another company, so I
    have no direct access to it. The guy who manages it says that all traffic is
    allowed.

    My hypothesis is that somewhere the IPsec protocol is not permitted, but how
    can I verify it? I can ping the outside interface of PIX 1 from PIX 2.

    Anybody have a suggestion to help resolve this problem? Thank you!

    PLP
    PLP, Jul 10, 2003
  2. Alex (Guest)

    "PLP" <> wrote in message
    news:wl3Pa.102032$...
    > I have a weird problem with a VPN between two PIX (520 and 506, same version
    > 6.2.2)
    >
    > The VPN is going up well: the ISAKMP and IPSec negotiation goes well and
    > when doing show isakmp sa and sh crypto ipsec sa I have all the good
    > information and all is OK. Same thing when doing a debug on isakmp and
    > ipsec. The crypto access-lists are OK.
    >
    > The traffic is encrypted on PIX 1 and goes via the internet to PIX 2. PIX 2
    > decrypts the traffic. The problem is for traffic from PIX 2 to PIX 1, PIX 2
    > encrypts the traffic and sends it (The counters increase in sh crypto ipsec
    > sa and the outside interface counters increase too.) But PIX 1 never receives
    > it, so the traffic in the tunnel is going only one way.
    >
    > The PIX 2 is behind a FireWall-1 firewall managed by another company so I
    > have no direct access to it. The guy who manages it says that all traffic is
    > allowed.
    >
    > My hypothesis is that somewhere the ipsec protocol is not permitted, but how
    > can I verify it? I can ping the outside interface of PIX1 from PIX 2.
    >
    > Anybody have a suggestion to help resolve this problem? Thank you!
    >
    > PLP
    >
    >


    Hi,

    My guess is that the traffic from PIX2 to PIX1 is fragmented by (most
    probably) the firewall.
    If I recall correctly, IPsec is very picky about fragmented packets.
    Maybe you could check the MTU sizes up and down the link and match them
    accordingly.

    Hope this helps...

    Alex
    Alex, Jul 11, 2003
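Alex's fragmentation hypothesis can be checked with arithmetic before touching any MTU: ESP tunnel mode adds a fixed overhead to every packet, so a full-size 1500-byte packet from an inside host always leaves the PIX as two fragments, and an intermediate device that drops or mishandles non-initial fragments produces exactly the one-way symptom. The calculation below is an added example and not from the thread; it assumes the PIX 6.2 transforms (DES or 3DES with an 8-byte IV, HMAC-MD5-96 or HMAC-SHA1-96 with a 12-byte ICV) and IPv4 on both sides. The header and trailer sizes come from RFC 2406; the path MTU of 1500 is an assumed value for the example.

```python
# ESP tunnel-mode overhead per RFC 2406, IPv4 outer header.
ESP_SPI_SEQ = 8   # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)
OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
TCP_IP_HDRS = 40  # IPv4 + TCP headers without options

# Transforms available on PIX 6.2 (assumption: no AES on that release).
CIPHERS = {
    "esp-des":  {"block": 8, "iv": 8},
    "esp-3des": {"block": 8, "iv": 8},
}
ICV_LEN = {"esp-md5-hmac": 12, "esp-sha-hmac": 12, None: 0}


def esp_tunnel_size(clear_len, cipher="esp-3des", auth="esp-sha-hmac"):
    """Wire size of an IPv4 ESP tunnel-mode packet carrying a clear_len-byte IP packet."""
    c = CIPHERS[cipher]
    body = clear_len + ESP_TRAILER
    pad = (-body) % c["block"]          # pad so the encrypted part is a block multiple
    return OUTER_IPV4 + ESP_SPI_SEQ + c["iv"] + body + pad + ICV_LEN[auth]


def will_fragment(clear_len, path_mtu=1500, **transform):
    """True if the encapsulated packet exceeds the path MTU and must be fragmented."""
    return esp_tunnel_size(clear_len, **transform) > path_mtu


def max_clear_len(path_mtu=1500, **transform):
    """Largest cleartext IP packet that still fits in path_mtu after encapsulation."""
    n = path_mtu
    while n > 0 and esp_tunnel_size(n, **transform) > path_mtu:
        n -= 1
    return n


def safe_tcp_mss(path_mtu=1500, **transform):
    """TCP MSS to clamp to so that full segments never fragment inside the tunnel."""
    return max_clear_len(path_mtu, **transform) - TCP_IP_HDRS


if __name__ == "__main__":
    for size in (1500, 1420, 576):
        print(f"{size:>5} byte clear packet -> {esp_tunnel_size(size):>5} bytes on the wire, "
              f"fragments at MTU 1500: {will_fragment(size)}")
    print("largest unfragmented clear packet:", max_clear_len())
    print("TCP MSS that never fragments:", safe_tcp_mss())
```

With 3DES/SHA a 1500-byte packet becomes 1552 bytes on the wire and a 1420-byte packet (a TCP segment sent with MSS 1380) becomes 1472, which fits. The PIX's default sysopt connection tcpmss 1380 is chosen for exactly this reason, but it only helps TCP; UDP, ICMP and hosts setting DF themselves still produce fragments, and a single large ping with DF set across the tunnel is a quick way to see whether the firewall in front of PIX 2 passes the resulting fragments.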
