VPN going up but traffic going one way

Discussion in 'Cisco' started by PLP, Jul 10, 2003.

  1. PLP

    PLP Guest

    I have a weird problem with a VPN between two PIX (520 and 506, same version
    6.2.2).

    The VPN is going up well: the ISAKMP and IPSec negotiation goes well, and
    when doing show isakmp sa and sh crypto ipsec sa I have all the good
    information and all is OK. Same thing when doing a debug on isakmp and
    ipsec. The crypto access-lists are OK.

    The traffic is encrypted on PIX 1 and goes via the internet to PIX 2. PIX 2
    decrypts the traffic. The problem is for traffic from PIX 2 to PIX 1: PIX 2
    encrypts the traffic and sends it (the counters increase in sh crypto ipsec
    sa and the outside interface counters increase too), but PIX 1 never receives
    it, so the traffic in the tunnel is going only one way.

    The PIX 2 is behind a FireWall-1 firewall managed by another company, so I
    have no direct access to it. The guy who manages it says that all traffic is
    allowed.

    My hypothesis is that somewhere the IPsec protocol is not permitted, but how
    can I verify it? I can ping the outside interface of PIX 1 from PIX 2.

    Anybody have a suggestion to help resolve this problem? Thank you!

    PLP
     
    PLP, Jul 10, 2003
    #1
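One way to put numbers on the "traffic goes one way" observation is to read the encaps/decaps counters that `show crypto ipsec sa` prints on each PIX: the sending box increments `#pkts encaps`, and if the receiving box's `#pkts decaps` stays at zero, the ESP packets are being dropped somewhere in between. The parser below is an added example, not code from the thread; the sample output is constructed in the PIX 6.x format, and the addresses and crypto map name are invented.

```python
"""Spot one-way IPsec tunnels from `show crypto ipsec sa` counters."""
import re

# Constructed excerpt (not captured from the poster's boxes); this is what the
# receiving PIX would show in the situation described: nothing decapsulated.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: mymap, local addr. 192.0.2.1

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   current_peer: 198.51.100.1
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3154, #pkts encrypt: 3154, #pkts digest 3154
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")


def parse_sas(text):
    """Return one dict per peer block: {'peer', 'encaps', 'decaps'}."""
    sas = []
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            sas.append({"peer": m.group(1), "encaps": 0, "decaps": 0})
            continue
        for direction, count in COUNTER_RE.findall(line):
            if sas:  # counters always follow a current_peer line
                sas[-1][direction] = int(count)
    return sas


def classify(sa):
    """'bidirectional', 'outbound-only', 'inbound-only' or 'idle'."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and dec:
        return "bidirectional"
    if enc:
        return "outbound-only"
    return "inbound-only" if dec else "idle"


def diagnose_pair(side_a, side_b):
    """Compare the two ends' counters: encaps on one side with zero decaps on
    the other means ESP (IP protocol 50) is lost in transit in that direction."""
    findings = []
    for src, dst in ((side_a, side_b), (side_b, side_a)):
        if src["encaps"] and not dst["decaps"]:
            findings.append("ESP toward %s is sent but never decapsulated there: "
                            "check protocol 50 / fragment filtering on the path"
                            % src["peer"])
    return findings
```

Run it against the output of both boxes; `diagnose_pair` names the direction that is broken, which is the evidence to hand to whoever manages the intermediate firewall.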

  2. Alex

    Alex Guest

    Hi,

    My guess is, that the traffic from PIX2 to PIX1 is fragmented by (most
    probably) the firewall.
    If I recall correctly, IPsec is very picky about fragmenting packets.
    Maybe you could check the MTU sizes up and down the link and match them
    accordingly.

    Hope this helps...

    Alex
     
    Alex, Jul 11, 2003
    #2