Ryan West wrote:
> Assuming there is nothing wrong with that ACL, it's normal behavior for packet tracer to fail the first packet through as it's still bringing up phase 1 and 2 of the tunnel. If you run the packet tracer twice, you should see the crypto hits and encapsulation information. I don't think it's a "bad practice" to use packet tracer either. If you control all the devices in question and can get meaningful data from the hosts on either side, then packet tracer is less useful. However, this is typically not the case with most businesses where security roles and systems engineering are compartmentalized. Working on firewalls with hundreds of partners, the path of least resistance in most cases is to initiate a few packet tracers to bring up the tunnel and pre-validate your work.
>
> Have you verified it's not a path MTU issue?
>
> -ryan
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Bogdan Sass
> Sent: Monday, June 01, 2009 4:02 AM
> To: Farrukh Haroon
> Cc: Cisco certification
> Subject: Re: ASA site-to-site VPN problem
>
> Farrukh Haroon wrote:
>
>> Why are you using this strange mask in the ACL?
>>
>> 10.1.1.15 255.255.252.255
>>
>>
>>
> Hmmm... good question :) . I didn't notice that (the config was not
> written by me - I was just called to troubleshoot it). However, I have
> come upon this problem on several devices, so it shouldn't be related to
> the mask.
>
> Nevertheless, I will ask about the mask, and I will let you know
> what I find out. Thank you!!
>
>
The subnet mask was there by mistake. Also, I have found the source
of my troubles - some missing routes on the other end (on a device
beyond my control :) ).
Thank you for all your help, guys - I have learned some very useful
things today!
--
Bogdan Sass
CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"

Blogs and organic groups at http://www.ccie.net

Received on Mon Jun 01 2009 - 18:00:23 ART
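The mask 10.1.1.15 255.255.252.255 that Farrukh questioned above is non-contiguous (the third octet is 11111100), so an entry written with it does not describe a single host or a single subnet. The script below is an added illustration, not code from the thread or from Cisco: it checks a dotted mask for contiguity, applies a mask as a bitwise AND (the assumption here is that the device evaluates it the way a netmask is evaluated) to show which addresses such an entry would actually match, and lints constructed ASA-style ACL lines for the same mistake. The ACL name OUTSIDE_CRYPTO and the 192.168.10.0/24 peer network are invented for the example.

```python
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def mask_is_contiguous(mask: str) -> bool:
    """True when the dotted mask is a run of 1-bits followed only by 0-bits."""
    m = int(ipaddress.IPv4Address(mask))
    inv = (~m) & 0xFFFFFFFF          # a valid mask inverts to 2**k - 1
    return inv & (inv + 1) == 0


def ace_matches(address: str, mask: str, candidate: str) -> bool:
    """Compare candidate against address under the mask (bitwise AND, as a netmask)."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    c = int(ipaddress.IPv4Address(candidate))
    return (a & m) == (c & m)


def matched_hosts(address: str, mask: str, candidates):
    """Return every candidate address the (address, mask) entry would match."""
    return [c for c in candidates if ace_matches(address, mask, c)]


def lint_acl(lines):
    """Return (line, address, mask) for each address/mask pair whose mask is not contiguous.

    Walks ASA extended-ACL tokens: 'host X' carries no mask, 'any' has no mask,
    and any other dotted address is followed by its mask.
    """
    findings = []
    for line in lines:
        tokens = line.split()
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "host":
                i += 2                      # skip the host address, it has no mask
                continue
            if IPV4.match(tok) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
                mask = tokens[i + 1]
                if not mask_is_contiguous(mask):
                    findings.append((line, tok, mask))
                i += 2
                continue
            i += 1
    return findings


# Constructed sample ACL: the first line carries the mask from the thread,
# the second is the host entry it was presumably meant to be.
CONSTRUCTED_ACL = [
    "access-list OUTSIDE_CRYPTO extended permit ip 10.1.1.15 255.255.252.255 "
    "192.168.10.0 255.255.255.0",
    "access-list OUTSIDE_CRYPTO extended permit ip host 10.1.1.15 "
    "192.168.10.0 255.255.255.0",
]

# Constructed candidate addresses to show what the odd mask really covers.
CANDIDATES = ["10.1.0.15", "10.1.1.15", "10.1.2.15", "10.1.3.15",
              "10.1.4.15", "10.1.1.16"]


if __name__ == "__main__":
    print("contiguous:", mask_is_contiguous("255.255.252.255"))
    print("matched by 10.1.1.15 255.255.252.255:",
          matched_hosts("10.1.1.15", "255.255.252.255", CANDIDATES))
    for line, addr, mask in lint_acl(CONSTRUCTED_ACL):
        print(f"non-contiguous mask {mask} on {addr}: {line}")
```

Run against the constructed lines, the linter flags only the first entry, and `matched_hosts` shows the mask covers 10.1.0.15, 10.1.1.15, 10.1.2.15 and 10.1.3.15 rather than the single host; on a crypto ACL that widens the proxy identity offered to the peer, which is worth catching in review even when, as in this thread, the real fault turned out to be elsewhere.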
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART