ASA 5525 on 9.6(3)1
This is driving me crazy - I have a site-to-site VPN set up and connected with one of our remote offices while we wait for MPLS to be installed.
Office A (me): 10.1.0.0/19
Office B: 10.1.32.0/20
The VPN is connected and I can reach certain subnets, but not others. Packet tracers are virtually identical (the only difference is the destination IP) right up until the VPN step:
Unreachable (10.1.43.XXX)
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x2aaac81b4690, priority=70, domain=encrypt, deny=false
        hits=9093, user_data=0x0, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0
        src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any
        dst ip/id=10.1.32.0, mask=255.255.240.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside
Reachable (10.1.32.XXX)
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
 out id=0x2aaacb54b540, priority=70, domain=encrypt, deny=false
        hits=12460, user_data=0x24cb87c, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0
        src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any
        dst ip/id=10.1.32.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside
We have changed nothing, and here's where things get stranger. We experienced this exact same behavior yesterday, but the reachable/unreachable subnets were swapped. Then it mysteriously started working. Now it's back to this. Has anyone experienced this before?
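An added example (not part of the original post, and not Cisco's tooling): a small parser for the "Forward Flow based lookup yields rule" line in ASA packet-tracer output, fed the two Phase 9 excerpts above, so the differences the post reads by eye become explicit. The only assumption is the single-line form of the output as it appears in the post; the 10.1.43.x trace matched an encrypt rule with a /20 destination, the 10.1.32.x trace matched a narrower /24 rule, and those two rules also differ in id, hits and user_data.

```python
import ipaddress
import re

# Phase 9 excerpts copied from the post above (single-line form), used as sample input.
TRACE_UNREACHABLE = "Phase: 9 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaac81b4690, priority=70, domain=encrypt, deny=false hits=9093, user_data=0x0, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0 src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=10.1.32.0, mask=255.255.240.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside"
TRACE_REACHABLE = "Phase: 9 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaacb54b540, priority=70, domain=encrypt, deny=false hits=12460, user_data=0x24cb87c, cs_id=0x2aaac8d74c80, reverse, flags=0x0, protocol=0 src ip/id=10.1.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=10.1.32.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=outside"


def parse_rule(text):
    """Turn the key=value rule text after 'yields rule:' into a dict.

    Keys that appear on both the src and dst side (ip/id, mask, port, tag)
    are prefixed with the side they belong to, e.g. src_mask / dst_mask.
    """
    rule_text = text.split("yields rule:", 1)[1]
    fields, flags, scope = {}, [], ""
    # Tokens are separated by ", " or plain whitespace; keys never contain either.
    for tok in re.split(r",\s*|\s+", rule_text.strip()):
        if "=" not in tok:
            if tok in ("src", "dst"):
                scope = tok          # following ip/id, mask, port, tag belong to this side
            elif tok in ("in", "out"):
                fields["direction"] = tok
            elif tok:
                flags.append(tok)    # bare flags such as "reverse"
            continue
        key, val = tok.split("=", 1)
        if key in ("ip/id", "mask", "port", "tag"):
            key = f"{scope}_{key.replace('/', '_')}"
        fields[key] = val
    fields["flags"] = ",".join(flags)
    return fields


def prefixlen(mask):
    """Dotted netmask -> prefix length (255.255.240.0 -> 20)."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def summarize(text):
    """Extract the fields worth comparing between two traces of the same phase."""
    r = parse_rule(text)
    return {
        "result": re.search(r"Result:\s*(\w+)", text).group(1),
        "src": f"{r['src_ip_id']}/{prefixlen(r['src_mask'])}",
        "dst": f"{r['dst_ip_id']}/{prefixlen(r['dst_mask'])}",
        "user_data": r["user_data"],
        "hits": int(r["hits"]),
        "id": r["id"],
    }


def diff_traces(a, b):
    """Return {field: (value_in_a, value_in_b)} for every summarized field that differs."""
    sa, sb = summarize(a), summarize(b)
    return {k: (sa[k], sb[k]) for k in sa if sa[k] != sb[k]}


if __name__ == "__main__":
    for field, (dropped, allowed) in diff_traces(TRACE_UNREACHABLE, TRACE_REACHABLE).items():
        print(f"{field:10} DROP trace: {dropped!s:18} ALLOW trace: {allowed}")
```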