TOPIC: Site-to-Site VPN problems

Site-to-Site VPN problems 11 years 4 months ago #29110


I am currently trying to troubleshoot a site-to-site VPN problem between a Cisco 5520 and a Cisco PIX 515.

When a user makes a connection destined to the remote VPN network the VPN tunnel successfully completes both phases and the tunnel comes active but the user connection times out. Here is an output of the VPN logs.

%ASA-6-302013: Built outbound TCP connection 4860 for outside: x.x.x.x /443 (x.x.x.x /443) to inside:x.x.x.x/53251 (1 x.x.x.x /53251)

%ASA-6-302014: Teardown TCP connection 4860 for outside: x.x.x.x /443 to inside: x.x.x.x /53251 duration 0:00:30 bytes 0 SYN Timeout

Running the command 'sh ipsec stats' I can see the outbound traffic being encrypted, but it's not showing any inbound traffic. To me this indicates a problem at the other end of the tunnel? I've not disabled the 'sysopt connection permit-ipsec' command, so all inbound IPSEC traffic should be allowed.

The remote VPN network is managed by a third party company so I have no control or access.

Has anyone experienced this problem before?

Re: Site-to-Site VPN problems 11 years 3 months ago #29326

Smurf (Moderator)
Hi Jimbo,

S0lo posted a few good links to help troubleshoot/configure

I started a thread asking for a guide to this and found something interesting with the ASA's which you may want to read

I don't think the errors you have posted are linked with this problem since they are referencing port 443. Have you turned up debugging of the ISAKMP and IPSEC?

Wayne Murphy Team Member

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit or PM me for details.

Re: Site-to-Site VPN problems 11 years 2 months ago #29685

Hi Smurf,

Thanks for your reply. The traffic I referenced on port 443 is meant to be interesting traffic and sent over the VPN tunnel. I've done some research and think the problem will be fixed when I apply NAT-T on both VPN security appliances. I will post once tested.

Re: Site-to-Site VPN problems 11 years 2 months ago #29878

This problem was resolved by enabling NAT-T on both VPN security appliances. The problem was caused by a firewall device applying Port Address Translation (PAT) to the source traffic between the two VPN peers. PAT breaks ESP protocol communications.
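The symptom the original poster described (tunnel up, outbound packets encrypted, every TCP connection toward the remote subnet torn down with "SYN Timeout" and zero bytes) is easy to pick out of ASA syslog once the 302013/302014 messages are correlated by connection id. The script below is an added example, not code from the thread or from Cisco: it parses constructed log lines modelled on the two messages quoted above (addresses are documentation/private ranges chosen for the example), pairs each build with its teardown, and flags only the connections that timed out with no data toward the remote VPN networks you name. The regexes assume the usual ASA formatting where the "outside" interface appears first on an outbound connection; the subnet list, function names and sample data are all this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample syslog, shaped like the two messages quoted in the thread.
# 203.0.113.0/24 plays the remote VPN network; 198.51.100.7 is ordinary internet.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4860 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.25/53251 (10.1.1.25/53251)
%ASA-6-302014: Teardown TCP connection 4860 for outside:203.0.113.10/443 to inside:10.1.1.25/53251 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4861 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.26/53252 (10.1.1.26/53252)
%ASA-6-302014: Teardown TCP connection 4861 for outside:203.0.113.10/443 to inside:10.1.1.26/53252 duration 0:02:11 bytes 18342 TCP FINs
%ASA-6-302013: Built outbound TCP connection 4862 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.1.25/53260 (10.1.1.25/53260)
%ASA-6-302014: Teardown TCP connection 4862 for outside:198.51.100.7/80 to inside:10.1.1.25/53260 duration 0:00:30 bytes 0 SYN Timeout
"""

# %ASA-6-302013: connection built. First interface/address pair is assumed to be
# the "outside" side for outbound connections, as in the quoted messages.
BUILT = re.compile(
    r"%ASA-6-302013: Built (?P<dir>\w+) TCP connection (?P<id>\d+) for "
    r"(?P<ifa>\w+):(?P<a>[\d.]+)/(?P<ap>\d+) .* to (?P<ifb>\w+):(?P<b>[\d.]+)/(?P<bp>\d+)"
)
# %ASA-6-302014: connection torn down, with byte count and teardown reason.
TEARDOWN = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<id>\d+) for .* duration "
    r"(?P<dur>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_connections(log_text):
    """Pair each Built message with its Teardown by connection id."""
    conns = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = BUILT.match(line)
        if m:
            conns[m["id"]] = {
                "id": m["id"],
                "outside": m["a"], "outside_port": int(m["ap"]),
                "inside": m["b"], "inside_port": int(m["bp"]),
            }
            continue
        m = TEARDOWN.match(line)
        if m and m["id"] in conns:
            conns[m["id"]].update(
                duration=m["dur"], bytes=int(m["bytes"]), reason=m["reason"]
            )
    return conns


def triage_vpn_timeouts(log_text, remote_vpn_nets):
    """Return connections to the remote VPN subnets that died with SYN Timeout
    and zero bytes, i.e. the SYN left encrypted but no SYN/ACK ever came back.
    A SYN Timeout to a non-VPN destination is not flagged; that is a different
    problem (or just an unreachable host)."""
    nets = [ipaddress.ip_network(n) for n in remote_vpn_nets]
    flagged = []
    for conn in parse_connections(log_text).values():
        if "reason" not in conn:
            continue  # still open, or teardown line missing
        peer = ipaddress.ip_address(conn["outside"])
        one_way = conn["reason"] == "SYN Timeout" and conn["bytes"] == 0
        if one_way and any(peer in net for net in nets):
            flagged.append(conn)
    return flagged


if __name__ == "__main__":
    for c in triage_vpn_timeouts(SAMPLE_LOG, ["203.0.113.0/24"]):
        print(f"conn {c['id']}: {c['inside']}:{c['inside_port']} -> "
              f"{c['outside']}:{c['outside_port']} no return traffic "
              f"({c['duration']}, {c['bytes']} bytes, {c['reason']})")
```

Only connection 4860 is reported: 4861 to the same peer completed normally and 4862 timed out toward a non-VPN host. A cluster of zero-byte SYN Timeouts that is specific to the remote VPN subnets, combined with an encrypt counter that climbs while the decrypt counter in 'sh ipsec stats' stays flat, says the return path is broken rather than the tunnel negotiation, which is exactly the PAT-dropping-ESP case the thread ended on and that NAT-T (ESP carried in UDP/4500) resolves.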