IPSec Channel created, VLAN has stopped working
-
So I created a new site-site IPSec channel between two of my offices (1&2)
Office 1 has an ASA5505.
Office 2 has PFsense VLAN3 to connect to Office1
Office 3 has PFsense (this IPsec site-site channel has been functioning fine for a long time).
At Office 2 the channel seems to come up ok as verified by checking the IPsec status of the link.
However the VLAN3 subnet which I selected in the Phase 2 entry to go through the tunnel has stopped functioning completely, i.e. no internet, can't ping the VLAN3 gateway etc. Also I can't ping hosts in Office1 through the channel. Disconnecting or disabling the IPSec channel doesn't bring VLAN3 back to life. Other VLANs in Office 2 are unaffected, but they weren't selected as a Phase 2 entry.
Does anyone have an idea where I should start checking why VLAN3 has stopped functioning?
So far I have tried: restarting the IPsec service, restarting the FW, changing the Phase 2 Local network from the VLAN3 subnet to a network with the same IP range. I don't recall having this issue when I set up Office 3 a couple of years ago.
Any help appreciated. Thank you.
-
We'll need to know more specifics, such as the exact IPsec Phase 2 settings, VLAN3 interface settings, VLAN3 firewall rules, and so on.
-
Hello Jimp,
This is a fresh build for a new office, so there aren't many FW rules as yet. The IPsec S/S channel is essentially a copy of the Office3 stable IPsec S/S link, so nothing really exciting to see there.
VLAN3 has no specific host/port allow rules.
Block rules to other VLANs/interfaces.
Allow all rule for internet.
VLAN3 is on LAGG0 along with 2 other VLANs (LAGG0 is 2x10GbE interfaces).
After stuffing around for another hour or so I gave up and rebuilt the unit from scratch last night.
I don't know what is going on but everything works fine this time around… I've compared the config.xml files and they are identical.
The problem is fixed but the issue is unresolved; guess we will never know.