Half of Site-to-Site Cisco VPN Not Passing Traffic
Issue:
A site-to-site VPN has been set up with a Palo Alto Networks firewall on one side and a Cisco ASA on the other. The VPN dropped momentarily, and since it came back online the ASA can reach hosts behind the PA, but the PA cannot reach hosts behind the ASA. How can it be determined which side is causing the problem?
Resolution:
When an IPsec peer receives an ESP packet whose SPI does not match any Security Association (SA) it holds, it sends an INVALID SPI notification back to the device that sent the packet. In this instance the PA device received the INVALID SPI message, so the PA was the sender of the unmatched packets (the initiator of that traffic) and the ASA was the responder. Because IPsec SAs are unidirectional, this fits the symptom exactly: the ASA's outbound SA toward the PA is still intact, so ASA-to-PA traffic passes, while the ASA no longer recognizes the SPI the PA is using toward it, so PA-to-ASA traffic is dropped. The ASA sent the INVALID SPI message, so it may have timed out or torn down its inbound SA for some reason while the PA kept using it. The logs from the responder (the ASA) will have more detail, and they should be analyzed to find out why it sent the INVALID SPI messages. Comparing the SPIs listed by show vpn ipsec-sa on the PA with those from show crypto ipsec sa on the ASA will confirm which side is holding a stale SA.
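The reasoning above can be checked with a small model of the tunnel. The following is an added example, not code from the original article or from either vendor: it models each peer's unidirectional inbound and outbound SAs, drops only the ASA's inbound SA as the article suggests happened, and shows that ASA-to-PA traffic keeps flowing while PA-to-ASA traffic triggers INVALID SPI at the PA. Peer names, SPI values and the SA tables are constructed for illustration.

```python
# Added example (not from the original article): a small model of a
# site-to-site IPsec tunnel that shows why one direction can keep working
# after the other peer loses an SA, and which side ends up receiving the
# INVALID SPI notification. Peer names, SPI values and the SA tables are
# constructed for illustration, not taken from any real device.
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    # Inbound SAs: SPI -> name of the remote peer that encrypts with it.
    # The SPI of an inbound SA is chosen by the receiving peer during IKE.
    inbound: dict = field(default_factory=dict)
    # Outbound SAs: remote peer name -> SPI we put in ESP packets to it.
    outbound: dict = field(default_factory=dict)
    # INVALID SPI notifications this peer has received: (from_peer, spi).
    invalid_spi_received: list = field(default_factory=list)


def negotiate(a: Peer, b: Peer, spi_a_to_b: int, spi_b_to_a: int) -> None:
    """Install the two unidirectional SAs that make up one IPsec SA pair."""
    a.outbound[b.name] = spi_a_to_b
    b.inbound[spi_a_to_b] = a.name
    b.outbound[a.name] = spi_b_to_a
    a.inbound[spi_b_to_a] = b.name


def send_esp(src: Peer, dst: Peer) -> str:
    """src sends one ESP packet to dst on its outbound SA.

    If dst still holds the matching inbound SA the packet is delivered.
    Otherwise dst cannot find an SA for that SPI and answers with an
    INVALID SPI notification, which the sender records.
    """
    spi = src.outbound[dst.name]
    if spi in dst.inbound:
        return "delivered"
    src.invalid_spi_received.append((dst.name, spi))
    return "invalid-spi"


def drop_inbound_sa(peer: Peer, spi: int) -> None:
    """Simulate a peer tearing down or timing out one inbound SA."""
    peer.inbound.pop(spi, None)


def diagnose(peer: Peer) -> str:
    """Name the side whose SA table is stale, based on who received
    INVALID SPI. The receiver of the notification is the sender of the
    unmatched packet; the peer that sent the notification is the one
    missing the SA and whose logs should be read."""
    if not peer.invalid_spi_received:
        return f"{peer.name}: no INVALID SPI received; problem is elsewhere"
    sender, spi = peer.invalid_spi_received[-1]
    return (f"{peer.name} is still sending on SPI {spi:#010x}; "
            f"{sender} no longer has an inbound SA for it, check {sender} logs")


def run_scenario():
    """The situation in the article: ASA -> PA works, PA -> ASA does not."""
    pa = Peer("PA")
    asa = Peer("ASA")
    negotiate(pa, asa, spi_a_to_b=0x0A1B2C3D, spi_b_to_a=0x1F2E3D4C)
    # Both directions work right after negotiation.
    before = (send_esp(asa, pa), send_esp(pa, asa))
    # The ASA drops only the SA it uses to decrypt PA -> ASA traffic.
    drop_inbound_sa(asa, 0x0A1B2C3D)
    after = (send_esp(asa, pa), send_esp(pa, asa))
    return before, after, diagnose(pa), diagnose(asa)


if __name__ == "__main__":
    for item in run_scenario():
        print(item)
```

The same logic applies in the other direction: had the PA been the side that lost its inbound SA, the ASA would be the one receiving INVALID SPI and the PA's ikemgr logs would be the place to look.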
owner: swhyte