We have a bit of a strange one that's been ongoing for two days. A warehouse in Africa is down for several days now and the third party does not see our IKE traffic arriving on their ASA. We have pretty much done everything we can, even captured the traffic leaving our edge firewall. Their packets make it to ours, and we respond fine and see that leaving as well. Pings from us to them do get through as well. They are running 8.2(1). Anyone ever seen this sort of behavior?
I've asked them to verify or capture on their internet provider's CPE but I'm not sure how long that will take...
Exactly what I would guess: CPE of the provider. Is it behind a NAT?
It shouldn't be, they have a public IP on their outside interface. We agreed that they would span the CPE interface on the switch for a minute or so.
On our end, we are behind NAT, but this is working fine for us, with and without NAT-T, and we have 30+ tunnels without issues. We did have our share of bugs with the SRX but none so far with the latest JunOS version. And we also verify our packets going out to the ISP so my guess is either the ASA is glitching or it gets dropped on the internet.
I've run into issues in the past with sites in Asia and South America using Cisco ASA's. All the ISP's swore they weren't blocking IPsec packets. Each continent had a hub site but if it wasn't turned up yet we would connect the backups back to the US to our main DC. For some of sites the packets would never make it the rmeote sites but you could see ICMP hitting from the DC constantly. We also ran into the same issue with SSH not working and had to use Telnet from the US. We were less than pleased. We ended up having to tunnel to another site in country or at a few sites no backup tunnel at all.
It is very strange, I've received the pcap file now from in front of their FW and they are not getting anything back from us. Looking at the providers now, I need confirmation our IKE is crossing the router and what other providers are between us.
So both ends logged tickets with their ISPs and Thursday evening it magically started working again. We did some looking glass and there was only one AS between our and their ISP. Our provider says that they have been troubleshooting with the intermediate NOC and that they both saw the traffic getting through and they suspect it was the local ISP. They haven't provided any feedback in writing though. No surprise, the local ISP claims they haven't changed anything so this is now turning into politics...
One of them is...
:vendors:
Because the other one is...
:mssql: