We have an IPsec VPN which is terminated on an ASA. Around 200 tunnels are terminating on the ASA.
IP = 1.1.1.X. The remote sites' peer IP is 1.1.1.X.
Sometimes we are unable to reach the ASA (HUB) IP from a remote site, while the gateway of the HUB is reachable. When we change the remote site IP, it is reachable.
This happens for some time for multiple remote sites. I discussed it with Cisco TAC. They say the ISP is blocking. I don't think the ISP is blocking. I think something is happening with the HUB ASA.
I did a clear ARP many times on the remote and HUB ASA, but it was still not reachable. This happened only for the HUB ASA IP (1.1.1.X).
Please suggest if someone has faced the same issue.
Thanks & Regards
The HUB ASA gateway is 1.1.1.Y, and from the spoke I am able to ping 1.1.1.Y but not able to ping 1.1.1.X. There is no ICMP restriction on the HUB ASA using the icmp command. This happens for some sites.
Are you able to ping 1.1.1.Y from the HUB ASA?
If you do, the problem is probably with the routing table?
Do you have dual ISPs?
You can enable debug for ICMP using the command:
debug icmp trace 50
After debugging, do a continuous ping from the spoke and see if the packet is getting to the ASA.
From the HUB ASA I am able to ping 1.1.1.Y. There is only one ISP. I cannot do the debug; it's a datacenter firewall.
Sometimes I find the tunnel is up, but from the spoke I am not able to reach the HUB ASA IP.