ASA VPN Tunnel Phase 8 Subtype encrypt : DROP

Chewbakka1
Level 1

Hi,

I have set up a new VPN tunnel to a remote site, but the tunnel will not come up.

Running packet-tracer shows that the tunnel is failing with:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop

I have checked that the access-lists (encryption domain) match.

I have checked that the return traffic matches the same NAT rule as the outgoing traffic.

Any ideas what could be the cause for this?

I suspect this could be that the firewall does not have the source network directly connected, and that is why packet tracer cannot source the traffic correctly.

5 Replies

Chewbakka1
Level 1

When the source subnet, subject to encryption, is not directly connected, is it necessary to include the directly connected subnet in the access-list as well?

Show your configuration, otherwise it's really hard to say what's causing the issue.

Please do not forget to rate.

Digging further into the logs I found this:

Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED
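As an added example (not code from the thread or from Cisco), here is a small Python triage helper that parses packet-tracer output to locate the dropping phase and scans ASA syslog for the IKEv2 CAC rejection quoted above. The packet-tracer text and syslog lines below are constructed samples modelled on the thread, not captured from a real device.

```python
import re

# Constructed packet-tracer output modelled on the thread's Phase 8 drop.
PACKET_TRACER_OUTPUT = """\
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
"""

# Constructed syslog lines; the CAC line mirrors the one quoted in the thread.
SYSLOG_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 to inside:192.0.2.5/51000",
    "Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:192.0.2.5/51000 duration 0:00:01",
]

# One packet-tracer phase block: Phase / Type / Subtype / Result on consecutive lines.
PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (.*)\nSubtype: (.*)\nResult: (.*)$", re.M)
# Call Admission Control rejection message with its reason text.
CAC_RE = re.compile(r"IKEv2 SA request rejected by CAC\. Reason: (?P<reason>[A-Z\- ]+)")


def parse_phases(text):
    """Return (phase_number, type, subtype, result) for every phase block in packet-tracer output."""
    return [(int(n), t.strip(), s.strip(), r.strip()) for n, t, s, r in PHASE_RE.findall(text)]


def first_drop(phases):
    """Return the first phase whose result is DROP, or None if the trace allowed the packet."""
    return next((p for p in phases if p[3] == "DROP"), None)


def cac_rejections(lines):
    """Return the CAC rejection reasons found in a list of syslog lines."""
    return [m.group("reason").strip() for line in lines if (m := CAC_RE.search(line))]


def triage(pt_text, syslog_lines):
    """Combine both signals: a VPN/encrypt drop plus a CAC rejection points at SA negotiation, not the crypto map."""
    drop = first_drop(parse_phases(pt_text))
    reasons = cac_rejections(syslog_lines)
    if drop and drop[1:3] == ("VPN", "encrypt") and reasons:
        return "IKEv2 negotiation rejected by CAC: " + ", ".join(reasons)
    if drop:
        return "Dropped in phase %d (%s/%s); check ACL and NAT" % drop[:3]
    return "No drop in trace"


if __name__ == "__main__":
    print(triage(PACKET_TRACER_OUTPUT, SYSLOG_LINES))
```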

You may have found this already, but it seems like you're hitting this bug:

ASA IKEv2:L2L tunnel failing with IN-NEGOTIATION SA LIMIT REACHED
CSCug95008
yes, lovely
