Solved: Re: ASA 9.2 ipsec pkts encaps is 0

Aydin Ehtibarov · ‎07-19-2023

Dear community,

we are facing the issue explained below. packets are not being encapsulated, encrypted to the IPSec tunnel on following SA

10.118.32.0 255.255.240.0 10.100.0.0 255.255.255.0

ipsec sa clearing does not fix the problem.

asa version is ASA 9.2(2)4

FW1# packet-tracer input inside icmp 10.118.32.251 8 0 10.100.0.251 det

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa2d5ce40, priority=13, domain=capture, deny=false

hits=1492739, user_data=0x7fffa2266270, cs_id=0x0, l3_type=0x0

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0000.0000.0000

input_ifc=inside, output_ifc=any

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa2208ab0, priority=1, domain=permit, deny=false

hits=82519006, user_data=0x0, cs_id=0x0, l3_type=0x8

src mac=0000.0000.0000, mask=0000.0000.0000

dst mac=0000.0000.0000, mask=0100.0000.0000

input_ifc=inside, output_ifc=any

Phase: 3

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

in 10.100.0.0 255.255.255.0 via 188.0.129.65, outside

Phase: 4

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside,outside) source static aktau_networks aktau_networks destination static azersun_networks azersun_networks no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface outside

Untranslate 10.100.0.251/0 to 10.100.0.251/0

Phase: 5

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

in 10.118.32.0 255.255.255.0 inside

Phase: 6

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group inside_in in interface inside

access-list inside_in extended permit ip 10.118.32.0 255.255.240.0 any

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa310ce20, priority=13, domain=permit, deny=false

hits=33658, user_data=0x7fff9e2d3f80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=10.118.32.0, mask=255.255.240.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static aktau_networks aktau_networks destination static azersun_networks azersun_networks no-proxy-arp route-lookup

Additional Information:

Static translate 10.118.32.251/0 to 10.118.32.251/0

Forward Flow based lookup yields rule:

in id=0x7fffa307efb0, priority=6, domain=nat, deny=false

hits=394641, user_data=0x7fffa2eda160, cs_id=0x0, flags=0x0, protocol=0

src ip/id=10.118.32.0, mask=255.255.240.0, port=0, tag=0

dst ip/id=10.100.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=outside

Phase: 8

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa1604d20, priority=0, domain=nat-per-session, deny=true

hits=14868368, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 9

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa2e4a150, priority=0, domain=inspect-ip-options, deny=true

hits=5320034, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 10

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa2109520, priority=70, domain=inspect-icmp, deny=false

hits=63772, user_data=0x7fffa2e5df90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 11

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in id=0x7fffa2e49f50, priority=66, domain=inspect-icmp-error, deny=false

hits=63772, user_data=0x7fffa2115770, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=any

Phase: 12

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7fffa184a260, priority=70, domain=encrypt, deny=false

hits=481343, user_data=0x8e5650c, cs_id=0x7fffa2d567f0, reverse, flags=0x0, protocol=0

src ip/id=10.118.32.0, mask=255.255.240.0, port=0, tag=0

dst ip/id=10.100.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=outside

Phase: 13

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside,outside) source static aktau_networks aktau_networks destination static azersun_networks azersun_networks no-proxy-arp route-lookup

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7fffa3671050, priority=6, domain=nat-reverse, deny=false

hits=399784, user_data=0x7fffa22b1cb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=10.118.32.0, mask=255.255.240.0, port=0, tag=0

dst ip/id=10.100.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0

input_ifc=inside, output_ifc=outside

Phase: 14

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0x7fff9ab1f560, priority=70, domain=ipsec-tunnel-flow, deny=false

hits=616087, user_data=0x8e5954c, cs_id=0x7fffa2d567f0, reverse, flags=0x0, protocol=0

src ip/id=10.100.0.0, mask=255.255.255.0, port=0, tag=0

dst ip/id=10.118.32.0, mask=255.255.240.0, port=0, tag=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 15

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0x7fffa1604d20, priority=0, domain=nat-per-session, deny=true

hits=14868370, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=any, output_ifc=any

Phase: 16

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in id=0x7fffa2cfc970, priority=0, domain=inspect-ip-options, deny=true

hits=17030658, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0

input_ifc=outside, output_ifc=any

Phase: 17

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 26223998, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

===========================================================================

FW1# sh capture mon

2 packets captured

1: 02:04:56.656872 10.118.32.251 > 10.100.0.251: icmp: echo request

2: 02:04:58.654461 10.118.32.251 > 10.100.0.251: icmp: echo request

2 packets shown

============================================================================

Crypto map tag: crypto_map_outside_1, seq num: 2, local addr: 188.0.129.126

access-list vpn_azersun extended permit ip 10.118.32.0 255.255.240.0 10.100.0.0 255.255.255.0

local ident (addr/mask/prot/port): (10.118.32.0/255.255.240.0/0/0)

remote ident (addr/mask/prot/port): (10.100.0.0/255.255.255.0/0/0)

current_peer: 185.230.199.240

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 6417, #pkts decrypt: 6417, #pkts verify: 6417

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#TFC rcvd: 0, #TFC sent: 0

#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 188.0.129.126/500, remote crypto endpt.: 185.230.199.240/500

path mtu 1500, ipsec overhead 78(44), media mtu 1500

PMTU time remaining (sec): 0, DF policy: copy-df

ICMP error validation: disabled, TFC packets: disabled

current outbound spi: 7BAFAE72

current inbound spi : 79A4F213

inbound esp sas:

spi: 0x79A4F213 (2040853011)

transform: esp-aes-256 esp-sha-256-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }

slot: 0, conn_id: 2789376, crypto-map: crypto_map_outside_1

sa timing: remaining key lifetime (kB/sec): (4146861/24761)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0xFFFFFFFF 0xFFFFFFFF

outbound esp sas:

spi: 0x7BAFAE72 (2075111026)

transform: esp-aes-256 esp-sha-256-hmac no compression

in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }

slot: 0, conn_id: 2789376, crypto-map: crypto_map_outside_1

sa timing: remaining key lifetime (kB/sec): (3916800/24761)

IV size: 16 bytes

replay detection support: Y

Anti replay bitmap:

0x00000000 0x00000001

MHM Cisco World · ‎07-19-2023

clear crypto ipsec sa inactive <<- do this and then try ping again from side to side

View solution in original post

MHM Cisco World · ‎07-19-2023

seq num: 2 <<- there are two IPSec Seq for same MAP,
check the ACL for both there is conflict

Aydin Ehtibarov · ‎07-19-2023

seq number 2 is about this i think:

crypto map crypto_map_outside_1 2 match address vpn_azersun
crypto map crypto_map_outside_1 2 set pfs group14
crypto map crypto_map_outside_1 2 set peer 185.230.199.240
crypto map crypto_map_outside_1 2 set ikev2 ipsec-proposal Azersun_VPN
crypto map crypto_map_outside_1 2 set reverse-route

there is no seq number 1 there , this is first ipsec starting from seq number 2

MHM Cisco World · ‎07-19-2023

show asp table vpn-context detail

share this please

Aydin Ehtibarov · ‎07-19-2023

here it is

FW1# show asp table vpn-context detail

VPN CTX = 0x0910057C

Peer IP = 10.21.48.0
Pointer = 0xA20B97A0
State = UP
Flags = DECR+ESP+PRESERVE
SA = 0x2B1D5E89
SPI = 0xA7E77DF5
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x090FF7FC

Peer IP = 10.21.48.0
Pointer = 0xA2180C70
State = UP
Flags = ENCR+ESP+PRESERVE
SA = 0x2B1DAE8F
SPI = 0x58BEFA74
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x090FD6E4

Peer IP = 10.10.19.20
Pointer = 0xA31C0150
State = UP
Flags = DECR+ESP+PRESERVE
SA = 0x2B1C7853
SPI = 0xF810C799
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x090FAE04

Peer IP = 10.10.19.20
Pointer = 0xA1844290
State = UP
Flags = ENCR+ESP+PRESERVE
SA = 0x2B1CB591
SPI = 0xFD4653A1
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x090B1A1C

Peer IP = 10.100.4.0
Pointer = 0xA3100380
State = UP
Flags = DECR+ESP
SA = 0x2B092B71
SPI = 0x07527A52
Group = 0
Pkts = 7494
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x090AFB1C

Peer IP = 10.100.4.0
Pointer = 0xA31C6420
State = UP
Flags = ENCR+ESP
SA = 0x2B099D57
SPI = 0xB420FAA2
Group = 0
Pkts = 7068
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x090A4C94

Peer IP = 10.100.212.1
Pointer = 0xA2F8F520
State = UP
Flags = DECR+ESP
SA = 0x2B0615DF
SPI = 0x5D8CDD17
Group = 1
Pkts = 407
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x090A2C74

Peer IP = 10.100.212.1
Pointer = 0xA22CC770
State = UP
Flags = ENCR+ESP
SA = 0x2B06F22D
SPI = 0xC887A5DE
Group = 1
Pkts = 407
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x0909C5A4

Peer IP = 10.100.0.0
Pointer = 0xA2D67CF0
State = UP
Flags = DECR+ESP
SA = 0x2B043483
SPI = 0x79A4F213
Group = 1
Pkts = 25913
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x0909BFC4

Peer IP = 10.100.0.0
Pointer = 0xA30106D0
State = UP
Flags = ENCR+ESP
SA = 0x2B04F601
SPI = 0x7BAFAE72
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x090980CC

Peer IP = 192.168.5.20
Pointer = 0xA30B4200
State = UP
Flags = DECR+ESP
SA = 0x2B035B3D
SPI = 0x0CF9995C
Group = 2
Pkts = 132
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x09096E8C

Peer IP = 192.168.5.20
Pointer = 0xA30F9790
State = UP
Flags = ENCR+ESP
SA = 0x2B039F33
SPI = 0x2ACB4FBB
Group = 1
Pkts = 4954
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x09094DB4

Peer IP = 192.168.0.220
Pointer = 0xA222BAA0
State = UP
Flags = DECR+ESP
SA = 0x2B0270E7
SPI = 0x37E4A9BA
Group = 1
Pkts = 14094
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x09093E14

Peer IP = 192.168.0.220
Pointer = 0xA3055F30
State = UP
Flags = ENCR+ESP
SA = 0x2B02A495
SPI = 0x51E6F07F
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = vpn_azersun_gp

VPN CTX = 0x08F85CD4

Peer IP = 192.168.5.15
Pointer = 0xA302FBB0
State = UP
Flags = DECR+ESP
SA = 0x2AB98677
SPI = 0x83873528
Group = 1
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08F835B4

Peer IP = 192.168.5.15
Pointer = 0xA1DE4780
State = UP
Flags = ENCR+ESP
SA = 0x2ABA6477
SPI = 0x2A8DC3FC
Group = 1
Pkts = 180
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08E5CE24

Peer IP = 172.16.77.17
Pointer = 0xA2F8F830
State = UP
Flags = DECR+ESP
SA = 0x2A68523B
SPI = 0x7A6278EA
Group = 1
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08E5BA44

Peer IP = 172.16.77.17
Pointer = 0xA2C3CF30
State = UP
Flags = ENCR+ESP
SA = 0x2A694EB1
SPI = 0xD53E2EFA
Group = 1
Pkts = 14652
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08E5954C

Peer IP = 10.100.0.0
Pointer = 0xA1E31070
State = UP
Flags = DECR+ESP
SA = 0x2A672435
SPI = 0xE54497C6
Group = 977
Pkts = 46
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08E5650C

Peer IP = 10.100.0.0
Pointer = 0xA31A7260
State = UP
Flags = ENCR+ESP
SA = 0x2A67C0CB
SPI = 0x499B3FBF
Group = 965
Pkts = 1519994
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08CE4814

Peer IP = 192.168.0.220
Pointer = 0xA2138770
State = UP
Flags = DECR+ESP
SA = 0x29E77D35
SPI = 0xEAE96334
Group = 0
Pkts = 7
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08CE25F4

Peer IP = 192.168.0.220
Pointer = 0xA2150D20
State = UP
Flags = ENCR+ESP
SA = 0x29E7A5CB
SPI = 0x64A7188A
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08A616BC

Peer IP = 10.10.19.20
Pointer = 0xA2B85B10
State = UP
Flags = DECR+ESP
SA = 0x2914A861
SPI = 0x5A53133E
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08A5E63C

Peer IP = 10.10.19.20
Pointer = 0xA1E3B8C0
State = UP
Flags = ENCR+ESP
SA = 0x29152119
SPI = 0x210A50D0
Group = 0
Pkts = 0
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08A59D4C

Peer IP = 192.168.0.220
Pointer = 0xA2227AF0
State = UP
Flags = DECR+ESP
SA = 0x2912F0F5
SPI = 0x3F0B95BB
Group = 0
Pkts = 58
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

VPN CTX = 0x08A56D0C

Peer IP = 192.168.0.220
Pointer = 0xA1DE6990
State = UP
Flags = ENCR+ESP
SA = 0x2913201D
SPI = 0x9A08785F
Group = 0
Pkts = 58
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0
VPN Filter = <none>

MHM Cisco World · ‎07-19-2023

clear crypto ipsec sa inactive <<- do this and then try ping again from side to side

Aydin Ehtibarov · ‎07-19-2023

It solved the issue. Thank you for your valuable support. Could you please share with us, what conditions lead to this result and how we can prevent this problem from happening again.

MHM Cisco World · ‎07-19-2023

First you are so welcome

Second I will share how I detect issue from info you share.