show cry ipsec sa peer x.x.x.x

peer address: x.x.x.x
    Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

      access-list outside_1_cryptomap extended permit ip 10.110.0.0 255.255.254.0 any
      local ident (addr/mask/prot/port): (10.110.0.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 74.118.144.20

      #pkts encaps: 84167611, #pkts encrypt: 83815573, #pkts digest: 83815575
      #pkts decaps: 82983265, #pkts decrypt: 82983261, #pkts verify: 82983261
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 84167614, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 7865, #pre-frag failures: 359886, #fragments created: 15730
      #PMTUs sent: 359886, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 1, #recv errors: 2

      local crypto endpt.: 4.14.16.134, remote crypto endpt.: 74.118.144.20

      path mtu 1400, ipsec overhead 74, media mtu 1500
      current outbound spi: B60AA40D
      current inbound spi : E70E807A

    inbound esp sas:
      spi: 0xE70E807A (3876487290)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (2930383/24654)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xB60AA40D (3054150669)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 135168, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3554141/24654)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hi Charlie,

Seems like an AMAZON tunnel config  :)

Anyways could you provide the following debugs:

debug sla monitor trace
debug sla monitor error

Use undebug all to stop the debugs.

Regards,

Aditya

No idea what you mean by the AMAZON tunnel config, but I'll take your word for it.

I see this in the logs.
6|Apr 21 2016 09:46:07|110003: Routing failed to locate next hop for icmp from NP Identity Ifc:10.110.0.1/0 to inside:10.170.14.51/0

yet the system is reachable.

Hi Charlie,

Do you have Management-access inside command configured ?

Regards,

Aditya

Yes sir.

'management-access inside'

Hi,

Please share the show version of the ASA.

8.2(5)

Hi Charlie,

I think this may not work as there is already an enhancement request filed for this :

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtn29607/?reffering_site=dumpcr

Regards,

Aditya

Please rate helpful posts.

Hi Charlie,

I would request to close the discussion in case your query has been answered.

Regards,

Aditya

Yes. Thanks. I'm looking into the link you posted.

show run sla mon
sla monitor 100
 type echo protocol ipIcmpEcho 10.170.14.51 interface inside
 timeout 300
 frequency 3
sla monitor schedule 100 life forever start-time now

Neither.

I have a basic default route pointing to my ISP, and all traffic except the tunnel itself is forwarded by the tunnel to the remote side.

The system in question is reachable.