Everything was fine until last night. The VPN was passing traffic just fine. I have not made any changes to the VPN recently (I even compared the configs to weeks ago, and the VPN portions are exactly the same). Where can I start looking? I've restarted the remote IOS router, but I have not restarted the ASA as it serves our headquarters. I've tried going into the ASDM/Monitoring/VPN Statistics/Sessions, right-clicked the tunnel and clicked Logout to refresh the connection. It shows that it's connected, but I can't ping the IOS router from the ASA site, or the ASA from the IOS router side, so it's not passing traffic any more. I'm not sure what commands to run to troubleshoot or what output to look at that indicates what the problem could be.
Thanks for any thoughts.
Thank you for this. show crypto ipsec sa showed me what I needed to figure this out. Someone else helped me read the output as I wasn't sure what I was looking at. Here's what they told me:
Looking at the ASA ipsec statistics.
access-list Remote_split extended permit ip 10.0.10.0 255.255.255.0 10.0.15.0 255.255.255.0
#pkts encaps: 12570, #pkts encrypt: 12570, #pkts digest: 12570
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Zero decrypt count indicates that there were no ESP packets coming from the router side.
The router statistics show
local ident (addr/mask/prot/port): (10.0.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
#pkts encaps: 51717, #pkts encrypt: 51717, #pkts digest: 51717
#pkts decaps: 51222, #pkts decrypt: 51222, #pkts verify: 51222
Encrypt and decrypt are both happening.
This means that the router is encrypting the reply packets and is sending them.
From the logs so far it looks like the ESP packets from the router are not reaching the ASA, which might be due to a one-sided ESP block.
I contacted our ISP and they reset our cable modem and re-applied our static IP address. That allowed packets to flow in both directions properly and things are working again now.
Thank you for pointing me in the right direction.
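Added example, not part of the original posts: a small Python script that applies the same reading of the show crypto ipsec sa counters to both ends of a tunnel and names the direction in which ESP is being lost. The function names are hypothetical, and it assumes each excerpt has been trimmed to a single SA.

```python
import re

# Counter format as shown in the "show crypto ipsec sa" excerpts in the post above.
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

# Counter lines copied from the post; each excerpt covers a single SA.
ASA_OUT = """#pkts encaps: 12570, #pkts encrypt: 12570, #pkts digest: 12570
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0"""
ROUTER_OUT = """#pkts encaps: 51717, #pkts encrypt: 51717, #pkts digest: 51717
#pkts decaps: 51222, #pkts decrypt: 51222, #pkts verify: 51222"""


def parse_counters(output):
    """Return {'encaps': n, 'decaps': n} from one peer's counter lines."""
    found = {name: int(value) for name, value in COUNTER.findall(output)}
    missing = {"encaps", "decaps"} - found.keys()
    if missing:
        raise ValueError("counters not found: " + ", ".join(sorted(missing)))
    return found


def diagnose(name_a, out_a, name_b, out_b):
    """Compare both ends of one tunnel and report each direction that looks broken."""
    a, b = parse_counters(out_a), parse_counters(out_b)
    findings = []
    # Check each direction: the sender's encaps against the receiver's decaps.
    for tx_name, tx, rx_name, rx in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if tx["encaps"] == 0:
            findings.append(f"{tx_name} has encrypted nothing: "
                            f"no traffic is entering the tunnel there")
        elif rx["decaps"] == 0:
            findings.append(f"{tx_name} is encrypting but {rx_name} has decrypted "
                            f"nothing: ESP is lost on the path {tx_name} -> {rx_name}")
    return findings or ["both directions show encrypt and decrypt counts"]


if __name__ == "__main__":
    for line in diagnose("ASA", ASA_OUT, "router", ROUTER_OUT):
        print(line)
```

The counters are cumulative for the life of each SA, so the totals on the two ends do not have to match; what matters is a receiver stuck at zero while its peer keeps encrypting.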