cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
209
Views
0
Helpful
5
Replies

ASA to IOS router Site-to-Site VPN stopped passing traffic

acarlock
Beginner
Beginner

Everything was fine until last night.  The VPN was passing traffic just fine.  I have not made any changes to the PVN recently (I even compared the configs to weeks ago, and the VPN portions are exactly the same).  Where can I start looking?  I've restarted the remote IOS router, but I have not restarted the ASA as it serves our headquarters.  I've tried going into the ASDM/Monitoring/VPN Statistics/Sessions, right clicked the tunnel and clicked Logout to refresh the connection.  It shows that it's connected, but I can't ping the IOS router from the ASA site, or the ASA from the IOS router side, so it's not passing traffic any more.  I'm not sure what commands to run to troubleshoot or what output to look at that indicates what the problem could be.

 

Thanks for any thoughts.

-Alex

2 Accepted Solutions

Accepted Solutions

Pranay Prasoon
Participant
Participant

when you try to ping other location over VPN tunnel take output of on both router and ASA

"show crypto isakmp sa"

"show crypto ipsec sa"

 

You can also take output of

"debug crypto isakmp" and see where it fails.

 

 

View solution in original post

johnlloyd_13
Engager
Engager

hi alex,

are the two peers able to ping each other's WAN/public IP?

try to issue these commands, if still not working try to re-create the S2S VPN config.

clear crypto isakmp sa
clear crypto ipsec sa

View solution in original post

5 Replies 5

Pranay Prasoon
Participant
Participant

when you try to ping other location over VPN tunnel take output of on both router and ASA

"show crypto isakmp sa"

"show crypto ipsec sa"

 

You can also take output of

"debug crypto isakmp" and see where it fails.

 

 

Thank you for this. show crypto ipsec sa showed me what I needed to figure this out.  Someone else helped me read the output as I wasn't sure what I was looking at.  Here's what they told me:

Looking at the ASA ipsec statistics.

access-list Remote_split extended permit ip 10.0.10.0 255.255.255.0 10.0.15.0 255.255.255.0          

      #pkts encaps: 12570, #pkts encrypt: 12570, #pkts digest: 12570

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 

Zero decrypt count indicates that there was no ESP packets coming from the router side.

 

The router statistics shows

   local  ident (addr/mask/prot/port): (10.0.15.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)

   current_peer xxx.xxx.xxx.xxx port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 51717, #pkts encrypt: 51717, #pkts digest: 51717

    #pkts decaps: 51222, #pkts decrypt: 51222, #pkts verify: 51222

 

Encrypt and decrypt are both happening.

This means that the router is encrypting the reply packets and is sending.

 

From the logs so far it looks like the esp packets from the router is not reaching the ASA which might be due to a one sided ESP block.

 

I contacted our ISP and they re-set our cable modem and re-applied our static IP address.  Allowed packets to flow in both directions properly and things are working again now.

 

Thank you for pointing me in the right direction.

Great

Note:- Please mark post as answered, if this helped you to resolve the problem.

Pranay Prasoon
Participant
Participant

This is a good link to troubleshoot

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

johnlloyd_13
Engager
Engager

hi alex,

are the two peers able to ping each other's WAN/public IP?

try to issue these commands, if still not working try to re-create the S2S VPN config.

clear crypto isakmp sa
clear crypto ipsec sa

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers