ASA VPN Tunnel Phase 8 Subtype encrypt : DROP

Chewbakka1
Level 1

Hi,

I have set up a new VPN tunnel to a remote site, but the tunnel will not come up.

Running packet-tracer shows that the tunnel is failing with:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop

I have checked that the access-lists (encryption domain) match.

I have checked that the return traffic matches the same nat rule as for outgoing traffic.

Any ideas what could be the cause for this?

I suspect this could be that the firewall does not have the source network directly connected, and that is why packet tracer cannot source the traffic correctly.

5 Replies

Chewbakka1
Level 1

When the source subnet, subject to encryption, is not directly connected, is it necessary to include the directly connected subnet in the access-list as well?

Show your configuration, otherwise it's really hard to say what's causing the issue.

please do not forget to rate.

Digging further into the logs I found this:

Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC. Reason: IN-NEGOTIATION SA LIMIT REACHED
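Added example (not from the thread or from Cisco): a small Python helper that finds the first DROP phase in packet-tracer output and counts IKEv2 CAC rejections in syslog by reason, so the condition quoted above can be alerted on rather than found by hand. The sample trace and log lines are constructed from the messages quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample: the packet-tracer phases from the thread (earlier phases elided).
PACKET_TRACER_OUTPUT = """\
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
"""

# Constructed sample syslog lines; the CAC message is the one quoted in the thread.
SYSLOG_LINES = [
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443",
    "Local:0.0.0.0:0 Remote:0.0.0.0:0 Username:Unknown IKEv2 SA request rejected by CAC."
    " Reason: IN-NEGOTIATION SA LIMIT REACHED",
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443",
]

CAC_RE = re.compile(r"IKEv2 SA request rejected by CAC\. Reason:\s*(.+?)\s*$")

def parse_phases(output):
    """Return (phase, type, subtype, result) tuples; packet-tracer separates phases with blank lines."""
    phases = []
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Phase" in fields:  # the trailing summary block has no Phase key and is skipped
            phases.append((int(fields["Phase"]), fields.get("Type", ""),
                           fields.get("Subtype", ""), fields.get("Result", "")))
    return phases

def first_drop(output):
    """Return the first phase whose Result is DROP, or None when the trace allowed the packet."""
    return next((p for p in parse_phases(output) if p[3].upper() == "DROP"), None)

def cac_rejections(lines):
    """Count IKEv2 CAC rejections by reason so a spike in one reason can be alerted on."""
    return Counter(m.group(1) for line in lines if (m := CAC_RE.search(line)))
```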

You may have found this already, but it seems like you're hitting this bug:

ASA IKEv2: L2L tunnel failing with IN-NEGOTIATION SA LIMIT REACHED (CSCug95008)

yes, lovely
