Site to Site VPN cant ping

jaggallagher
Level 1

I have set up a site-to-site VPN between a Cisco ASA 5508-X and a Cisco ISR 4531. The tunnel is showing up but I cannot ping between the tunnels. When I ping it goes out one hop and then I get the !N.

Here are some show commands from the ASA and router.

ciscoasa(config)# sho crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 38.120.64.40
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

ciscoasa(config)# show crypto ipsec sa peer 38.120.64.40
peer address: 38.120.64.40
Crypto map tag: outside_map0, seq num: 1, local addr: 156.14.172.165

access-list outside_cryptomap_1 extended permit ip 192.168.0.0 255.255.0.0 172.22.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.22.0.0/255.255.0.0/0/0)
current_peer: 38.120.64.40


#pkts encaps: 792, #pkts encrypt: 792, #pkts digest: 792
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 792, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 156.14.172.165/0, remote crypto endpt.: 38.120.64.40
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F9D57733
current inbound spi : 67814DAE

inbound esp sas:
spi: 0x67814DAE (1736527278)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 5241, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4374000/1649)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xF9D57733 (4191516467)
SA State: active
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 5241, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373956/1649)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ciscorouter#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
38.120.64.40 156.14.172.165 QM_IDLE 16243 ACTIVE

IPv6 Crypto ISAKMP SA

ciscorouter#show crypto ipsec sa peer 156.14.172.165

interface: GigabitEthernet0/0/1
Crypto map tag: SDM_CMAP_1, local addr 38.120.64.40

protected vrf: (none)
local ident (addr/mask/prot/port): (38.120.64.40/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (156.14.172.165/255.255.255.255/0/0)
current_peer 156.14.172.165 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 3888, #recv errors 0

local crypto endpt.: 38.120.64.40, remote crypto endpt.: 156.14.172.165
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (172.22.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
current_peer 156.14.172.165 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 23724, #pkts decrypt: 23724, #pkts verify: 23724
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 38.120.64.40, remote crypto endpt.: 156.14.172.165
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xA7CCC336(2815214390)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x4FF06DF5(1341156853)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2337, flow_id: ESG:337, sibling_flags FFFFFFFF80000048, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4607970/3067)
IV size: 8 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xA7CCC336(2815214390)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2338, flow_id: ESG:338, sibling_flags FFFFFFFF80000048, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4608000/3067)
IV size: 8 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Traceroute from the router to the network on the ASA:

ciscorouter#traceroute 192.168.2.24
Type escape sequence to abort.
Tracing the route to  (192.168.2.24)
VRF info: (vrf in name/id, vrf out name/id)
1 gi0-0-0-11.rcr11.ilg01.atlas.cogentco.com (338.120.64.39) 1 msec 2 msec 1 msec
2 be2039.rcr21.phl01.atlas.cogentco.com (154.24.5.49) !N * *

2 Replies

@jaggallagher don't test from the router or ASA itself.

Test from a device behind the VPN devices, from an IP address that is defined in the interesting traffic crypto ACL.

If you have NAT rules defined, check to ensure you have NAT exemption rules to ensure traffic is not unintentionally translated.

ISR router decrypts but does not encrypt!!

If you have configured dynamic NAT on the outside of the ISR router, then you must deny the traffic passing through IPsec from the dynamic NAT.
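As an added example (not from this thread, and not Cisco code), here is a small Python script that reads the counter blocks of the two `show crypto ipsec sa` outputs above, flags the one-way pattern both replies point at (the ASA encapsulates but never decapsulates, the ISR decapsulates but never encapsulates), and derives the IOS NAT-exemption deny entries from the proxy identities. The function names (`parse_flows`, `mirror_check`, `nat_exemption_lines`) and the placement of the deny lines at the top of the router's NAT ACL are assumptions; the sample text is the thread's own output trimmed to the lines the parser reads.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Address

# Constructed sample input: the proxy-identity and counter lines from the two
# "show crypto ipsec sa" outputs pasted in the thread, trimmed to what the parser reads.
ASA_SHOW = """\
Crypto map tag: outside_map0, seq num: 1, local addr: 156.14.172.165
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.22.0.0/255.255.0.0/0/0)
#pkts encaps: 792, #pkts encrypt: 792, #pkts digest: 792
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

ROUTER_SHOW = """\
Crypto map tag: SDM_CMAP_1, local addr 38.120.64.40
local ident (addr/mask/prot/port): (38.120.64.40/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (156.14.172.165/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 3888, #recv errors 0
local ident (addr/mask/prot/port): (172.22.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 23724, #pkts decrypt: 23724, #pkts verify: 23724
#send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER_RE = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors:?\s*(\d+)"),  # ASA prints a colon here, IOS does not
}


@dataclass
class Flow:
    local_net: str
    local_mask: str
    remote_net: str
    remote_mask: str
    encaps: int
    decaps: int
    send_errors: int

    def verdict(self) -> str:
        """Classify the SA pair from its counters alone."""
        if self.encaps and self.decaps:
            return "bidirectional"
        if self.encaps:
            return "sending-only"    # we encrypt, nothing ever comes back from the peer
        if self.decaps:
            return "receiving-only"  # we decrypt but never encrypt a reply: check NAT/crypto ACL here
        return "idle"                # nothing matched this proxy identity


def parse_flows(show_output: str) -> list[Flow]:
    """Split the output into one block per proxy identity and read each block's counters."""
    starts = [m.start() for m in re.finditer(r"local ident", show_output)]
    flows = []
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(show_output)
        block = show_output[start:end]
        idents = {m.group(1): (m.group(2), m.group(3)) for m in IDENT_RE.finditer(block)}
        counters = {}
        for name, rx in COUNTER_RE.items():
            m = rx.search(block)
            counters[name] = int(m.group(1)) if m else 0
        flows.append(Flow(*idents["local"], *idents["remote"], **counters))
    return flows


def mirror_check(side_a: list[Flow], side_b: list[Flow]) -> list[tuple[str, bool, bool]]:
    """Pair each flow on side A with its mirror on side B; report which direction carries traffic."""
    results = []
    for a in side_a:
        for b in side_b:
            mirrored = (a.local_net, a.local_mask, a.remote_net, a.remote_mask) == (
                b.remote_net, b.remote_mask, b.local_net, b.local_mask)
            if mirrored:
                label = f"{a.local_net}/{a.local_mask} -> {a.remote_net}/{a.remote_mask}"
                results.append((label, a.encaps > 0 and b.decaps > 0, b.encaps > 0 and a.decaps > 0))
    return results


def wildcard(netmask: str) -> str:
    """Convert a dotted netmask to the inverse (wildcard) mask that IOS ACLs use."""
    return str(IPv4Address(0xFFFFFFFF ^ int(IPv4Address(netmask))))


def nat_exemption_lines(flows: list[Flow]) -> list[str]:
    """IOS extended-ACL deny entries that keep VPN traffic out of dynamic NAT.

    Assumed placement: at the top of the ACL referenced by the router's
    "ip nat inside source" statement, above its permit lines. Host-to-host
    entries for the peers themselves are skipped; they are not LAN traffic.
    """
    lines = []
    for f in flows:
        if f.local_mask == "255.255.255.255" and f.remote_mask == "255.255.255.255":
            continue
        lines.append(f"deny ip {f.local_net} {wildcard(f.local_mask)} "
                     f"{f.remote_net} {wildcard(f.remote_mask)}")
    return lines


if __name__ == "__main__":
    asa, router = parse_flows(ASA_SHOW), parse_flows(ROUTER_SHOW)
    for name, flows in (("ASA", asa), ("ISR", router)):
        for f in flows:
            print(f"{name}: {f.local_net}/{f.local_mask} -> {f.remote_net}/{f.remote_mask}: "
                  f"encaps={f.encaps} decaps={f.decaps} send_errors={f.send_errors} => {f.verdict()}")
    for label, a_to_b, b_to_a in mirror_check(asa, router):
        print(f"{label}: ASA->ISR {'ok' if a_to_b else 'NO'}, ISR->ASA {'ok' if b_to_a else 'NO'}")
    print("NAT exemption for the ISR:", *nat_exemption_lines(router), sep="\n  ")
```

On the thread's output the script reports the ASA flow as sending-only and the ISR's LAN flow as receiving-only, the mirror check shows ASA-to-ISR traffic arriving and nothing returning, and the generated entry is `deny ip 172.22.0.0 0.0.255.255 192.168.0.0 0.0.255.255`, which is the exemption the second reply is describing. Re-run it after the change: the fix has worked when both `encaps` and `decaps` climb on both sides while pinging from a host inside the crypto ACL, as the first reply recommends.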
