there is no traffic pass through ipsec site-to-site tunnel until or unless I clear crypto ipsec sa peer IP

animesh.mishra
Level 1

Hi Experts, 

Having an issue with one tunnel only on an ASA5516, Version 9.5(2).

At the moment, I receive a call from the helpdesk that it has again stopped working, "please do something"; then I clear the IPsec peer in time and it starts working again.


What I inspected:

1. When I type show vpn-sess l2l, that peer's Bytes RX is stuck while Bytes TX keeps changing.

2. When I clear, both TX/RX become zero.


Please help. 
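As an added illustration (not part of the original post), a small Python check that compares two successive polls of the L2L session counters and flags a peer whose Bytes Rx is frozen while Bytes Tx keeps growing, which is the symptom described above. The sample output is constructed and only loosely modelled on "show vpn-sessiondb l2l"; peer addresses are documentation ranges.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output, loosely modelled on 'show vpn-sessiondb l2l';
# two polls a few minutes apart. Peer 203.0.113.10 shows the one-way symptom.
POLL_1 = """\
Connection   : 203.0.113.10
Bytes Tx     : 1048576                 Bytes Rx     : 524288
Connection   : 198.51.100.20
Bytes Tx     : 2048000                 Bytes Rx     : 1024000
"""
POLL_2 = """\
Connection   : 203.0.113.10
Bytes Tx     : 1310720                 Bytes Rx     : 524288
Connection   : 198.51.100.20
Bytes Tx     : 2304000                 Bytes Rx     : 1150000
"""

PEER_RE = re.compile(r"^Connection\s*:\s*(\S+)")
BYTES_RE = re.compile(r"^Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)")


def parse_l2l(text: str) -> Dict[str, Tuple[int, int]]:
    """Map peer address -> (bytes_tx, bytes_rx) from one poll of the output."""
    peers: Dict[str, Tuple[int, int]] = {}
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = BYTES_RE.match(line)
        if m and current:
            peers[current] = (int(m.group(1)), int(m.group(2)))
    return peers


def stuck_rx_peers(prev: Dict[str, Tuple[int, int]],
                   curr: Dict[str, Tuple[int, int]]) -> List[str]:
    """Peers whose Tx counter advanced between polls but whose Rx did not."""
    flagged: List[str] = []
    for peer, (tx, rx) in curr.items():
        if peer not in prev:
            continue  # tunnel came up since the last poll; nothing to compare
        ptx, prx = prev[peer]
        if tx < ptx or rx < prx:
            continue  # counters went backwards: SA was cleared, skip this interval
        if tx > ptx and rx == prx:
            flagged.append(peer)
    return flagged
```

Run it periodically and alert on the flagged list before the helpdesk calls; a flagged peer is the one whose routing on both sides is worth checking.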


2 Replies

AlexPi
Level 1

Hello Animesh,


If the receive side stops and the transmit continues, I would suspect that there are two routes coming into that IP where you have the specific IPsec tunnel configured. So traffic establishes through the correct route and then, for some reason, it goes through another, at which point you stop receiving traffic on the specific IPsec tunnel. When the latter occurs you are in a situation of asymmetric routing.


Note that this is an issue that can have other causes as well, but from the information you provided I would check the routing tables, on both sides of the tunnel, to begin with and try to establish that there is only one route for the specific traffic.


Hope that helps.


Interesting assumption; I am curious about it.
@animesh.mishra can you post the relevant VPN config and routing?

Thanks!