09-11-2008 11:03 AM - edited 03-11-2019 06:43 AM
Hello,
I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.
Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.
Any idea?
Many thanks.
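A small script to spot the one-way SA symptom described in this post (encaps counters climbing while decaps stays at zero) from pasted "show crypto ipsec sa" output, added here as an example and not part of the original thread; the sample output is constructed, with addresses from documentation ranges.

```python
import re

# Constructed sample of ASA "show crypto ipsec sa" output (not from the thread).
# SA seq 40 shows the one-way symptom; SA seq 50 is a healthy bidirectional SA.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: IPSec-VPN, seq num: 40, local addr: 192.0.2.98
      current_peer: 203.0.113.5
      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: IPSec-VPN, seq num: 50, local addr: 192.0.2.98
      current_peer: 198.51.100.7
      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 861, #pkts decrypt: 861, #pkts verify: 861
      #send errors: 0, #recv errors: 0
"""

SA_HEADER = re.compile(r"Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
PEER = re.compile(r"current_peer: (\S+)")

def parse_ipsec_sas(output):
    """Split the output into one dict per SA with its peer and packet counters."""
    sas = []
    for line in output.splitlines():
        m = SA_HEADER.search(line)
        if m:  # a new SA block starts at each "Crypto map tag" line
            sas.append({"map": m.group(1), "seq": int(m.group(2)),
                        "local": m.group(3), "peer": None, "encaps": 0, "decaps": 0})
            continue
        if not sas:
            continue  # skip lines before the first SA block
        m = PEER.search(line)
        if m:
            sas[-1]["peer"] = m.group(1)
        for name, value in COUNTER.findall(line):
            sas[-1][name] = int(value)
    return sas

def one_way_sas(output, min_encaps=1):
    """Return SAs that encrypt outbound traffic but have never decapsulated any."""
    return [sa for sa in parse_ipsec_sas(output)
            if sa["encaps"] >= min_encaps and sa["decaps"] == 0]

if __name__ == "__main__":
    for sa in one_way_sas(SAMPLE_OUTPUT):
        print(f"seq {sa['seq']} to peer {sa['peer']}: {sa['encaps']} encaps, 0 decaps "
              "- check return routing, NAT exemption and the peer's crypto ACL")
```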
09-11-2008 11:09 AM
without seeing the other side, i suspect a routing issue there.
does "not under my administration" mean no one there can get on the phone and work the issue with you?
Thanks,
Joe
09-11-2008 11:21 AM
Hi Joe,
They didn't change anything from their side! It was fully working exactly before I migrated to the ASA!
09-11-2008 11:34 AM
Have you used the packet tracer feature in the ASDM?
I would run a packet from source to destination using your ASDM and see if it is fully going out as planned.
I suspect a stale xlate on the firewall; perhaps the other side that didn't change is hearing a different source than it wants?
Another option to consider is since the other side is using IOS (right?) they may be using GRE/IPSEC of some type and need to re-config to work with the ASA.
-Joe
09-11-2008 11:54 AM
09-11-2008 11:57 AM
on the asa do you have the command...
sysop connection permit-ipsec
?
09-11-2008 12:03 PM
yeah: sysopt connection permit-vpn ( there is no permit-ipsec)
09-11-2008 12:12 PM
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, use the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists.
Can you do some debugging on the ASA?
"debug crypto ipsec" and "debug crypto isakmp", and send us the output.
francisco
09-11-2008 12:18 PM
try "no crypto isakmp nat-traversal"
francisco
09-11-2008 12:21 PM
09-11-2008 12:27 PM
try from global "clear crypto ipsec sa" and "clear xlate". Also get them to do the same on the other side.
do a continuous ping to the other side
09-11-2008 12:30 PM
going back over the notes you provided;
see the issue now?
DE-DC-INT-FW01# show crypto ipsec sa
Crypto map tag: IPSec-VPN, seq num: 40, local addr: 213.184.187.98
and now...
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
bandwidth 1000
ip address 213.184.187.98 255.255.255.240
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1200
crypto map VPN
so, my question,
what is in front of the ASA, and does it ARP to reach the ASA to get to 213.184.187.98?
where does the ASA have this addr config'd?
-Joe
09-11-2008 12:33 PM
the 213.184.187.98 was the IP address of the outside interface of the router; now the router is removed and the same IP is configured on the outside interface of the ASA.
09-11-2008 12:36 PM
I noticed you don't have crypto isakmp enable [Inside Interface]
09-11-2008 12:37 PM
the vpn is terminated on the outside interface, so there is no need for isakmp on the inside, right?