S2S VPN interesting traffic not coming up

srikanth ath
Level 4

Hello Experts,

We have a site-to-site VPN set up to a client, and a new IP 67.22.X.X has recently been added over the VPN tunnel at both sides. I do see a successful Phase 2 tunnel up for 67.22.X.X,

but the encrypt/encaps counters are not incrementing over the tunnel if I generate traffic via packet-tracer. Unfortunately, I couldn't generate traffic from 67.22.X.X as it is a printer. But the client says they do see the traffic leaving their side of the tunnel when they try to access the printer (67.22.X.X), but I do not see anything on my side.

Kindly help me on this.

-ASAVPN201A# packet-tracer input Inside icmp 10.224.128.88 8 0 170.23.X.X

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.224.128.88 obj-67.22.X.X destination static XX_REMOTE XX_REMOTE description
Additional Information:
Static translate 10.224.128.88/0 to 67.22.X.X/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 409065573, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

-ASAVPN201A#

-ASAVPN201A# sh crypto ipsec sa peer 170.232.X.X | beg 67.22.X.X
      access-list outside_cryptomap_520 extended permit ip host 67.22.X.X host 170.23.X.X
      local ident (addr/mask/prot/port): (67.22.X.X/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (170.23.X.X/255.255.255.255/0/0)
      current_peer: 170.23.X.X

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 67.223.63.1/0, remote crypto endpt.: 170.232.32.14/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: DE0F8FBD
      current inbound spi : 3F762BC5

    inbound esp sas:
      spi: 0x3F762BC5 (1064709061)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 244334592, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28554)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xDE0F8FBD (3725561789)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 244334592, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28554)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
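One way to triage output like the above without reading every SA by hand: the script below, an added example that is not part of the post or of any Cisco tooling, parses the ident and counter lines of `show crypto ipsec sa` into one record per Phase 2 SA and classifies each as idle, one-way or healthy. The sample text is a constructed excerpt of the output quoted above with the same anonymised addresses, and the verdict rules are the example's own heuristics.

```python
import re

# Constructed sample: excerpt of the "show crypto ipsec sa" output quoted in the post.
SAMPLE = """\
      local ident (addr/mask/prot/port): (67.22.X.X/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (170.23.X.X/255.255.255.255/0/0)
      current_peer: 170.23.X.X

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_sa_blocks(text):
    """Split the output into one record per Phase 2 SA (one per 'local ident' line)."""
    records = []
    for chunk in re.split(r"(?=local ident )", text):
        if "local ident" not in chunk:
            continue
        sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
        for side, addr, mask in IDENT_RE.findall(chunk):
            sa[side] = f"{addr}/{mask}"
        for name, value in PKTS_RE.findall(chunk):
            sa[name] = int(value)
        for name, value in ERR_RE.findall(chunk):
            sa[name + "_errors"] = int(value)
        records.append(sa)
    return records


def diagnose(sa):
    """Heuristic verdict from the counters (this example's own rules, not vendor logic)."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"         # SA negotiated, but no packet matched it in either direction
    if sa["decaps"] == 0:
        return "one-way-out"  # we encrypt, nothing comes back: look at the remote side
    if sa["encaps"] == 0:
        return "one-way-in"   # remote sends, we never encrypt: look at local NAT/routing
    return "healthy"


def report(text):
    """Return (local, remote, verdict) for every SA found in the output."""
    return [(sa.get("local"), sa.get("remote"), diagnose(sa)) for sa in parse_sa_blocks(text)]
```

For the output in the post, `report(SAMPLE)` flags the 67.22.X.X SA as idle, which matches the zero encaps/decaps counters shown; a real run would feed it the full command output so every SA for the peer is classified at once.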

2 Replies

srikanth ath
Level 4

Kindly advise with your valuable inputs.

Kindly advise, experts.
