12-03-2013 07:16 PM - edited 03-07-2019 04:54 PM
Hello Experts,
We have a site-to-site VPN set up to a client, and a new IP 67.22.X.X has recently been added over the VPN tunnel at both sides. I do see a successful Phase 2 tunnel up for 67.22.X.X,
but the encrypt/encaps are not incrementing over the tunnel if I generate traffic via packet-tracer. Unfortunately, I couldn't generate traffic from 67.22.X.X as it is a printer. But the client says they do see the traffic leaving their side of the tunnel when they try to access the printer (67.22.X.X), but I do not see anything on my side.
Kindly help me with this.
-ASAVPN201A# packet-tracer input Inside icmp 10.224.128.88 8 0 170.23.X.X
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.224.128.88 obj-67.22.X.X destination static XX_REMOTE XX_REMOTE description
Additional Information:
Static translate 10.224.128.88/0 to 67.22.X.X/0
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 409065573, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
-ASAVPN201A#
-ASAVPN201A# sh crypto ipsec sa peer 170.232.X.X | beg 67.22.X.X
access-list outside_cryptomap_520 extended permit ip host 67.22.X.X host 170.23.X.X
local ident (addr/mask/prot/port): (67.22.X.X/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (170.23.X.X/255.255.255.255/0/0)
current_peer: 170.23.X.X
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.223.63.1/0, remote crypto endpt.: 170.232.32.14/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DE0F8FBD
current inbound spi : 3F762BC5
inbound esp sas:
spi: 0x3F762BC5 (1064709061)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 244334592, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28554)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xDE0F8FBD (3725561789)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 244334592, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28554)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
12-03-2013 07:24 PM
Kindly advise with your valuable inputs.
12-04-2013 09:27 PM
Kindly advise, experts.