
can't encrypts but configuration matches working hosts on the encryption domain

w951duu
Level 1

I'm stumped here. For one of my tunnels I have a subnet that is working:

     - show crypto ipsec:

     Crypto map tag: ntelagent, seq num: 7, local addr: 64.38.3.18

      access-list VPNTunnel9 permit ip host hl7a.int6 204.145.246.0 255.255.255.0
      local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (204.145.246.0/255.255.255.0/0/0)
      current_peer: 72.158.65.147

      #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

      local crypto endpt.: 64.38.3.18, remote crypto endpt.: 72.158.65.147

Yet on the same tunnel I cannot get encrypts to a different host on the encryption domain:

     - show crypto ipsec:

      access-list VPNTunnel9 permit ip host hl7a.int6 host 10.10.0.43
      local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.10.0.43/255.255.255.255/0/0)
      current_peer: 72.158.65.147

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 323, #pkts decrypt: 323, #pkts verify: 323

      local crypto endpt.: 64.38.3.18, remote crypto endpt.: 72.158.65.147

The ACL configurations are identical for the crypto map and the no-nat:

     access-list VPNTunnel9 extended permit ip host hl7a.int6 204.145.246.0 255.255.255.0

     access-list VPNTunnel9 extended permit ip host hl7a.int6 host 10.10.0.43

     access-list nonat extended permit ip host hl7a.int6 204.145.246.0 255.255.255.0

     access-list nonat extended permit ip host hl7a.int6 host 10.10.0.43

Anyone have any ideas, please? If I'm getting decrypts but no encrypts, that would mean the issue is on my side, right?

1 Reply

rahgovin
Level 4

See if the routing is right. In order to reach 10.10.0.43 the route should point to the crypto map interface, if your config is fine otherwise. Also inbound access-lists on the LAN interface can be checked.

Captures also should show you in which direction the packet is getting dropped.
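The counter reasoning used in the question (decaps present, encaps zero) and the reply's advice to locate the drop on the local side can be turned into a small triage script. The following is an added example, not code from the original thread or from Cisco: it parses the `show crypto ipsec sa` counter lines in the format shown above and classifies each SA as bidirectional, idle, or one-way. The sample text is constructed from the excerpts in the question; the regexes match only the lines quoted there and are an assumption about the wider output format.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample modelled on the two "show crypto ipsec sa" excerpts
# posted in the question (same identities and counter values).
SAMPLE_OUTPUT = """\
Crypto map tag: ntelagent, seq num: 7, local addr: 64.38.3.18

  access-list VPNTunnel9 permit ip host hl7a.int6 204.145.246.0 255.255.255.0
  local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (204.145.246.0/255.255.255.0/0/0)
  current_peer: 72.158.65.147

  #pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19
  #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

  local crypto endpt.: 64.38.3.18, remote crypto endpt.: 72.158.65.147

  access-list VPNTunnel9 permit ip host hl7a.int6 host 10.10.0.43
  local ident (addr/mask/prot/port): (hl7a.int6/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (10.10.0.43/255.255.255.255/0/0)
  current_peer: 72.158.65.147

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 323, #pkts decrypt: 323, #pkts verify: 323

  local crypto endpt.: 64.38.3.18, remote crypto endpt.: 72.158.65.147
"""


@dataclass
class IpsecSa:
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0

    def diagnosis(self) -> str:
        """Classify the SA from its counters, following the thread's reasoning:
        decaps without encaps means inbound works and the outbound packets
        never reach the crypto map, so look locally (routing toward the
        remote ident, NAT exemption, inbound ACL on the LAN interface)."""
        if self.encaps == 0 and self.decaps > 0:
            return "one-way inbound"
        if self.encaps > 0 and self.decaps == 0:
            return "one-way outbound"
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        return "bidirectional"


# Line patterns assumed from the excerpts in the question.
_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((.+)\)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((.+)\)")
_PEER = re.compile(r"current_peer: (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sas(text: str) -> List[IpsecSa]:
    """Each 'local ident' line starts a new SA; later lines fill it in."""
    sas: List[IpsecSa] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _LOCAL.search(line):
            current = IpsecSa(local_ident=m.group(1))
            sas.append(current)
            continue
        if current is None:
            continue  # header lines before the first SA
        if m := _REMOTE.search(line):
            current.remote_ident = m.group(1)
        elif m := _PEER.search(line):
            current.peer = m.group(1)
        elif m := _ENCAPS.search(line):
            current.encaps = int(m.group(1))
        elif m := _DECAPS.search(line):
            current.decaps = int(m.group(1))
    return sas


def one_way_sas(sas: List[IpsecSa]) -> List[IpsecSa]:
    """Return the SAs whose counters show traffic in only one direction."""
    return [sa for sa in sas if sa.diagnosis().startswith("one-way")]


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_OUTPUT):
        print(f"{sa.local_ident} -> {sa.remote_ident} via {sa.peer}: "
              f"encaps={sa.encaps} decaps={sa.decaps} [{sa.diagnosis()}]")
```

Run against the sample, the first SA reports bidirectional and the second reports one-way inbound, which is the situation in the question: the peer is sending traffic for 10.10.0.43 that decrypts fine, so the next step is a capture on the LAN interface to confirm whether the return packets arrive and then whether they leave toward the crypto map interface.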