06-13-2017 11:04 AM - last edited on 03-12-2019 04:28 AM by NikolaIvanov
Site-to-site VPN between Cisco ASA and Fortinet firewall is up, but they can't ping each other.
Any suggestions? The problem is with PEER: 47.44.163.253
Result of the command: "show crypto isakmp sa"
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 207.236.213.66
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 47.44.163.253
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Result of the command: "show crypto ipsec sa"
interface: backup_isp
Crypto map tag: backup_isp_map6, seq num: 1, local addr: 47.44.163.130
access-list backup_isp_cryptomap_3 extended permit ip 172.16.0.0 255.255.0.0 172.18.0.0 255.255.0.0
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.0.0/255.255.0.0/0/0)
current_peer: 47.44.163.253
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 2
local crypto endpt.: 47.44.163.130/0, remote crypto endpt.: 47.44.163.253/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6F394BAA
current inbound spi : 107D4E11
inbound esp sas:
spi: 0x107D4E11 (276647441)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 4231168, crypto-map: backup_isp_map6
sa timing: remaining key lifetime (kB/sec): (3915000/25642)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6F394BAA (1866025898)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 4231168, crypto-map: backup_isp_map6
sa timing: remaining key lifetime (kB/sec): (3914999/25642)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: backup_isp_map6, seq num: 4, local addr: 47.44.163.130
access-list backup_isp_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.192.0 255.255.224.0
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.192.0/255.255.224.0/0/0)
current_peer: 207.236.213.66
#pkts encaps: 1440992, #pkts encrypt: 1440992, #pkts digest: 1440992
#pkts decaps: 1301545, #pkts decrypt: 1301545, #pkts verify: 1301545
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1440992, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 47.44.163.130/0, remote crypto endpt.: 207.236.213.66/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: E96E96F7
current inbound spi : B8B96408
inbound esp sas:
spi: 0xB8B96408 (3099157512)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: backup_isp_map6
sa timing: remaining key lifetime (kB/sec): (3905289/16758)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xE96E96F7 (3916338935)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 4096, crypto-map: backup_isp_map6
sa timing: remaining key lifetime (kB/sec): (3912710/16758)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
06-13-2017 07:45 PM
Check your NAT configuration.
06-14-2017 02:57 PM
I enabled and disabled NAT exempt and it's working now.
Thanks!
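Added example, not part of the original thread or any poster's words: a small Python parser for the "show crypto ipsec sa" counters pasted in the question. It flags the per-peer mismatches visible there (decaps without decrypt, nonzero recv errors). The function names and the flagging heuristics are assumptions of this example, not Cisco guidance.

```python
import re

# Constructed sample: counter lines trimmed from the output pasted in the thread.
SAMPLE = """\
current_peer: 47.44.163.253
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 2
current_peer: 207.236.213.66
#pkts encaps: 1440992, #pkts encrypt: 1440992, #pkts digest: 1440992
#pkts decaps: 1301545, #pkts decrypt: 1301545, #pkts verify: 1301545
#send errors: 0, #recv errors: 0
"""

PEER = re.compile(r"current_peer:\s*(\S+)")
COUNTER = re.compile(r"#([A-Za-z][A-Za-z \-]*?):\s*(\d+)")

def parse_ipsec_sa(text):
    """Return one (peer, counters) pair per current_peer block, in order."""
    blocks = []
    for line in text.splitlines():
        line = line.strip()
        m = PEER.match(line)
        if m:
            blocks.append((m.group(1), {}))
        elif blocks and line.startswith("#"):
            for name, value in COUNTER.findall(line):
                blocks[-1][1][name.strip()] = int(value)
    return blocks

def findings(c):
    """Heuristic checks (assumptions of this example) on one block's counters."""
    out = []
    if c.get("pkts decaps", 0) > c.get("pkts decrypt", 0):
        out.append("packets decapsulated but not decrypted")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        out.append("send/recv errors present")
    if c.get("pkts encaps", 0) and not c.get("pkts decaps", 0):
        out.append("traffic encrypted outbound, nothing received")
    return out

def report(text):
    """Map each peer block to its list of findings (empty list = clean)."""
    return [(peer, findings(c)) for peer, c in parse_ipsec_sa(text)]

if __name__ == "__main__":
    for peer, issues in report(SAMPLE):
        print(peer, "->", "; ".join(issues) or "counters consistent")
```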