Help: Issues adding to encryption domain IPsec Tunnel

jcricket31
Level 1

Good Evening All,

I am seeking help and/or advice in regards to adding more networks to the encryption domain of an existing site-to-site IPsec tunnel. Both sides of the tunnel are ASAs. The customer on the remote end wants access to more networks on my end. They have already updated their crypto map ACL to include the new networks. When they perform "show crypto ipsec sa peer x.x.x.x" it already shows encaps packets attempting to reach my network.

On my side, I updated my crypto map ACL to reference the 2 new networks, created the twice NAT, and added the necessary ACLs to allow inbound access via the ports they want. When I perform a "show crypto ipsec sa peer x.x.x.x" the output is NOT updated with the new networks added to the encryption domain. When I run a packet-tracer sourcing from one of the servers in the new network, traffic is being translated as it should, but is being dropped when it hits the outbound interface to get onto the VPN tunnel.

Am I missing something here? Do I need to bounce the tunnel in order for the new networks to be recognized in the SA?

Thanks in advance.


Philip D'Ath
VIP Alumni

If the remote end is showing it is encrypting packets to you, but you are not showing as decrypting packets from them then the issue definitely seems to be on your end.

I guess you could try clearing the related SA and make sure it rebuilds. You definitely need that bit right first.

I'm not sure I can offer much more help without seeing your config and understanding the topology.

I don't have access to the configs at the moment, but basically I have object groups "LOCAL-NETS" and "REMOTE-NETS" that my crypto map ACL references. I just added the networks into the LOCAL-NETS object group. But when I perform a "show crypto ipsec sa" it's not showing the new networks. Adding them to the crypto map should add them to the encryption domain, correct?

Yes, that should add them to the encryption domain on your end. Have you added them to any relevant NAT configuration as well (like the existing encryption domain)?

Diego Lopez
Level 1

Hello,

You must bounce the tunnel whenever you modify the interesting traffic, otherwise the new SA is not going to be created. It is kind of funny that you say that the SA is already built at the remote side; the SA cannot be established on only one side. It is like building a new tunnel: if you don't have it on one side it can't just establish itself and create the entry for the SA. Besides adding the new networks and bouncing the tunnel, you need to generate traffic to trigger the new SA or you will never see it created. Check your no-NATs and routing and it should work.

Regards, please rate.

Just curious, but when the SA expires and rekeys, will the new networks then be included if I don't bounce the tunnel?

I believe I have my ACLs and NAT correct; when I run a packet-tracer the traffic of the new network is getting dropped when hitting the tunnel (which I believe will be resolved when I bounce it).

When a rekey happens the current SAs will negotiate new ones; I don't think the tunnel will actually drop on every rekey.

I recently worked on a case where a new SA was not coming up. I got the configuration from the customer and reviewed it; it took about 2 days and all the configuration was fine, but it was not until we manually bounced the tunnel that the SA was able to establish. A couple of rekeys definitely occurred during those 2 days.

When you modify the interesting traffic you just bounce the tunnel; you don't wait for the next rekey to occur for the SA to come up. But based on that experience I will say a rekey won't make it. Give it a try manually dropping it and let us know.
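The procedure the thread converges on (extend the LOCAL-NETS object group behind the crypto map ACL, keep an identity twice NAT for the VPN traffic, clear the SA so the new proxy IDs are negotiated, then send interesting traffic and verify), written out as an added ASA 8.3+ configuration example that is not from the original post; the object-group names follow the poster's, while the ACL name, crypto map name, addresses and peer IP are constructed placeholders.

```cisco
! Add the two new local networks to the object group the crypto map ACL already references
object-group network LOCAL-NETS
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 192.168.50.0 255.255.255.0
!
! Interesting traffic: anything in LOCAL-NETS to anything in REMOTE-NETS (names assumed)
access-list VPN-TO-REMOTE extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
crypto map OUTSIDE-MAP 10 match address VPN-TO-REMOTE
!
! Identity twice NAT so VPN-bound traffic keeps its real addresses. Because this is a
! manual (section 1) rule it is evaluated before any auto/object NAT; it must still be
! placed above any dynamic PAT rule for the same interfaces or traffic gets PATed first.
nat (inside,outside) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
!
! Changing the ACL does not alter the SAs already negotiated with the old proxy IDs:
! tear them down for this peer so the next interesting packet triggers a fresh negotiation
clear crypto ipsec sa peer 203.0.113.10
!
! Simulate a packet from one of the new servers (constructed addresses); with the rules
! above the trace should end in the VPN encrypt phase with action ALLOW rather than a drop
packet-tracer input inside tcp 10.10.20.5 12345 192.168.50.10 443
!
! After real traffic has flowed, the new networks appear as a local/remote ident pair
! with non-zero encaps and decaps counters; encaps only means the far side never replied
show crypto ipsec sa peer 203.0.113.10 | include ident|encaps|decaps
```

Each local/remote network pair in the ACL becomes its own child SA, so only the pairs that have actually seen traffic show up in the output; a pair missing from the list after a clear is not a fault by itself until traffic for it has been sent.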