cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
882
Views
5
Helpful
3
Replies

IPSEC issue between ASA 5505 and Router

sfanayei
Level 1
Level 1

Hi everyone

I am trying a to establish IPSEC ikev1 tunnel mellem a ASA with default parameters and Cisco router. When I ping from both side of LAN behinde ASA or the router the tunnel comes up. Both phase 1 and 2 compleated.
But output "show crypto IPSEC sa" shows that only pckts become encrp and counter increasing but not decro pckt counter. This behave goes for both side of tunnels.
What can be wroung? I copied output of output show crypto IPSEC sa for both ASA and Crouter.
I appreciate any help.

OUTPUT on Cisco router:

protected vrf: A-TRANS-2
local ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.68.3.0/255.255.255.0/0/0)
current_peer 9*.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1*.x.x.x, remote crypto endpt.: 9*.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x80228938(2149747000)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x27D63456(668349526)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4529, flow_id: ESG:2529, sibling_flags FFFFFFFF80004048, crypto map: s2s
sa timing: remaining key lifetime (k/sec): (4608000/3584)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x80228938(2149747000)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4530, flow_id: ESG:2530, sibling_flags FFFFFFFF80004048, crypto map: s2s
sa timing: remaining key lifetime (k/sec): (4607998/3584)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

---------------

OUTPUT on ASA:

Crypto map tag: outside_map0, seq num: 1, local addr: 9*.x.x.x

access-list outside_cryptomap_2 extended permit ip 10.68.3.0 255.255.255.0 10.245.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.68.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
current_peer: 1*.x.x.x


#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 9*.x.x.x/0, remote crypto endpt.: 1*.x.x.x/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 189E3E1A
current inbound spi : 29A10488

inbound esp sas:
spi: 0x29A10488 (698418312)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 303104, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4374000/3557)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x189E3E1A (413023770)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 303104, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373999/3502)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ciscoasa#

1 Accepted Solution

Accepted Solutions

Check if you have a symmetric routing. Seems that traffic is going over VPN
and returning through different path.

get traceroute from each lan to the other lan

View solution in original post

3 Replies 3

Check if you have a symmetric routing. Seems that traffic is going over VPN
and returning through different path.

get traceroute from each lan to the other lan

Hi

Traceroute from both side shows that packets are arriving in right device. 

It was actually a symmetric routing in customer ISP infrastrcture that caused the problem, but they have not solved it yet. And way many tank, It was pointed out in the right direction !!
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: