IPSec - No packets are encryp but decryp

Muhammad Rafi · ‎10-14-2014

Hi All,

I am having issue with one of the IPSec tunnel, I have tried every thing I could but the phase of IPSec is not encrypting or encapsulating, however doing the decryption and decap with no issue, so traffic pretty much looks like unidirectional now, I have checked the configure almost 5 times but I cannot see any issue in the configs on both ends either, so here is the scenario.

Lets say, Site A is NYC and and Site B is Sydney

Site A is connected to Site B via IPSec and some other Sites but,

Site B is encrypting and encapsulating the traffic but not Site A

Site A is decrypting and encapsulation the traffic but not Sire B

Please let me know if any troubleshooting step you may think, will be useful,

Funny thing is, when I do the packet tracer for the ICMP or TCP/UDP between the hosts on both sides, they result is always allowed, but when I ping from the one host to another or RDP, it never worked. :(

Any help would be really appreciated.

let me know if you need to verify the config first, before making a comment

Thanks

M

Karsten Iwen · ‎10-14-2014

A typical config-mistake that shows this symptom is to have NAT-exemption done wrong. In Packet-tracer this can also result in an "allow", but if you look at the details you see that the traffic is natted and the VPN-section in packet-tracer is not hit.

Double-check that the traffic uses the right NAT-rule and that after NAT the source-address still matches your crypto-definition of the tunnel.

Muhammad Rafi · ‎10-14-2014

Thanks for the reply, I faced that NAT issue before but it was with the 9.0 ASA version which has before or after auto thing, but here I am using the ASA both below 8.3 versions

which has No NAT rules and I added the access-list along with the current one. but yeah let me check again.

thanks

Muhammad Rafi · ‎10-14-2014

No dude, I have checked every thing on the NAT side and even I lined up all the access rule into the numerical order for nat 0 access list but nothing made any difference, I created another, just to verify and the new tunnel has the same issue...so the issue is in Sydney, but this is the who is encrypting and encapsulating but not decryp and decap.

any idea ?

Karsten Iwen · ‎10-14-2014

can you show the counters from "sh vpn-sessiondb det l2l" of both boxes? And what's the output of packet-tracer on the device that doesn't encrypt for traffic matching the tunnel?

Muhammad Rafi · ‎10-15-2014

Thanks Karten,

But issue has now been resolved by upgrading the Site A from Version 8.2(1) to Version 8.2(5)

I have no idea how did it happen, or was there any bug with 8.2(1) that was causing the issue but one of my colleague did the upgrade and tunnel came back up.

The issue other with the other firewall was because of two interesting traffic going across on the same location with the redundant IP which is no longer exist, so as soon as we delete the redundant one, tunnel came back up.

Let me know your thought on this please, what do you think ?

Jouni Forss · ‎10-15-2014

Hi,

This is a bug in the 8.2(1) software atleast and possibly some other maintanance releases of the 8.2.

We have had this happen on 3 different VPN platforms in the past. The issue simply is that the ASA stops encrypting traffic but the decrypted traffic from the remote host/site will continue to come through the VPN normally.

I don't have the bug ID at hand but I could try and take a look if I can find it.

- Jouni