Site-to-Site packets ENCAP/DECAP with 50% packets loss problem

mysolutionscorp
Level 1

Hello, Good Day!!

I have a problem with a site-to-site VPN between a Cisco 2801 router running C2801-ADVENTERPRISEK9-M Version 12.4(16) and a Cisco ASA 5515 firewall running Version 8.6(1)2.

The problem occurs after phase 1 and phase 2 have completed: when I run the command "sh crypto ipsec sa" on the Cisco 2801 router it shows all zeros in the output, but on the other side the Cisco ASA shows packets being encapsulated/decapsulated fine.

I have matched the configuration and it is all fine on both ends; both endpoints are also reachable, with 50% packet loss.

Please assist me, I am stuck with this problem.

Cisco Router 2801:

crypto isakmp policy 70
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key KEY_STRING address XXX.XXX.XXXX.XXXX
crypto ipsec transform-set TS_STRING esp-3des esp-md5-hmac
crypto map KASBUAE 70 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set security-association lifetime seconds 28800
 set transform-set TS_STRING
 match address 110
access-list 110 permit ip host 10.10.10.10 host 20.20.20.20
access-list 110 permit tcp host 10.10.10.10 eq 1251 host 20.20.20.20
access-list 110 permit icmp host 10.10.10.10 host 20.20.20.20

Cisco firewall ASA:

phase 1:
crypto ikev1 policy 95
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp key KEY_STRING address XXX.XXX.XXXX.XXXX
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 14 match address outside_cryptomap_13
crypto map outside_map 14 set peer XXX.XXX.XXX.XXX
crypto map outside_map 14 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 14 set security-association lifetime seconds 28800
access-list outside_cryptomap_13 extended permit icmp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit tcp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit ip object CISCO_ASA object CISCO_2811

here:
CISCO_ASA = 20.20.20.20
CISCO_2811 = 10.10.10.10

Output of "sh crypto ipsec sa" on the Cisco 2801:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.142.56.105/255.255.255.255/6/1251)
   remote ident (addr/mask/prot/port): (10.0.31.6/255.255.255.255/6/0)
   current_peer 212.112.188.194 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 202.44.92.18, remote crypto endpt.: 212.112.188.194
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:


Thanks & Regards,

1 Reply

m.kafka
Level 4

The IPsec SA is not established (inbound esp sas: empty).

Verify that your crypto ACLs are mirrored (unless you know exactly what you are doing).

If in doubt, run a debug on phase (deb cryp ipsec) to see what's happening.

Rgds,

MiKa

PS: if you obfuscate addresses in your pseudo-config, you should also obfuscate them in your debug output.
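The mirroring check suggested in the reply, as an added Python example that is not part of the thread: it parses the two crypto ACLs from the post (router IOS "host" syntax, ASA "object" syntax resolved through the object map the poster gives), normalises each ACE, reports entries whose mirror image the other side lacks, and renders an ACE the way the router's "show crypto ipsec sa" prints its local/remote idents. It handles only host/object endpoints and "eq" ports; that restriction and the sample ACL text are assumptions of this example.

```python
import re

# Constructed sample: the two crypto ACLs from the post. The router uses IOS
# "host" syntax; the ASA uses object names, resolved through the OBJECTS map.
ROUTER_ACL = """
access-list 110 permit ip host 10.10.10.10 host 20.20.20.20
access-list 110 permit tcp host 10.10.10.10 eq 1251 host 20.20.20.20
access-list 110 permit icmp host 10.10.10.10 host 20.20.20.20
"""
ASA_ACL = """
access-list outside_cryptomap_13 extended permit icmp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit tcp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit ip object CISCO_ASA object CISCO_2811
"""
OBJECTS = {"CISCO_ASA": "20.20.20.20", "CISCO_2811": "10.10.10.10"}
PROTO_NUM = {"ip": 0, "icmp": 1, "tcp": 6, "udp": 17}
ACE = re.compile(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+(\S+)\s+(.*)")
ENDPOINT = re.compile(r"(?:host|object)\s+(\S+)(?:\s+eq\s+(\S+))?")

def parse_ace(line, objects):
    """Normalise one permit ACE to (proto, src, sport, dst, dport); None if unparsed."""
    m = ACE.match(line.strip())
    if not m:
        return None
    proto, ends = m.group(1), ENDPOINT.findall(m.group(2))
    if len(ends) != 2:  # only host/object endpoints are handled (assumption)
        return None
    (src, sport), (dst, dport) = ends
    return proto, objects.get(src, src), sport or "any", objects.get(dst, dst), dport or "any"

def parse_acl(text, objects=None):
    return {e for e in (parse_ace(line, objects or {}) for line in text.splitlines()) if e}

def mirror(entry):
    """The ACE the peer must hold for this one: endpoints and ports swapped."""
    proto, src, sport, dst, dport = entry
    return (proto, dst, dport, src, sport)

def unmirrored(local, remote):
    """ACEs on each side whose mirror image is missing on the other side."""
    return {"missing_on_remote": sorted(e for e in local if mirror(e) not in remote),
            "missing_on_local": sorted(e for e in remote if mirror(e) not in local)}

def proxy_ident(entry):
    """Render an ACE as the router's 'show crypto ipsec sa' local/remote idents."""
    proto, src, sport, dst, dport = entry
    num = PROTO_NUM.get(proto, proto)
    def ident(addr, port):
        return f"{addr}/255.255.255.255/{num}/{0 if port == 'any' else port}"
    return ident(src, sport), ident(dst, dport)
```

Running unmirrored(parse_acl(ROUTER_ACL), parse_acl(ASA_ACL, OBJECTS)) flags the tcp ACE on both sides: the router pins port 1251 on its local host, the ASA's tcp entry carries no port, so the two proxy identities never match.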
