Beginner

Site to Site VPN packet decryption count 0

Hi,

I have an issue with an IPsec VPN between a Cisco 1841 and a Cisco ASA 5500. Packets are getting encrypted on both ends, but on both ends the decrypt count is 0. Kindly let me know what the possible reasons for this issue could be.

Karthik S
7 Replies
Mentor

Site to Site VPN packet decryption count 0

Hi,

Are you saying that on the end that starts creating traffic to the remote end you can see "encrypted" packets AND on the remote end you can see both "decrypted" and "encrypted" packets?

If that is the case it would seem really weird, because I can't see a reason why the traffic already "encrypted" on the remote end wouldn't arrive at the other end.

Though I had a similar situation once, it wasn't solved then and it was related to something totally different from what you are doing.

Could you perhaps share with us the "show crypto ipsec sa peer x.x.x.x" from both ends of the L2L VPN for us to see the counters?

I would also look into the NAT configurations to check that they are configured correctly.

- Jouni

Beginner

Site to Site VPN packet decryption count 0

Hi JouniForss,

FYI

Branch_VPN#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 202.191.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
   current_peer 203.91.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 366, #pkts encrypt: 366, #pkts digest: 366
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 202.191.X.X, remote crypto endpt.: 203.91.X.X
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF7671ADA(4150729434)

     inbound esp sas:
      spi: 0x70BF1ABE(1891572414)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: FPGA:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500951/3013)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF7671ADA(4150729434)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: FPGA:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500947/3013)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Branch_VPN#

HQ-ASA#Show crypto ipsec sa

Crypto map tag: S2S, seq num: 590, local addr: 203.91.X.X

      access-list Branch-S2S extended permit ip 10.154.134.32 255.255.255.240 172.22.2.128 255.255.255.128
      local ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
      current_peer: 202.191.X.X

      #pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 66, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.91.X.X, remote crypto endpt.: 202.191.X.X
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 70BF1ABE
      current inbound spi : F7671ADA

    inbound esp sas:
      spi: 0xF7671ADA (4150729434)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6025216, crypto-map: S2S
         sa timing: remaining key lifetime (kB/sec): (4374000/3155)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    outbound esp sas:
      spi: 0x70BF1ABE (1891572414)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6025216, crypto-map: S2S
         sa timing: remaining key lifetime (kB/sec): (4373993/3155)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
HQ-ASA#

Karthik S
Mentor

Site to Site VPN packet decryption count 0

Does seem really strange.

I would expect that if I can see the L2L VPN coming up and traffic getting encrypted, it would also be visible on the remote end as "decrypted", since it's already tunneled traffic.

Have you tried, for example, watching the ASDM real-time logs on the ASA while testing traffic from the Branch site, to see if the logs show anything related to this problem?

Usually when the L2L VPN negotiations go through and packets get encrypted/encapsulated, you should see something on the remote end even though the connection attempts didn't pass the remote end device completely.

- Jouni

Beginner

Site to Site VPN packet decryption count 0

I have done "debug crypto ipsec" with level 200 but am not able to see any logs; the same at the router end also. My ASA version is 8.2.5, and the router version has also been upgraded from 12.4 13f to 12.4 25G, but still the same issue.

Karthik S
Contributor

Site to Site VPN packet decryption count 0

Looks like something is filtering ESP traffic between the sites. I mean the connection gets established, but the actual encrypted traffic is dropped somewhere in between.
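The reasoning in this reply, together with the two "show crypto ipsec sa" outputs Karthik posted above, can be checked mechanically. The following script is an added example and is not part of the thread or of any Cisco tool: it parses the encaps/decaps counters and SPIs from both ends of a tunnel (IOS and ASA formats) and classifies the symptom. The sample inputs are trimmed copies of the outputs above (with the same counter values); the regular expressions, field names and verdict strings are my own assumptions about the output format, not Cisco definitions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: trimmed from the router and ASA outputs posted in this
# thread. Only the lines the parser looks at are kept; the values are unchanged.
ROUTER_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 202.191.X.X
   current_peer 203.91.X.X port 500
    #pkts encaps: 366, #pkts encrypt: 366, #pkts digest: 366
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0xF7671ADA(4150729434)
     inbound esp sas:
      spi: 0x70BF1ABE(1891572414)
"""

ASA_OUTPUT = """\
Crypto map tag: S2S, seq num: 590, local addr: 203.91.X.X
      current_peer: 202.191.X.X
      #pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: 70BF1ABE
      current inbound spi : F7671ADA
"""


@dataclass
class SaCounters:
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    outbound_spi: Optional[str]
    inbound_spi: Optional[str]


def _int(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0


def _spi(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1).upper() if m else None


def parse_ipsec_sa(text: str) -> SaCounters:
    """Extract the per-peer counters from one 'show crypto ipsec sa' entry.

    Accepts both the IOS layout ("#send errors 4", SPI under "inbound esp sas:")
    and the ASA layout ("#send errors: 0", "current inbound spi : ...").
    """
    peer = re.search(r"current_peer:?\s+(\S+)", text)
    inbound = _spi(r"current inbound spi\s*:\s*(?:0x)?([0-9A-Fa-f]+)", text) \
        or _spi(r"inbound esp sas:\s*spi:\s*(?:0x)?([0-9A-Fa-f]+)", text)
    return SaCounters(
        peer=peer.group(1) if peer else "?",
        encaps=_int(r"#pkts encaps:\s*(\d+)", text),
        decaps=_int(r"#pkts decaps:\s*(\d+)", text),
        send_errors=_int(r"#send errors:?\s*(\d+)", text),
        recv_errors=_int(r"#recv errors:?\s*(\d+)", text),
        outbound_spi=_spi(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)", text),
        inbound_spi=inbound,
    )


def diagnose(a: SaCounters, b: SaCounters) -> dict:
    """Compare both ends of one tunnel and say where ESP is being lost."""
    # Each side's outbound SPI must be the other side's inbound SPI; if so,
    # IKE phase 2 agreed on the SAs and a mismatch is not the problem.
    spi_match = a.outbound_spi == b.inbound_spi and b.outbound_spi == a.inbound_spi
    a_to_b_lost = a.encaps > 0 and b.decaps == 0
    b_to_a_lost = b.encaps > 0 and a.decaps == 0
    notes = []
    if a_to_b_lost and b_to_a_lost:
        verdict = "esp_dropped_both_directions"
        notes.append("Both peers encrypt but neither decrypts. With IKE complete"
                     + (" and SPIs matching," if spi_match else ",")
                     + " the likeliest cause is ESP (IP protocol 50) or UDP/4500"
                     " NAT-T being filtered or dropped on the path between the peers;"
                     " check ACLs and firewalls in between and any NAT applied to"
                     " the peer addresses.")
    elif a_to_b_lost or b_to_a_lost:
        verdict = "esp_dropped_one_direction"
        src = a.peer if b_to_a_lost else b.peer
        notes.append(f"Traffic encrypted towards {src} is never decrypted there;"
                     " look at filtering or routing towards that peer only.")
    else:
        verdict = "counters_consistent"
    if not spi_match:
        notes.append("SPI mismatch between the two ends: the SAs shown are not"
                     " the same pair; re-check that both outputs are for this peer.")
    if a.send_errors or b.send_errors:
        notes.append("Non-zero send errors: packets were dropped before"
                     " encapsulation (for example no route to the peer or an MTU problem).")
    return {"verdict": verdict, "spi_match": spi_match, "notes": notes}


if __name__ == "__main__":
    report = diagnose(parse_ipsec_sa(ROUTER_OUTPUT), parse_ipsec_sa(ASA_OUTPUT))
    print(report["verdict"])
    for line in report["notes"]:
        print("-", line)
```

Run against the two outputs above it reports "esp_dropped_both_directions" with matching SPIs (F7671ADA/70BF1ABE on both sides), which is exactly the pattern this reply describes: phase 2 negotiated fine, so the place to look is whatever sits between the two crypto endpoints rather than the crypto configuration itself.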

Beginner

Site to Site VPN packet decryption count 0

Hi Kartik,

Can you please ensure that NAT traversal is turned on on the firewall.

Please issue the following commands on the ASA (it's on by default on the router):

config t

cry isa nat-t

Bounce the tunnel once and check if that fixes the issue.

Regards,

~Harry

Beginner

Site to Site VPN packet decryption count 0

NAT traversal is already enabled. Any suggestion?

Karthik S