Site to Site VPN packet decryption count 0

CSCO11520436
Level 1

Hi,

I have an issue with an IPsec VPN between a Cisco 1841 and a Cisco ASA 5500. Packets are getting encrypted on both ends, but on both ends the decrypt count is 0. Kindly let me know what the possible reasons for this issue could be.

Karthik S
7 Replies

Jouni Forss
VIP Alumni

Hi,

Are you saying that on the end that starts creating traffic to the remote end you can see "encrypted" packets AND on the remote end you can see both "decrypted" and "encrypted" packets?

If that is the case it would seem really weird, because I can't see a reason why the traffic already "encrypted" on the remote end wouldn't arrive at the other end.

Though I had a similar situation once, it wasn't solved then and it was related to something totally different from what you are doing.

Could you perhaps share with us the "show crypto ipsec sa peer x.x.x.x" from both ends of the L2L VPN for us to see the counters?

I would also check the NAT configurations to make sure they are configured correctly.

- Jouni

Hi JouniForss,

FYI

Branch_VPN#sh cry ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CMAP, local addr 202.191.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
   remote ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
   current_peer 203.91.X.X port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 366, #pkts encrypt: 366, #pkts digest: 366
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 202.191.X.X, remote crypto endpt.: 203.91.X.X
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xF7671ADA(4150729434)

     inbound esp sas:
      spi: 0x70BF1ABE(1891572414)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: FPGA:1, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500951/3013)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF7671ADA(4150729434)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: FPGA:2, crypto map: CMAP
        sa timing: remaining key lifetime (k/sec): (4500947/3013)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
Branch_VPN#

HQ-ASA#Show crypto ipsec sa

Crypto map tag: S2S, seq num: 590, local addr: 203.91.X.X

      access-list Branch-S2S extended permit ip 10.154.134.32 255.255.255.240 172.22.2.128 255.255.255.128
      local ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
      current_peer: 202.191.X.X

      #pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 66, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 203.91.X.X, remote crypto endpt.: 202.191.X.X
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 70BF1ABE
      current inbound spi : F7671ADA

    inbound esp sas:
      spi: 0xF7671ADA (4150729434)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6025216, crypto-map: S2S
         sa timing: remaining key lifetime (kB/sec): (4374000/3155)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x70BF1ABE (1891572414)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 6025216, crypto-map: S2S
         sa timing: remaining key lifetime (kB/sec): (4373993/3155)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
HQ-ASA#

Karthik S

Does seem really strange.

I would expect that if I can see the L2L VPN coming up and traffic getting encrypted, it would also be visible on the remote end as "decrypted", since it's already tunneled traffic.

Have you tried, for example, watching the ASDM real-time logs on the ASA while testing traffic from the Branch site, to see if the logs show anything related to this problem?

Usually when the L2L VPN negotiations go through and packets get encrypted/encapsulated, you should see something on the remote end even if the connection attempts didn't pass the remote end device completely.

- Jouni

I have done debug crypto ipsec with level 200 but I'm not able to see any logs; the same at the router end. My ASA version is 8.2.5, and the router version has also been upgraded from 12.4 13f to 12.4 25G; still the same issue.

Karthik S

Looks like something is filtering ESP traffic between the sites. I mean the connection gets established, but the actual encrypted traffic is dropped somewhere in between.
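The pattern behind that diagnosis (both peers encrypt, neither decrypts, while the SPIs on each side line up) can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the counter and SPI lines from the IOS and ASA "show crypto ipsec sa" outputs posted above (constructed excerpts with the same masked values), confirms the two peers hold the same pair of SAs, and classifies the loss pattern.

```python
import re

# Excerpts constructed from the two outputs posted in the thread (IPs masked as there).
BRANCH_IOS = """\
    #pkts encaps: 366, #pkts encrypt: 366, #pkts digest: 366
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 4, #recv errors 0
     current outbound spi: 0xF7671ADA(4150729434)
     inbound esp sas:
      spi: 0x70BF1ABE(1891572414)
"""
HQ_ASA = """\
      #pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: 70BF1ABE
      current inbound spi : F7671ADA
"""

def parse_sa(text):
    """Extract encrypt/decrypt counters and the SPI pair from IOS or ASA output."""
    def count(label):
        m = re.search(rf"#pkts {label}:\s*(\d+)", text)
        return int(m.group(1)) if m else 0
    out_spi = re.search(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)", text)
    # ASA prints 'current inbound spi'; IOS only lists it under 'inbound esp sas'.
    in_spi = (re.search(r"current inbound spi\s*:\s*(?:0x)?([0-9A-Fa-f]+)", text)
              or re.search(r"inbound esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)", text))
    return {"encrypt": count("encrypt"), "decrypt": count("decrypt"),
            "out_spi": out_spi.group(1).upper(), "in_spi": in_spi.group(1).upper()}

def diagnose(a, b):
    """Classify the failure from the two peers' views of the same tunnel."""
    findings = []
    # Each side's outbound SPI must be the other side's inbound SPI.
    if a["out_spi"] != b["in_spi"] or b["out_spi"] != a["in_spi"]:
        findings.append("SPI mismatch: peers hold different SAs; clear and rebuild the tunnel")
    a_lost = a["encrypt"] > 0 and b["decrypt"] == 0   # a -> b never arrives
    b_lost = b["encrypt"] > 0 and a["decrypt"] == 0   # b -> a never arrives
    if a_lost and b_lost:
        findings.append("both peers encrypt but neither decrypts: ESP (IP protocol 50) "
                        "or UDP/4500 is being dropped in the path between the sites")
    elif a_lost or b_lost:
        findings.append("one-way loss: check the receiving side's ACL, NAT and return route")
    return findings or ["counters consistent: tunnel is passing traffic both ways"]

if __name__ == "__main__":
    for line in diagnose(parse_sa(BRANCH_IOS), parse_sa(HQ_ASA)):
        print(line)
```

Run against the thread's own numbers it reports the "both peers encrypt but neither decrypts" case, which is the path-filtering hypothesis in the reply above.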

harshisi_2
Level 1

Hi Kartik,

Can you please ensure that NAT traversal is turned on on the firewall?

Please issue the following commands on the ASA (it's on by default on the router):

config t

cry isa nat-t

Bounce the tunnel once and check if that fixes the issue.

Regards,

~Harry

NAT traversal is already enabled. Any suggestions?

Karthik S