02-03-2013 09:16 AM
Hi,
I have an issue with an IPsec VPN between a Cisco 1841 and a Cisco ASA 5500. Packets are getting encrypted on both ends, but on both ends the decrypt count is 0. Kindly let me know what the possible reasons for this issue could be.
02-03-2013 09:24 AM
Hi,
Are you saying that on the end that starts creating traffic to the remote end you can see "encrypted" packets AND on the remote end you can see both "decrypted" and "encrypted" packets?
If that is the case it would seem really weird, because I can't see a reason why the traffic already "encrypted" on the remote end wouldn't arrive at the other end.
Though I had a similar situation once, it wasn't solved then and it was related to something totally different from what you are doing.
Could you perhaps share with us the "show crypto ipsec sa peer x.x.x.x" from both ends of the L2L VPN for us to see the counters?
I would also check that the NAT configurations are correct.
- Jouni
02-03-2013 09:41 AM
Hi JouniForss,
FYI
Branch_VPN#sh cry ipsec sa
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 202.191.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
current_peer 203.91.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 366, #pkts encrypt: 366, #pkts digest: 366
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 4, #recv errors 0
local crypto endpt.: 202.191.X.X, remote crypto endpt.: 203.91.X.X
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xF7671ADA(4150729434)
inbound esp sas:
spi: 0x70BF1ABE(1891572414)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4500951/3013)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF7671ADA(4150729434)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4500947/3013)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Branch_VPN#
HQ-ASA#Show crypto ipsec sa
Crypto map tag: S2S, seq num: 590, local addr: 203.91.X.X
access-list Branch-S2S extended permit ip 10.154.134.32 255.255.255.240 172.22.2.128 255.255.255.128
local ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
current_peer: 202.191.X.X
#pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 66, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 203.91.X.X, remote crypto endpt.: 202.191.X.X
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 70BF1ABE
current inbound spi : F7671ADA
inbound esp sas:
spi: 0xF7671ADA (4150729434)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6025216, crypto-map: S2S
sa timing: remaining key lifetime (kB/sec): (4374000/3155)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x70BF1ABE (1891572414)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 6025216, crypto-map: S2S
sa timing: remaining key lifetime (kB/sec): (4373993/3155)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
HQ-ASA#
02-03-2013 09:50 AM
Does seem really strange.
I would expect that if I can see the L2L VPN coming up and traffic getting encrypted, it would also be visible on the remote end as "decrypted", since it's already tunneled traffic.
Have you tried, for example, watching the ASDM real-time logs on the ASA while testing traffic from the Branch site, to see if the logs show anything related to this problem?
Usually when the L2L VPN negotiations go through and packets get encrypted/encapsulated, you should see something on the remote end even though the connection attempts didn't pass the remote end device completely.
- Jouni
02-03-2013 09:55 AM
I have done debug crypto ipsec at level 200 but am not able to see any logs; the same at the router end. My ASA version is 8.2.5, and the router version has also been upgraded from 12.4 13f to 12.4 25G; still the same issue.
02-03-2013 11:09 PM
Looks like something is filtering ESP traffic between the sites. I mean the connection gets established, but the actual encrypted traffic is dropped somewhere in between.
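One way to read the two outputs posted above mechanically, as an added example that is not part of the thread: a Python script that pulls the SPIs, proxy IDs and packet counters from both "show crypto ipsec sa" dumps and applies the reasoning in this post. Matching SPIs (each side's outbound SPI equals the other side's inbound SPI) show that Phase 2 completed and both peers installed the same pair of SAs; encaps climbing while decaps stays at 0 on both sides shows that neither peer ever receives the ESP the other sends, which points at the path (IP protocol 50, or UDP/4500 when NAT-T is in use) rather than at a crypto mismatch. The embedded sample text is an abridged copy of the two outputs from the thread; the field names, verdict strings and finding texts are my own and not Cisco output.

```python
import re

# Abridged copy of the IOS output posted above (Branch_VPN, "sh cry ipsec sa").
IOS_SA = """\
interface: FastEthernet0/0
Crypto map tag: CMAP, local addr 202.191.X.X
local ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
remote ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
current_peer 203.91.X.X port 500
#pkts encaps: 366, #pkts encrypt: 366, #pkts digest: 366
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 4, #recv errors 0
current outbound spi: 0xF7671ADA(4150729434)
inbound esp sas:
spi: 0x70BF1ABE(1891572414)
outbound esp sas:
spi: 0xF7671ADA(4150729434)
"""

# Abridged copy of the ASA output posted above (HQ-ASA, "show crypto ipsec sa").
ASA_SA = """\
Crypto map tag: S2S, seq num: 590, local addr: 203.91.X.X
local ident (addr/mask/prot/port): (10.154.134.32/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (172.22.2.128/255.255.255.128/0/0)
current_peer: 202.191.X.X
#pkts encaps: 66, #pkts encrypt: 66, #pkts digest: 66
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
current outbound spi: 70BF1ABE
current inbound spi : F7671ADA
"""


def _find(pattern, text, default=None):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_ipsec_sa(text):
    """Extract the fields the diagnosis needs from IOS or ASA 'show crypto ipsec sa' text."""
    inbound = _find(r"current inbound spi\s*:\s*(?:0x)?([0-9A-Fa-f]+)", text)
    if inbound is None:
        # IOS prints no "current inbound spi" line; take the SPI under "inbound esp sas:".
        tail = text.split("inbound esp sas:", 1)[-1]
        inbound = _find(r"spi:\s*0x([0-9A-Fa-f]+)", tail)
    outbound = _find(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)", text)
    return {
        "local_ident": _find(r"local ident[^:]*:\s*\(([^)]*)\)", text),
        "remote_ident": _find(r"remote ident[^:]*:\s*\(([^)]*)\)", text),
        "encaps": int(_find(r"#pkts encaps:\s*(\d+)", text, "0")),
        "decaps": int(_find(r"#pkts decaps:\s*(\d+)", text, "0")),
        # IOS writes "#send errors 4", ASA writes "#send errors: 0"; accept both.
        "send_errors": int(_find(r"#send errors:?\s*(\d+)", text, "0")),
        "outbound_spi": outbound.upper() if outbound else None,
        "inbound_spi": inbound.upper() if inbound else None,
    }


def diagnose(a, b):
    """Compare the two peers' SAs; return (verdict, findings). Verdict strings are mine."""
    findings = []
    spis_consistent = (a["outbound_spi"] == b["inbound_spi"]
                       and b["outbound_spi"] == a["inbound_spi"])
    selectors_mirror = (a["local_ident"] == b["remote_ident"]
                        and a["remote_ident"] == b["local_ident"])
    findings.append("SPIs agree on both peers: Phase 2 completed and both sides hold the same SA pair"
                    if spis_consistent else
                    "SPI mismatch: the peers hold different SAs (stale SA or rekey problem)")
    if not selectors_mirror:
        findings.append("proxy IDs are not mirror images of each other: check the crypto ACLs")
    both_send = a["encaps"] > 0 and b["encaps"] > 0
    if spis_consistent and both_send and a["decaps"] == 0 and b["decaps"] == 0:
        verdict = "esp_not_arriving"
        findings.append("both peers encrypt but neither decrypts: ESP leaves each side and never "
                        "arrives; suspect a filter or NAT on the path dropping IP protocol 50 "
                        "(or UDP/4500 with NAT-T), not a crypto mismatch")
    elif both_send and (a["decaps"] == 0) != (b["decaps"] == 0):
        verdict = "one_direction_only"
        findings.append("only one peer decrypts: ESP is blocked in one direction")
    elif not both_send:
        verdict = "no_interesting_traffic"
        findings.append("at least one peer has encapsulated nothing: no traffic matched its crypto ACL")
    else:
        verdict = "bidirectional"
    for name, sa in (("peer A", a), ("peer B", b)):
        if sa["send_errors"]:
            findings.append(f"{name}: {sa['send_errors']} send errors on the SA")
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = diagnose(parse_ipsec_sa(IOS_SA), parse_ipsec_sa(ASA_SA))
    print(verdict)
    for f in findings:
        print(" -", f)
```

On the thread's two outputs the script reports esp_not_arriving: the SPIs cross-match (F7671ADA/70BF1ABE), the selectors mirror, and both decaps counters are 0, so the next step is a capture on each outside interface for protocol 50 or UDP/4500 rather than more crypto debugging.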
02-04-2013 07:21 AM
Hi Kartik,
Can you please ensure that NAT traversal is turned on on the firewall.
Please issue the following commands on the ASA (it's on by default on the router):
config t
cry isa nat-t
Bounce the tunnel once and check if that fixes the issue.
Regards,
~Harry
02-04-2013 10:28 AM
NAT traversal is already enabled. Any suggestions?