748 Views, 0 Helpful, 3 Replies

Site-to-Site VPN Router-ASA : Router is not encapsulating the packet

Binoy
Level 1

I configured a site-to-site VPN between a Cisco IOSv router and a Cisco ASAv. When I initiate the traffic from the ASA end, the tunnel comes up, but the ping from the interesting traffic is not working, as the router is not encapsulating the traffic. When I initiate traffic from the router end, the tunnel is not coming up.

I ran debug commands but got no output. No ACL hits. I am attaching the configurations. Kindly help me to fix the issue.

R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
136.1.13.1 136.1.37.7 QM_IDLE 1003 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypt ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: INSIDE_MAP, local addr 136.1.13.1

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (136.1.47.0/255.255.255.0/0/0)
current_peer 136.1.37.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 136.1.13.1, remote crypto endpt.: 136.1.37.7
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x746CAC2E(1953279022)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xFA8C9744(4203517764)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: INSIDE_MAP
sa timing: remaining key lifetime (k/sec): (4161373/3579)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x746CAC2E(1953279022)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: INSIDE_MAP
sa timing: remaining key lifetime (k/sec): (4161373/3579)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
R1#

3 Replies

Francesco Molino
VIP Alumni

Hi

There are some errors.

On the ASA, the crypto ACL is using the outside subnet where normally you must have the inside subnet; there's no NAT exemption configured.

On your router, the peer IP is your ASA inside instead of outside. For the ACL, the same comment as my previous one on the ASA.

 

Take a look at this documentation guide:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/119425-configure-ipsec-00.html

If you still have issues adapting it to your environment, let me know and I'll do the config.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, I know it is configured as inside. However, that should not cause any problem. This is a test environment. The network is as below.

Destination/source (outside) - ASA3 (inside) - R3 - R1 - Source/Destination

There is no NAT configuration on any devices. I just configured it as the inside interface. The peer IP address is correct, as that is the interface where the VPN is terminated.

Ok, I understand. But if you're trying to build a VPN from the inside interface, why are you configuring subnet 136.1.47.0/24 in the crypto ACL on both sides?

I understood that the VPN will be built over the inside LAN interface. What's the goal you want to achieve? Do you want each site to reach the other's LAN? If so, your crypto ACL needs to define the right traffic you want to protect; this means you should have the inside subnet on each side and not the outside subnet.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
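As an added example (not code from the thread or from Cisco), a small Python check that parses the selector and counter lines of the router's `show crypto ipsec sa` output quoted in the question and flags the two conditions discussed above: a one-way SA (packets decapsulated but none encapsulated) and a crypto ACL selector that is a peer-facing transit subnet rather than a LAN. Treating 172.16.10.0/24 as the router's LAN and 136.1.47.0/24 as a transit/outside subnet is an assumption taken from the replies; the ASA-side selectors used in `is_mirrored` are constructed.

```python
import ipaddress
import re

# Constructed sample: the selector and counter lines quoted from the router's
# "show crypto ipsec sa" output in the question above (other lines omitted).
R1_IPSEC_SA = """\
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (136.1.47.0/255.255.255.0/0/0)
current_peer 136.1.37.7 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return the crypto-ACL selectors and encap/decap counters of one IPsec SA."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}")  # IOS prints dotted masks
    for name, value in COUNTER_RE.findall(text):
        sa[name] = int(value)
    return sa


def diagnose(sa, lan, transit):
    """Check one side's SA against what its crypto ACL should protect.

    lan     - this side's LAN, i.e. what the local selector should be (assumed input)
    transit - peer-facing subnets that must not appear as selectors (assumed input)
    Returns a list of findings; an empty list means nothing suspicious.
    """
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way SA: peer packets are decrypted but nothing is encapsulated "
                        "here, suggesting this side's traffic is not matching the crypto ACL")
    if sa["local"] != lan:
        findings.append(f"local selector {sa['local']} is not the LAN {lan}")
    for side in ("local", "remote"):
        if sa[side] in transit:
            findings.append(f"{side} selector {sa[side]} is a transit subnet, not a LAN")
    return findings


def is_mirrored(a, b):
    """Both peers' selectors must be exact mirror images, or only one direction is selected."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]
```

Run `diagnose` on each peer's own output with that peer's LAN and transit subnets, then `is_mirrored` across the two results; both must come back clean before the NAT-exemption question is worth looking at.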