05-20-2018 09:58 PM - edited 03-12-2019 05:18 AM
I configured a site-to-site VPN between a Cisco IOSv router and a Cisco ASAv. When I initiate the traffic from the ASA end, the tunnel comes up, but the ping from the interesting traffic is not working, as the router is not encapsulating the traffic. When I initiate traffic from the router end, the tunnel does not come up.
I ran debug commands but got no output. No ACL hits. I am attaching the configurations. Kindly help me fix the issue.
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
136.1.13.1      136.1.37.7      QM_IDLE           1003 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypt ipsec sa
interface: GigabitEthernet0/0
Crypto map tag: INSIDE_MAP, local addr 136.1.13.1
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (136.1.47.0/255.255.255.0/0/0)
current_peer 136.1.37.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 136.1.13.1, remote crypto endpt.: 136.1.37.7
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x746CAC2E(1953279022)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFA8C9744(4203517764)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: INSIDE_MAP
sa timing: remaining key lifetime (k/sec): (4161373/3579)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x746CAC2E(1953279022)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: INSIDE_MAP
sa timing: remaining key lifetime (k/sec): (4161373/3579)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1#
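As an added example (not part of the original post), here is a small Python parser over an abridged copy of R1's "show crypto ipsec sa" output above that flags the encaps/decaps asymmetry, which is the tell in this output: decaps counting up while encaps stays at zero means R1 is receiving the peer's ESP but nothing leaving R1 ever matches the crypto ACL. The function names and the diagnosis codes are my own.

```python
import re

# Constructed sample: an abridged copy of R1's "show crypto ipsec sa" from the thread.
SAMPLE = """\
interface: GigabitEthernet0/0
Crypto map tag: INSIDE_MAP, local addr 136.1.13.1
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (136.1.47.0/255.255.255.0/0/0)
current_peer 136.1.37.7 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([^/]+)/([^/]+)/\d+/\d+\)")
PEER_RE = re.compile(r"^current_peer (\S+)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """One record per local/remote ident pair, i.e. per crypto ACL entry that built an SA."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local" or cur is None:   # IOS prints "local ident" first
                cur = {"local": None, "remote": None, "peer": None, "encaps": 0, "decaps": 0}
                records.append(cur)
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        if cur is None:
            continue
        m = PEER_RE.match(line)
        if m:
            cur["peer"] = m.group(1)
        for direction, count in COUNT_RE.findall(line):
            cur[direction] = int(count)
    return records

def diagnose(rec):
    """Classify the SA's traffic pattern; the hint says which side's config to re-check first."""
    tx, rx = rec["encaps"] > 0, rec["decaps"] > 0
    if rx and not tx:
        return "RX_ONLY", "peer sends but this side never encapsulates: check crypto ACL match and routing out the crypto-map interface"
    if tx and not rx:
        return "TX_ONLY", "this side sends but nothing returns: check the peer's crypto ACL and NAT exemption"
    return ("OK", "bidirectional") if tx else ("NO_TRAFFIC", "nothing matched in either direction")
```

Run `parse_ipsec_sa` on a pasted `show crypto ipsec sa` and feed each record to `diagnose`; on the output above it reports RX_ONLY for 172.16.10.0/24 to 136.1.47.0/24 via 136.1.37.7.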
05-20-2018 10:22 PM
Hi
There are some errors.
On the ASA, the crypto ACL is using the outside subnet where normally you must have the inside subnet; there's no NAT exemption configured.
On your router, the peer IP is your ASA inside instead of outside. For the ACL, the same comment as my previous one on the ASA applies.
Take a look at this documentation guide:
If you still have issues adapting it to your environment, let me know and I'll do the config.
05-20-2018 10:33 PM - edited 05-21-2018 12:33 PM
Yes. I know it is configured as inside. However, that should not cause any problem. This is a test environment. The network is as below.
Destination/Source (outside) - ASA3 (inside) - R3 - R1 - Source/Destination
There is no NAT configuration on any device. I just configured it as the inside interface. The peer IP address is correct, as that is the interface where the VPN is terminated.