VPN Tunnel is not coming UP. No Phase 2. No TX RX

Hello All,

I am having an issue bringing up one VPN tunnel. Following are my observations.

- VPN tunnel is not coming up. I see no TX & RX from ASDM and no SA for "sh crypto ipsec sa peer".

- And there is no TX/RX when I look at the VPN status from ASDM.

- If I do the packet-tracer, it shows a VPN drop:

HOST# packet-tracer input inside tcp 10.7.61.79 12345 10.50.1.23 tcp 10.7.61.79 12345 10.50.1.23 5450

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 142.XX.XX.XX using egress ifc Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.50.1.23/5450 to 10.50.1.23/5450

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description HTTP_Exempt_from_Inspection
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
Static translate 10.7.61.79/12345 to 10.7.61.79/12345

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
HOST# exit


- When I looked at the VPN firewall, I see that the return packet is SYN timeout. Screenshot attached. File name: ASDM_Realtime_1

- But the remote team checked and they are not receiving any packets. File name: Remote_End
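
A small triage helper for packet-tracer output like the one above, added here as an example (it is not code from this post or from Cisco): it splits the output into its Phase blocks and reports the first phase whose Result is DROP together with the Drop-reason from the closing Result block. It runs on a constructed, abridged copy of that output; the next-hop address in it is a placeholder.

```python
import re
# Constructed sample: abridged ASA packet-tracer output in the shape of the post above (next-hop is a placeholder).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 198.51.100.1 using egress ifc Outside

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Only the keys needed for triage; the first occurrence inside a block wins.
FIELD_RE = re.compile(r"^(Phase|Type|Subtype|Result|Action|Drop-reason):\s*(.*)$", re.M)

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase: N' block plus the final Result block."""
    phases, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):   # blocks are separated by blank lines
        fields = {}
        for key, value in FIELD_RE.findall(block):
            fields.setdefault(key, value.strip())
        if block.startswith("Phase:"):
            fields["Phase"] = int(fields["Phase"])
            phases.append(fields)
        elif block.startswith("Result:"):
            summary = fields
    return phases, summary

def first_drop(text):
    """First phase whose Result is DROP, with the ASA Drop-reason; None if the packet was allowed."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("Result") == "DROP":
            return {"phase": p["Phase"], "type": p.get("Type", ""), "subtype": p.get("Subtype", ""),
                    "reason": summary.get("Drop-reason", "")}
    return None
```

Calling first_drop(SAMPLE) names phase 10 (VPN / encrypt) with the acl-drop reason, which is the line to read before looking at routing or NAT.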


Re: VPN Tunnel is not coming UP. No Phase 2. No TX RX

Added the attachment

Re: VPN Tunnel is not coming UP. No Phase 2. No TX RX

Your tunnel is up and you have an SA; if there were no phase 2, that line wouldn't be there. With no TX/RX counters this looks like a routing problem.


Re: VPN Tunnel is not coming UP. No Phase 2. No TX RX

Also note that you have to run packet-tracer twice for VPNs; it never works the first time.

regards

mk


Re: VPN Tunnel is not coming UP. No Phase 2. No TX RX

Hello Subrun Jamil,

Could you provide your running config and the other side's? This can be many things: whether the other side does not have an identity NAT, ACLs/access-group, the ISP blocking ESP packets, a VPN filter and so on. So to get a clear picture, post the configs; you can remove the IPs from them, obviously, and replace them with others.

Also:

show crypto ikev1 sa

show crypto ipsec sa

show run all sysopt

Keep us posted, please rate the helpful posts!

Thanks,

David Castro,
