11-05-2018 09:59 AM
Hello All,
I am having an issue bringing up one VPN tunnel. Following are my observations.
----- VPN tunnel is not coming up. I see no TX & RX from ASDM and no SA for "sh crypto ipsec sa peer".
----- And there is no TX, RX when I see the VPN status from ASDM.
----- If I do the packet-tracer it shows VPN drop:
HOST# packet-tracer input inside tcp 10.7.61.79 12345 10.50.1.23 5450
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 142.XX.XX.XX using egress ifc Outside
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.50.1.23/5450 to 10.50.1.23/5450
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description HTTP_Exempt_from_Inspection
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
Static translate 10.7.61.79/12345 to 10.7.61.79/12345
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
HOST# exit
---- When I looked at the VPN firewall I see that the return packet is SYN Timeout. Screenshot attached. File name :: ASDM_Realtime_1
---- But the remote team checked and they are not receiving any packet. File name :: Remote_End
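A small parser for ASA packet-tracer output, added here as an example and not part of the original post: it splits the trace into phases and reports which phase dropped the flow and the Drop-reason (here the VPN/encrypt phase with acl-drop). The sample input is a constructed, abbreviated copy of the trace above.

```python
import re

# Constructed sample: abbreviated packet-tracer output modelled on the trace in the post
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split packet-tracer output into phase dicts; the trailing 'Result:' summary is not a phase."""
    phases, current = [], None
    for line in text.splitlines():
        m = re.match(r"^Phase:\s*(\d+)", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "lines": []}
            phases.append(current)
            continue
        if current is None or line.strip() == "Result:":
            current = None  # bare 'Result:' starts the final summary block
            continue
        for key in ("Type", "Subtype", "Result"):
            if line.startswith(key + ":"):
                current[key.lower()] = line.split(":", 1)[1].strip()
                break
        else:
            current["lines"].append(line)  # Config / Additional Information body
    return phases

def find_drop(text):
    """Return (phase dict, drop-reason) for the phase that dropped the flow, else (None, None)."""
    reason = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    for p in parse_phases(text):
        if p["result"] == "DROP":
            return p, (reason.group(1).strip() if reason else None)
    return None, None
```

Pasting the full trace from the post into SAMPLE gives the same answer: phase 10, VPN/encrypt, acl-drop, which points at the crypto ACL or a VPN filter rather than at the earlier NAT or interface ACL phases, all of which returned ALLOW.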
11-05-2018 10:35 AM
Your tunnel is up and you have an SA, if there was no phase 2 that line wouldn't be there. With no tx/rx counters this looks like a routing problem.
11-05-2018 10:56 AM - edited 11-05-2018 10:56 AM
Also note that you have to run packet-tracer twice for VPNs; it never works the first time.
regards
mk
11-06-2018 11:34 AM - edited 11-06-2018 11:35 AM
Hello Subrun Jamil,
Could you provide your running config and the other side's? This can be really many things: whether the other side does not have an identity NAT, ACLs/access-group, the ISP blocking ESP packets, a VPN filter and so on. So to get a clear picture, please share the configs; you can obviously remove the IPs and replace them with others.
Also:
show crypto ikev1 sa
show crypto ipsec sa
show run all sysopt
Keep us posted, please rate the helpful posts!
Thanks,
David Castro,