VPN Tunnel is not coming UP. No Phase 2. No TX RX

subrun.jamil
Level 1

Hello All,

I am having an issue bringing up one VPN tunnel. Following are my observations.

----- VPN tunnel is not coming up. I see no TX & RX from ASDM and no SA for "sh crypto ipsec sa peer"

--- And there is no TX, RX when I see the VPN status from ASDM


----- If I do the packet-tracer, it shows VPN drop

HOST# packet-tracer input inside tcp 10.7.61.79 12345 10.50.1.23 tcp 10.7.61.79 12345 10.50.1.23 5450

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 142.XX.XX.XX using egress ifc Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 10.50.1.23/5450 to 10.50.1.23/5450

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
description HTTP_Exempt_from_Inspection
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
Static translate 10.7.61.79/12345 to 10.7.61.79/12345

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
HOST# exit

---- When I looked at the VPN firewall, I see that the return packet is SYN timeout. Screenshot attached. File name :: ASDM_Realtime_1

---- But the remote team checked, and they are not receiving any packets. File name :: Remote_End

4 Replies

subrun.jamil
Level 1

Added the attachment

Your tunnel is up and you have an SA; if there were no phase 2, that line wouldn't be there. With no TX/RX counters this looks like a routing problem.

mkazam001
Level 3

Also note that you have to run packet-tracer twice for VPNs; it never works the first time.

regards

mk

David Castro F.
Spotlight

Hello Subrun Jamil,

Could you provide your running config and the other side's? This can really be many things: whether the other side does not have an identity NAT, ACLs/access-group, the ISP blocking ESP packets, a VPN filter and so on. So to get a clear picture, send the configs; you can obviously remove the IPs from them and replace them with others.

Also:

show crypto ikev1 sa

show crypto ipsec sa

show run all sysopt

Keep us posted, please rate the helpful posts!

Thanks,

David Castro,
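Added example, not from any poster in this thread and not Cisco tooling: a small Python helper that reads the two artifacts discussed above, the packet-tracer output from the original post and the #pkts encaps/decaps counters from the `show crypto ipsec sa` David asks for, and turns them into a pointer for the next check. The sample outputs embedded below are constructed (abbreviated from the thread; the 192.0.2.1 next hop and 198.51.100.7 peer are made-up documentation addresses), and the interpretation rules in diagnose() are this example's reading of the replies (no SA means no phase 2; an SA with zero encaps means traffic never reaches the tunnel, which the reply above attributes to routing; encaps without decaps means the far side is not answering), not ASA behaviour.

```python
"""Locate where an ASA VPN flow is being dropped from two CLI artifacts.

Added example: parses `packet-tracer` and `show crypto ipsec sa` text.
The sample outputs below are constructed to mirror the thread."""
import re

# Constructed sample, abbreviated from the packet-tracer output in the thread.
PACKET_TRACER_SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.0.2.1 using egress ifc Outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static DM_INLINE_NETWORK_16 DM_INLINE_NETWORK_16 destination static PI-Server PI-Server no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: Inside
output-interface: Outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample in the shape of the counter lines of `show crypto ipsec sa`.
IPSEC_SA_SAMPLE = """\
    peer address: 198.51.100.7
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""


def parse_phases(text):
    """Return one dict per 'Phase: N' block (the trailing 'Result:' block is skipped)."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("Phase:"):
            continue
        phase = {"extra": []}
        for line in lines:
            key, _, value = line.partition(":")
            if key in ("Phase", "Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif key not in ("Config", "Additional Information"):
                phase["extra"].append(line.strip())  # free-text detail lines
        phases.append(phase)
    return phases


def find_drop(text):
    """Return the first DROP phase with the overall Drop-reason, or None if all phases ALLOW."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            m = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
            return {"phase": p.get("phase", ""), "type": p.get("type", ""),
                    "subtype": p.get("subtype", ""),
                    "reason": m.group(1).strip() if m else ""}
    return None


def parse_sa_counters(text):
    """Extract #pkts encaps / decaps; None when no SA counters are present (no phase 2)."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", text)
    dec = re.search(r"#pkts decaps:\s*(\d+)", text)
    if not (enc and dec):
        return None
    return {"encaps": int(enc.group(1)), "decaps": int(dec.group(1))}


def diagnose(tracer_text, sa_text):
    """One-line pointer for the next check; the rules are this example's reading of the thread."""
    drop = find_drop(tracer_text)
    counters = parse_sa_counters(sa_text)
    if drop and drop["type"] == "VPN":
        return (f"dropped in VPN/{drop['subtype']} phase ({drop['reason']}): check the crypto-map "
                "ACL, VPN filter and NAT exemption for this flow, and re-run packet-tracer once the SA is up")
    if drop:
        return f"dropped before VPN in phase {drop['phase']} ({drop['type']}): {drop['reason']}"
    if counters is None:
        return "no IPsec SA for this peer: phase 2 never negotiated"
    if counters["encaps"] == 0 and counters["decaps"] == 0:
        return "SA present but no traffic enters the tunnel: check routing to the egress interface"
    if counters["decaps"] == 0:
        return "local side encrypts but nothing returns: check the remote side's ACL/NAT or ESP blocked in transit"
    return "traffic flows in both directions"


if __name__ == "__main__":
    print(diagnose(PACKET_TRACER_SAMPLE, IPSEC_SA_SAMPLE))
```

Paste the real outputs in place of the two samples; the encaps/decaps pair is the textual form of the TX/RX counters ASDM shows, so a zero pair with an SA present is exactly the "tunnel up, no TX/RX" state in the second reply.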
