10-31-2022 07:56 AM
I recently updated the software on an ASA 5545 from 9.14(1) to 9.14(4)15. I have multiple VPN tunnels running.
After the upgrade the tunnels come up, but I am only seeing traffic in 1 direction. I have checked the config against the previous config and all appears to be correct.
10-31-2022 08:01 AM
upgrade, can you check the route table? Is the VPN using the same egress interface as before, or did it change?
10-31-2022 11:52 PM
It is using the same egress interface.
11-01-2022 03:42 AM
packet-tracer input inside tcp x.x.x.x 12345 y.y.y.y 80 detail
Share the output of packet-tracer if you can.
11-01-2022 04:17 AM
What does appear to be strange is that the tunnel will initialise from one side (remote) but not from the local firewall (the updated one). I can see in debug that if I try from the local side it gets an authentication failure:
username:unknown IKEV2 Negotiation Aborted due to ERROR: Auth exchange failed
If I try from the remote side the tunnel comes up. I have checked the pre-shared keys and they are the same.
11-01-2022 04:35 AM
then only clear crypto isakmp and crypto ipsec and check again
11-02-2022 12:48 AM
This made no difference
I have a call with TAC today
11-02-2022 01:17 AM
ASA# show asp table vpn-context detail
ASA# SHOW CRYPTO IPSEC SA PEER x.x.x.x
Run both commands above and see whether the SPI for this peer is the same or not.
11-02-2022 01:44 AM
The inbound and the outbound SPI do match
11-02-2022 01:53 AM
#recv errors: xxxx
Do you see recv errors when you run
show crypto ipsec sa
11-02-2022 11:56 PM
The fault was found to be an incorrect route. On the older version, 9.14(1), this route was ignored; when the upgrade was done to 9.14(4)15, the incorrect route was used.
This was reproducible: on dropping back to the old version it started passing traffic, and when we applied the new version it failed. We removed the route and traffic was being passed.
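As an added illustration of the root cause described in the post above (not code from any participant in this thread): a Python check that takes `show route`-style text and reports any tunnel whose remote protected network would leave through an interface other than the one its crypto map is bound to. The route lines, addresses, interface names and tunnel list are constructed samples, and the line format is an assumption.

```python
import ipaddress
import re

# Constructed sample in the style of ASA "show route" output (not from the thread).
SAMPLE_ROUTES = """\
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, outside
C    10.1.0.0 255.255.0.0 is directly connected, inside
S    10.50.0.0 255.255.0.0 [1/0] via 10.1.0.254, inside
S    192.168.77.0 255.255.255.0 [1/0] via 203.0.113.1, outside
"""

# Hypothetical tunnels: remote protected network -> interface the crypto map is bound to.
TUNNELS = {"10.50.20.0/24": "outside", "192.168.77.0/24": "outside"}

# <code> <network> <mask> ... , <interface>
ROUTE_RE = re.compile(
    r"^\S+\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) .*?,\s*(\S+)\s*$"
)

def parse_routes(text):
    """Return [(network, egress_interface)] from 'show route'-style lines."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            routes.append((net, m.group(3)))
    return routes

def egress_for(routes, dest_net):
    """Longest-prefix match: interface of the most specific route covering dest_net."""
    dest = ipaddress.ip_network(dest_net)
    covering = [(n, i) for n, i in routes if dest.subnet_of(n)]
    if not covering:
        return None
    return max(covering, key=lambda r: r[0].prefixlen)[1]

def misrouted_tunnels(route_text, tunnels):
    """Tunnels whose protected network leaves via a non-crypto-map interface."""
    routes = parse_routes(route_text)
    bad = {}
    for net, want in tunnels.items():
        got = egress_for(routes, net)
        if got != want:
            bad[net] = got
    return bad

if __name__ == "__main__":
    for net, iface in misrouted_tunnels(SAMPLE_ROUTES, TUNNELS).items():
        print(f"{net}: routed via {iface}, crypto map expects {TUNNELS[net]}")
```

Running the same check against the route table captured before and after an upgrade shows whether a route that was previously not taking effect now wins the lookup for a tunnel's remote network.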
11-03-2022 12:13 AM
Yes, as I mentioned in my first comment, check the egress interface.
I am so glad your issue is solved.
Great job, friend.
10-31-2022 10:59 AM
What are the different distant ends you're trying to reach via the tunnel?