After software upgrade ASA only allows traffic in 1 direction

Orange-Crush
Level 1

I recently updated the software on an ASA 5545 from 9.14(1) to 9.14(4)15. I have multiple VPN tunnels running.

After the upgrade the tunnels come up, but I am only seeing traffic in one direction. I have checked the config against the previous config and everything appears to be correct.

 

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
 
The tunnels are stable and I am not seeing any errors in the logs.

After the upgrade, can you check in the route table whether the VPN uses the same egress interface as before, or whether it changed?

It is using the same egress interface.

packet-tracer input inside tcp x.x.x.x 12345 y.y.y.y 80 detail 

Share the output of packet-tracer if you can.

What does appear strange is that the tunnel will initialise from one side (remote) but not from the local firewall (the updated one); I can see in the debug that if I try from the local side it gets an authentication failure:

username:unknown IKEV2 Negotiation Aborted due to ERROR: Auth exchange failed

If I try from the remote side the tunnel comes up. I have checked the pre-shared keys and they are the same.

Then just clear crypto isakmp and crypto ipsec and check again.

This made no difference.

I have a call with TAC today.

ASA# show asp table vpn-context detail
ASA# show crypto ipsec sa peer x.x.x.x

Run both of the commands above and see whether the SPI for this peer is the same or not.

The inbound and the outbound SPI do match.

#recv errors: xxxx

Do you see recv errors when you do

show crypto ipsec sa

The fault was found to be an incorrect route. On the older version, 9.14(1), this route was ignored; when the upgrade was done to 9.14(4)15 the incorrect route was used.

This was reproducible: by dropping back to the old version it started passing traffic, when we applied the new version it failed, and when we removed the route traffic was passed again.
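The counters that pointed at this fault (#pkts encaps 0 with #pkts decaps climbing, plus the recv errors a later reply asks about) are easy to miss across many peers. The parser below is an added example, not code from any post in this thread; the sample output is constructed in the shape of ASA "show crypto ipsec sa" and uses documentation addresses, and the diagnosis tags are my own naming.

```python
import re

# Constructed sample in the shape of ASA "show crypto ipsec sa" output.
# Peer .1 mirrors the symptom in the thread (inbound only); peer .2 is
# healthy apart from recv errors. Addresses are documentation ranges.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1
      current_peer: 198.51.100.2

      #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
      #pkts decaps: 398, #pkts decrypt: 398, #pkts verify: 398
      #send errors: 0, #recv errors: 7
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")


def parse_ipsec_sa(text):
    """Return {peer: {counter_name: value}} for each SA block in the output."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:                      # a new SA block starts at its current_peer line
            current = m.group(1)
            peers[current] = {}
            continue
        if current:
            for name, val in COUNTER_RE.findall(line):
                peers[current][name] = int(val)
    return peers


def diagnose(peers):
    """Tag each peer with the first-look symptoms its counters show."""
    findings = {}
    for peer, c in peers.items():
        enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
        tags = []
        if enc == 0 and dec > 0:   # the thread's case: check the route/egress toward the peer
            tags.append("inbound-only")
        elif dec == 0 and enc > 0:  # the mirror image: nothing returns from the peer
            tags.append("outbound-only")
        if c.get("recv errors", 0):  # decrypt/verify failures, e.g. SPI or replay problems
            tags.append("recv-errors")
        findings[peer] = tags
    return findings
```

Paste real output into SAMPLE (or read it from a file) and any peer tagged inbound-only is the one whose route and egress interface deserve the check suggested in the first reply.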

Yes, as I mentioned in my first comment, check the egress interface.
I am so glad your issue is solved.
Great job, friend.

Bryson F
Level 1

What are the different distant ends you're trying to reach via the tunnel?
