02-23-2016 11:45 AM
I have two new ASA 5505s running 8.2(5) between which I have an established VPN tunnel; however, there is no traffic passing over it. Can't figure out why...
ASA 1
show isa sa
ASA1# show isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
CandysScottASA#
show ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (MurfreesboroLAN/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4531, #pkts decrypt: 4531, #pkts verify: 4531
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7BED8968
current inbound spi : 7F92FF17
inbound esp sas:
spi: 0x7F92FF17 (2140339991)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373531/13816)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7BED8968 (2079164776)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/13816)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA 2
show isa sa
ASA2# show isa sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ScottsvilleLAN/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4552, #pkts encrypt: 4552, #pkts digest: 4552
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4552, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7F92FF17
current inbound spi : 7BED8968
inbound esp sas:
spi: 0x7BED8968 (2079164776)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/13749)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7F92FF17 (2140339991)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914529/13749)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA1 shows decaps with no encaps, ASA2 shows encaps with no decaps.
sysopt connection permit-vpn has been issued on both units.
Any ideas on why this is happening?
02-25-2016 12:36 PM
Check the routing and NAT config on ASA1.
encaps 0 means this ASA is having an issue encrypting the packets (so either the NAT exemption is not present on the ASA or the routing is incorrect):
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4531, #pkts decrypt: 4531, #pkts verify: 4531
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nat_exemption
please share the config for analysis.....
#Rohan
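Added example (not part of the thread or of any poster's config): a small script that parses the two "show crypto ipsec sa" outputs posted above and applies the counter reading from the reply above, flagging which side is not encrypting, checking that the proxy identities mirror each other, and checking whether a NAT-exemption ACL actually covers the crypto ACL. The embedded sample text is constructed from the counters in the first post, with the object names (MurfreesboroLAN, ScottsvilleLAN) replaced by their prefixes; only the fields the script needs are kept.

```python
"""Cross-check two ASA 'show crypto ipsec sa' outputs for a one-way L2L tunnel.

Constructed samples, abbreviated from the outputs posted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

ASA1_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4531, #pkts decrypt: 4531, #pkts verify: 4531
#send errors: 0, #recv errors: 0
"""

ASA2_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 4552, #pkts encrypt: 4552, #pkts digest: 4552
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Crypto ACL from ASA1, and a NAT-exempt line that points at the wrong destination
CRYPTO_ACL_ASA1 = "access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"
NONAT_WRONG = "access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0"
NONAT_RIGHT = "access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0"


@dataclass
class IpsecSa:
    local_addr: str
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


_FIELDS = {
    "local_addr": r"local addr:\s*(\S+)",
    "peer": r"current_peer:\s*(\S+)",
    "local_ident": r"local ident \(addr/mask/prot/port\):\s*\(([^)]*)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\):\s*\(([^)]*)\)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors:\s*(\d+)",
    "recv_errors": r"#recv errors:\s*(\d+)",
}


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract one crypto-map entry's identities and counters from 'show crypto ipsec sa'."""
    vals = {}
    for name, pattern in _FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found in output: {name}")
        vals[name] = m.group(1)
    for name in ("encaps", "decaps", "send_errors", "recv_errors"):
        vals[name] = int(vals[name])
    return IpsecSa(**vals)


def diagnose(a: IpsecSa, b: IpsecSa, a_name: str = "ASA1", b_name: str = "ASA2") -> List[str]:
    """Compare both ends of one tunnel and say which side is not doing its half."""
    findings = []
    if a.peer != b.local_addr or b.peer != a.local_addr:
        findings.append("peer addresses do not cross-match between the two outputs")
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        findings.append("proxy identities are not mirror images; the crypto ACLs must mirror each other")
    for me, other, me_name, other_name in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        if me.encaps == 0 and me.decaps > 0:
            # Decrypting but never encrypting: clear-text from the LAN never hits the crypto map
            findings.append(f"{me_name}: decrypts {me.decaps} packets but encrypts none; traffic from its "
                            f"LAN is not reaching the crypto map (NAT exemption, routing, or no host sending)")
        elif me.encaps > 0 and me.decaps == 0:
            if other.encaps == 0:
                findings.append(f"{me_name}: encrypts {me.encaps} packets but decrypts none; nothing comes "
                                f"back because {other_name} is not encrypting, so the fault is on {other_name}")
            else:
                findings.append(f"{me_name}: decrypts none although {other_name} encrypted {other.encaps}; "
                                f"ESP is lost in transit or dropped on the outside interface")
        elif me.encaps == 0 and me.decaps == 0:
            findings.append(f"{me_name}: no traffic in either direction matched this SA")
        if me.send_errors or me.recv_errors:
            findings.append(f"{me_name}: send/recv errors present ({me.send_errors}/{me.recv_errors})")
    return findings


_ACL_RE = re.compile(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def acl_networks(line: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Source and destination networks of a 'permit ip src mask dst mask' ACE."""
    m = _ACL_RE.search(line)
    if m is None:
        raise ValueError("not a 'permit ip src mask dst mask' line")
    src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return src, dst


def nat_exempt_covers(nonat_line: str, crypto_line: str) -> bool:
    """True if the NAT-exempt ACE covers everything the crypto ACE will try to encrypt."""
    nsrc, ndst = acl_networks(nonat_line)
    csrc, cdst = acl_networks(crypto_line)
    return csrc.subnet_of(nsrc) and cdst.subnet_of(ndst)


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(ASA1_SA), parse_ipsec_sa(ASA2_SA)):
        print(line)
    print("wrong nonat covers crypto ACL:", nat_exempt_covers(NONAT_WRONG, CRYPTO_ACL_ASA1))
    print("right nonat covers crypto ACL:", nat_exempt_covers(NONAT_RIGHT, CRYPTO_ACL_ASA1))
```

On the thread's counters the script reports that ASA1 decrypts but never encrypts and that ASA2's zero decaps are simply the consequence, which is the same conclusion the reply above draws by eye; the NAT-exempt check is there because an exemption ACE written for a different destination network (192.168.100.0/24 in the template above versus 192.168.2.0/24 in the crypto ACL) leaves the crypto ACL uncovered and gives exactly this encaps-0 symptom.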
02-29-2016 11:56 PM
Hi,
Here is a quick test to check whether the ASA2 device (IP 2.2.2.2) is able to encrypt the packet or not.
On ASA2, enable "management-access inside" on the inside interface.
Now, from any device behind ASA1, try pinging the ASA2 inside IP (192.168.2.1).
If you get the replies, then good.
If you do not, then turn on debug.
Do you see any request/reply in the
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2
pre-shared-key *****
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 96.82.236.65
May I know the reason for using this IP, not sure if
Regards,
Aditya
03-01-2016 01:19 AM
Hello
I suppose this is a test setup.
How are you initiating the traffic from the local LAN at 192.168.1.0/24? Do you have a test PC which is initiating the traffic to the remote local network?
From the config all looks good to me; the only problem is that it's not encrypting the packets.
Please ping using the management interface as Aditya suggested.
Eg:
! Vlan1 is the interface carrying nameif inside on the 5505
management-access inside
ping inside 192.168.2.1 repeat 100
Use the ACL below to test the NAT exemption:
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
03-16-2016 08:37 AM
I tried my ping from the management interface, still no love. I found some info on the Cisco website about some buggy behavior on 8.2(5); I have upgraded both units to 8.4(7), same story. I am going on site to try to generate some traffic from devices on the inside network(s) to see what happens. Not sure why this is being so problematic. I have set these up many times in the past via the L2L VPN wizard in ASDM and it always just works, up until now.
03-17-2016 01:03 PM
It appears that my L2L VPN config was good all along, I just didn't know it. I went on site yesterday, both locations are quite a drive, and tested traffic on actual hosts on each inside network. The tunnel passed traffic as expected. I just got faked into thinking that it wasn't working, as I could not get ASA inside to ASA inside traffic to go across the tunnel despite management-access inside being applied to both ASAs.
03-01-2016 06:04 AM
Hi,
Thanks for the info.
Please check the action plan and test.
Regards,
Aditya
Please rate helpful posts.
02-29-2016 08:01 PM
Hello,
On ASA1 you can set a capture:
capture capin interface inside match ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
Send traffic, then do a show capture capin.
Make sure that you see packets back and forth.
Also run a packet tracer:
packet-tracer input inside icmp 192.168.1.5 8 0 192.168.2.5 detailed
Check the VPN phase; if it is ALLOW then the VPN tunnel is fine.
Please make sure you ping an internal host; don't ping the interface itself. If you do so, please enable management access to the interface with the command:
management-access inside
so that the interface can reply to the pings.
If this still doesn't resolve the issue you will probably need to reload ASA1; there could be a duplicate SPI stuck that is not letting the traffic be encrypted.
Regards, please rate!