ASA deencaps but no encaps packet, Site-to-Site VPN Router->ASA

mirza.dzafic1
Level 1

Hello everyone,

 

We have an IPsec site-to-site VPN between a Cisco router and a Cisco ASA. The ASA has a static IP, and the router has a dynamic public IP. When I run show crypto ipsec sa I see that packets on the ASA are deencapsulated, but not encapsulated when going back.

 

Does anyone know any solution for this problem?

Thanks


8 Replies

@mirza.dzafic1 possibly a NAT issue, do you have a NAT exemption rule between the local and remote VPN networks to ensure traffic is not unintentionally translated?

 

Example:

object network LOCAL
subnet 20.1.1.0 255.255.255.0
object network REMOTE
subnet 10.1.1.0 255.255.255.0
!
nat (INSIDE,OUTSIDE) source static LOCAL LOCAL destination static REMOTE REMOTE 

 

Hello @Rob Ingram 

 

Yes, I have a NAT exemption rule between the ASA local network and the Cisco router local network.

@mirza.dzafic1 ok, from the ASA run packet-tracer from the CLI to simulate the traffic flow - provide the output for review.

 

Provide the output of "show nat detail".

@Rob Ingram I attached the requested file.

@mirza.dzafic1 have you got a VPN Filter configured?

 

Phase: 10
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP

 

Provide your configuration if unsure.

@Rob Ingram 

I am not sure about the VPN filter, but I didn't configure it. I attached the configuration for the VPN on the Cisco ASA side.

@mirza.dzafic1 not enough information. The VPN filter is configured under the group policy (which is associated to the tunnel group), using the command syntax "vpn-filter value XXXXX" <<< look for this command in your configuration. Remove it or amend the associated ACL to permit the traffic.
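An added helper script, not part of this thread, that automates the two checks Rob walked through: it reads "show crypto ipsec sa" counters to flag a one-way SA (decaps but no encaps), and reads packet-tracer output to find the dropping phase and tell whether it is the ACCESS-LIST/filter-aaa phase that a vpn-filter ACL produces. The two sample outputs are constructed for the example and are not from the poster's ASA.

```python
import re

# Constructed sample of "show crypto ipsec sa" output (not from the thread):
# traffic arrives and is decapsulated, but nothing is encapsulated back.
IPSEC_SA_SAMPLE = """\
    local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532
"""

# Constructed packet-tracer excerpt, modelled on the phase quoted above.
PACKET_TRACER_SAMPLE = """\
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

Phase: 10
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def sa_counters(text):
    """Sum the encaps/decaps counters found in show crypto ipsec sa output."""
    counters = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        counters[name] += int(value)
    return counters

def one_way_tunnel(text):
    """True when the SA decapsulates traffic but never encapsulates any."""
    c = sa_counters(text)
    return c["decaps"] > 0 and c["encaps"] == 0

def drop_phase(text):
    """Return (phase, type, subtype) of the first DROP phase, or None."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+): (.+)$", block, re.M))
        if fields.get("Result") == "DROP":
            return (int(fields["Phase"]), fields["Type"], fields["Subtype"])
    return None

def likely_vpn_filter(text):
    """A DROP in an ACCESS-LIST/filter-aaa phase points at a vpn-filter ACL."""
    hit = drop_phase(text)
    return hit is not None and hit[1] == "ACCESS-LIST" and hit[2] == "filter-aaa"
```

Feed the functions the real command output and, if likely_vpn_filter() is true, look for "vpn-filter value" under the group policy as described above.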

@Rob Ingram 

Hi Rob. Thanks for the detailed instructions. tunnel-group DefaultL2LGroup had a group policy, and in that group policy was a vpn-filter. I removed the vpn-filter and it seems everything is OK now.

 

Thank you very much.