10-25-2009 03:42 AM
The actual problem is that the tunnel traffic between the local and remote side is encrypted and decrypted for only one host. The other host's traffic is not encrypted and decrypted.
The Crypto ACL is as below
access-list vpn-list permit ip host 192.168.1.1 host 10.10.10.1
access-list vpn-list permit ip host 192.168.1.2 host 10.10.10.1
When the traffic of host 192.168.1.1 is encrypted, the other host 192.168.1.2 is not encrypted and there is no ACL hit count increase.
What could be the issue?
We tried deleting the whole VPN configuration and reapplying it, but the result is the same as before.
'show crypto ipsec sa' shows that both are under the tunnel, but when one host is encrypted the other is not encrypted.
Ping to the remote host 10.10.10.1 from 192.168.1.1 is OK, but from 192.168.1.2 it fails. After some time 192.168.1.2 can ping the remote, but 192.168.1.1 cannot.
Thanks
swami
10-25-2009 12:20 PM
Hi swami
Are you able to check the No NAT statements?
Regards MJ
10-25-2009 11:43 PM
Check your NAT exempt access-list and ensure that the remote host has the same set of hosts specified in its crypto access-list.
The output of 'debug crypto isakmp 254' when initiating or receiving traffic would also be helpful.
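Added example, not part of the original thread: a small offline check for the two things the replies suggest comparing, namely that every local crypto ACL entry has an exact mirror on the remote peer and that it is covered by the NAT exempt ACL. The ACL name nonat, the NAT exempt lines and the whole remote peer configuration are constructed assumptions; only the two vpn-list lines come from the question.

```python
import ipaddress

# Local crypto ACL as posted; the "nonat" ACL is a constructed assumption.
LOCAL_CFG = """
access-list vpn-list permit ip host 192.168.1.1 host 10.10.10.1
access-list vpn-list permit ip host 192.168.1.2 host 10.10.10.1
access-list nonat permit ip host 192.168.1.1 host 10.10.10.1
"""
# Constructed remote peer config, for illustration only.
REMOTE_CFG = """
access-list vpn-list permit ip host 10.10.10.1 host 192.168.1.1
"""

def parse_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    entries = set()
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", name] or "permit" not in tok:
            continue
        rest = tok[tok.index("permit") + 2:]  # skip 'permit' and the protocol
        nets = []
        while rest and len(nets) < 2:
            if rest[0] == "host":             # host A.B.C.D
                nets.append(ipaddress.ip_network(rest[1] + "/32"))
                rest = rest[2:]
            elif rest[0] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                rest = rest[1:]
            else:                             # network followed by netmask
                nets.append(ipaddress.ip_network(f"{rest[0]}/{rest[1]}"))
                rest = rest[2:]
        if len(nets) == 2:
            entries.add(tuple(nets))
    return entries

def mirror_gaps(local, remote):
    """Local crypto entries with no exact (dst, src) mirror on the remote peer."""
    return sorted(local - {(dst, src) for src, dst in remote})

def nat_exempt_gaps(crypto, nonat):
    """Crypto entries not covered by any entry of the NAT exempt ACL."""
    return sorted(e for e in crypto if not any(
        e[0].subnet_of(s) and e[1].subnet_of(d) for s, d in nonat))

if __name__ == "__main__":
    crypto = parse_acl(LOCAL_CFG, "vpn-list")
    print("no mirror on peer:", mirror_gaps(crypto, parse_acl(REMOTE_CFG, "vpn-list")))
    print("not NAT exempt:", nat_exempt_gaps(crypto, parse_acl(LOCAL_CFG, "nonat")))
```

With the constructed configs above, both checks flag the 192.168.1.2 entry; paste the real ACL lines from each peer into the two strings to run the same comparison.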