08-29-2016 09:59 AM
I have a 5525x at HQ with 9.1.5 and a 3845 at a remote site with 15.1(4)M10 IVS
I have had 2 instances now where the 5525 stops encrypting traffic and still just sends it out the outside interface. I can see unroutable replies in the ASA log come back from my WAN router referencing the private IPs at the remote site. Traffic comes from the remote site and is decrypted normally, but the ASA shows no more traffic being encrypted going out on the IPsec tunnel. Both sides still show active IPsec tunnels for the appropriate IP ranges. If I clear crypto session on the 3845, everything comes back online normally. I have 4 or 5 identical setups that all terminate on the ASA, but this is the only one with that issue. What can I do and look for to troubleshoot further?
3845 config
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp peer address 1.1.1.1
set aggressive-mode password ****
set aggressive-mode client-endpoint fqdn rtr.domain.net
description HQ VPN
!
!
crypto ipsec transform-set ASA-IPSEC esp-aes esp-sha-hmac
!
crypto map HQVPN 1 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 28800
set transform-set ASA-IPSEC
match address 100
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.1.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.3.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.32.0 0.0.31.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.64.0 0.0.63.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.128.0 0.0.127.255
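One thing worth checking on the ASA while the problem is happening is whether the outbound counters on the affected SA are still moving at all. The symptom described (decryption fine, encryption stopped, tunnel still "up") shows up in "show crypto ipsec sa" as decaps climbing while encaps stays frozen. The script below is an added example, not from the thread or from Cisco: it parses two constructed snapshots of ASA "show crypto ipsec sa" output (the layout is modelled on the real command, but the addresses, peers and counter values are made up) and classifies each SA by how its counters moved between them, so the one-way SA can be spotted without eyeballing the numbers.

```python
import re

# Two constructed snapshots of ASA "show crypto ipsec sa" output (not from the thread),
# taken about a minute apart on the HQ firewall. The second SA shows the pattern from
# the question: inbound (decaps) keeps climbing while outbound (encaps) is frozen.
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 203.0.113.45

      #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
      #pkts decaps: 2000, #pkts decrypt: 2000, #pkts verify: 2000

      local ident (addr/mask/prot/port): (192.168.8.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 203.0.113.45

      #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
      #pkts decaps: 700, #pkts decrypt: 700, #pkts verify: 700
"""

SNAPSHOT_T1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.248.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 203.0.113.45

      #pkts encaps: 1100, #pkts encrypt: 1100, #pkts digest: 1100
      #pkts decaps: 2200, #pkts decrypt: 2200, #pkts verify: 2200

      local ident (addr/mask/prot/port): (192.168.8.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 203.0.113.45

      #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
      #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
"""

# One SA block: the local/remote ident lines followed by everything up to the next SA.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[\d.]+/[\d.]+)/\d+/\d+\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[\d.]+/[\d.]+)/\d+/\d+\)"
    r"(?P<body>.*?)(?=local ident|\Z)",
    re.S,
)
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text):
    """Map (local ident, remote ident) -> (encaps, decaps) for every SA in the output."""
    sas = {}
    for m in SA_RE.finditer(text):
        body = m.group("body")
        enc = ENCAPS_RE.search(body)
        dec = DECAPS_RE.search(body)
        if enc is None or dec is None:
            continue  # SA printed without counters (e.g. still negotiating)
        sas[(m.group("local"), m.group("remote"))] = (int(enc.group(1)), int(dec.group(1)))
    return sas


def compare_snapshots(before_text, after_text):
    """Classify each SA by how its counters moved between the two snapshots."""
    before = parse_ipsec_sa(before_text)
    after = parse_ipsec_sa(after_text)
    findings = []
    for key, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(key, (0, 0))
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        if d_enc < 0 or d_dec < 0:
            status = "counter-reset"      # SA rekeyed or rebuilt in between; deltas mean nothing
        elif d_dec > 0 and d_enc == 0:
            status = "outbound-stalled"   # the failure mode from the question
        elif d_enc > 0 and d_dec == 0:
            status = "inbound-stalled"
        elif d_enc == 0 and d_dec == 0:
            status = "idle"
        else:
            status = "healthy"
        findings.append({"local": key[0], "remote": key[1],
                         "delta_encaps": d_enc, "delta_decaps": d_dec, "status": status})
    return findings


def stalled_outbound(before_text, after_text):
    """Only the SAs that still receive traffic but have stopped sending any."""
    return [f for f in compare_snapshots(before_text, after_text)
            if f["status"] == "outbound-stalled"]


if __name__ == "__main__":
    for f in compare_snapshots(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{f['local']} <-> {f['remote']}: +{f['delta_encaps']} encaps, "
              f"+{f['delta_decaps']} decaps -> {f['status']}")
```

An "outbound-stalled" SA tells you the ASA is no longer handing traffic to that SA at all, which points at the crypto map / routing / NAT decision on the ASA rather than at the crypto itself; an SA whose counters both keep moving while the remote side still sees nothing points the other way. Pair the result with the packet-tracer and capture output on the inside interface so you can see whether the traffic reaches the ASA in the first place.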
08-29-2016 06:02 PM
Hi,
During the time of the issue, you need to collect packet captures and packet tracer output:
packet-tracer input <inside interface name> icmp 192.168.8.100 8 0 192.168.10.100 detailed
capture cap interface <inside interface name> match ip host 192.168.8.x host 192.168.10.x
capture asp type asp-drop all
"show cap cap" will show you if during the time of the issue, the traffic from the internal subnets reach the ASA.
Also attach the output of show cap asp.
08-30-2016 01:23 AM
Issue is most likely routing or NATting. Kindly check the routing and NAT first.
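Since the crypto map is evaluated against the packet as it leaves the outside interface, after NAT, "check routing and NAT" in practice means confirming that the post-NAT source/destination pair still falls inside the crypto ACL; a flow that misses the ACL is simply forwarded in the clear, which matches the unroutable-reply log entries in the question. The script below is an added example, not from the thread or from Cisco: it parses the router's access-list 100 exactly as posted, mirrors it to get the HQ-side view, converts the wildcard masks to the subnet-mask notation the ASA uses, and answers "would this flow be selected for encryption?" for a few constructed addresses (192.168.8.100, 192.168.10.100 and the made-up public address 203.0.113.10).

```python
import ipaddress

# Crypto ACL copied from the 3845 config in the question (remote site 192.168.10.0/24
# towards the HQ ranges). The parser accepts any "access-list <n> permit ip" lines.
CRYPTO_ACL_100 = """\
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.1.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.3.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.32.0 0.0.31.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.64.0 0.0.63.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.128.0 0.0.127.255
"""


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_acl(text):
    """Return [(src, src_wildcard, dst, dst_wildcard), ...] for 'permit ip' entries."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            entries.append((parts[4], parts[5], parts[6], parts[7]))
    return entries


def _in_wildcard(addr, net, wild):
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    return ((_to_int(addr) ^ _to_int(net)) & ~_to_int(wild) & 0xFFFFFFFF) == 0


def wildcard_to_prefixlen(wild):
    """0.0.7.255 -> 21. Raises on non-contiguous wildcards, which the ASA cannot express."""
    w = _to_int(wild)
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wild}")
    host_bits = (w + 1).bit_length() - 1
    return 32 - host_bits


def selects(acl, src, dst):
    """Index of the first ACE that selects src->dst for encryption, or None if it leaves in the clear."""
    for i, (s, sw, d, dw) in enumerate(acl):
        if _in_wildcard(src, s, sw) and _in_wildcard(dst, d, dw):
            return i
    return None


def mirror(acl):
    """The HQ side must use the exact mirror image of the remote crypto ACL."""
    return [(d, dw, s, sw) for (s, sw, d, dw) in acl]


def asa_style(acl):
    """Render ACEs in prefix-length form to compare against the ASA crypto map."""
    return [f"{s}/{wildcard_to_prefixlen(sw)} -> {d}/{wildcard_to_prefixlen(dw)}"
            for (s, sw, d, dw) in acl]


if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL_100)
    hq_view = mirror(acl)
    print("HQ-side crypto ACL should be:")
    for ace in asa_style(hq_view):
        print("  ", ace)
    # Constructed flows: an untranslated HQ host, and the same flow after being
    # PAT'ed to a made-up public address because a NAT exemption rule is missing.
    for src in ("192.168.8.100", "203.0.113.10"):
        hit = selects(hq_view, src, "192.168.10.100")
        print(f"{src} -> 192.168.10.100: "
              + (f"encrypted by ACE {hit}" if hit is not None else "NOT matched, sent in the clear"))
```

Running it prints the mirrored ACL in the ASA's notation and shows the untranslated host matching ACE 1 while the translated one matches nothing; the same check, fed with the addresses from the ASA's packet-tracer output, tells you whether the tunnel or the NAT/routing configuration is the thing to look at.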