ASA stops encrypting VPN packets for no discernible reason

P_Tone ATG
Level 1

I have a 5525-X at HQ with 9.1.5 and a 3845 at a remote site with 15.1(4)M10 IOS.

I have had 2 instances now where the 5525 stops encrypting traffic and still just sends it out the outside interface. I can see unroutable replies in the ASA log come back from my WAN router referencing the private IPs at the remote site. Traffic comes from the remote site and is decrypted normally, but the ASA shows no more traffic being encrypted going out on the IPsec tunnel. Both sides still show active IPsec tunnels for the appropriate IP ranges. If I clear crypto session on the 3845, everything comes back online normally. I have 4 or 5 identical setups that all terminate on the ASA, but this is the only one with that issue. What can I do and look for to troubleshoot further?

3845 config

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp peer address 1.1.1.1
 set aggressive-mode password ****
 set aggressive-mode client-endpoint fqdn rtr.domain.net
 description HQ VPN
!
!
crypto ipsec transform-set ASA-IPSEC esp-aes esp-sha-hmac
!
crypto map HQVPN 1 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime seconds 28800
 set transform-set ASA-IPSEC
 match address 100

access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.7.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.8.0 0.0.1.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.12.0 0.0.3.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.16.0 0.0.15.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.32.0 0.0.31.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.64.0 0.0.63.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.128.0 0.0.127.255
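A check for the one-way symptom described in the post (decrypt counters rising while encrypt counters stay flat on an SA that both sides still report as up), written as an added example for this thread and not code from the original post. The two "show crypto ipsec sa" excerpts are constructed, following the counter-line format of that command, and the function names are my own.

```python
import re

# Constructed excerpts of "show crypto ipsec sa" taken a minute apart.
# Numbers are made up; the line format matches the real command output.
SNAPSHOT_T0 = """\
    local ident (addr/mask/prot/port): (192.168.8.0/255.255.254.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
      #pkts decaps: 4800, #pkts decrypt: 4800, #pkts verify: 4800
    local ident (addr/mask/prot/port): (192.168.16.0/255.255.240.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      #pkts encaps: 200, #pkts encrypt: 200, #pkts digest: 200
      #pkts decaps: 210, #pkts decrypt: 210, #pkts verify: 210
"""
SNAPSHOT_T1 = """\
    local ident (addr/mask/prot/port): (192.168.8.0/255.255.254.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
      #pkts decaps: 5100, #pkts decrypt: 5100, #pkts verify: 5100
    local ident (addr/mask/prot/port): (192.168.16.0/255.255.240.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      #pkts encaps: 260, #pkts encrypt: 260, #pkts digest: 260
      #pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa_counters(text):
    """Map (local ident, remote ident) -> {'encaps': n, 'decaps': n}."""
    sas, local, remote = {}, None, None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m[1] == "local":
                local = m[2]
            else:
                remote = m[2]
            continue
        m = COUNTER_RE.search(line)
        if m:
            sas.setdefault((local, remote), {})[m[1]] = int(m[2])
    return sas


def one_way_sas(before, after):
    """SAs that decrypted new packets but encrypted none between snapshots.
    A rekey resets counters to 0, so decaps would not grow and no false alarm fires."""
    stuck = []
    for key, new in after.items():
        old = before.get(key, {"encaps": 0, "decaps": 0})
        if new["decaps"] > old["decaps"] and new["encaps"] == old["encaps"]:
            stuck.append(key)
    return stuck
```

Run it against two real snapshots from the ASA during the outage; an SA flagged here while the HQ-side hosts are still sending is the one whose traffic is leaving the outside interface in the clear.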

2 Replies

pjain2
Cisco Employee

Hi,

During the time of the issue, you need to collect packet captures and packet-tracer output:

packet-tracer input <inside interface name> icmp 192.168.8.100 8 0 192.168.10.100 detailed

capture cap interface <inside interface name> match ip host 192.168.8.x host 192.168.10.x

capture asp type asp-drop all

"show cap cap" will show you whether, during the time of the issue, the traffic from the internal subnets reaches the ASA.

Also attach the output of "show cap asp".

Pawan Raut
Level 4

Issue is most likely routing or NATting. Kindly check the routing and NAT first.