Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
608
Views
0
Helpful
5
Replies

ASA to AWS vpn tunnel shows encrypt/encaps but no return traffic

jroy777
Level 1
Level 1

‎03-13-2023 11:02 AM

Hello,

We have tunnels up on two different ASA's to Amazon AWS. The "inside" on both ASA's are unique subnets but the the subnet(s) on the AWS side are the same encryption domain for both tunnels. The tunnel peers are unique addresses on the AWS side but the subnets are shared within the AWS cloud

I can see the traffic being encrypted and encapsulated for one tunnel from ASA to AWS but never any return traffic being retuned for other tunnel on other ASA to AWS. The AWS side says all is Good. I think it is a routing issue. Anyone offer some suggestions or ideas?

Working:
ASA Encryption domain ("inside"): 192.168.50.0/23
AWS Encryption domain 10.24.0.0/13

1 IKE Peer: x.x.173.246
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

current_peer: x.x.173.246

#pkts encaps: 199184, #pkts encrypt: 199184, #pkts digest: 199184
#pkts decaps: 193726, #pkts decrypt: 193726, #pkts verify: 193726
#pkts compressed: 0, #pkts decompressed: 0

Not working:
ASA Encryption domain ("inside"): 172.30.30.0/23
AWS Encryption domain 10.24.0.0/13

2 IKE Peer: x.x.179.100
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Crypto map tag: outside-CX_map, seq num: 5, local addr: x.x.14.253

current_peer: x.x.179.100

#pkts encaps: 65089, #pkts encrypt: 65089, #pkts digest: 65089
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0

Labels:
0 Helpful
5 Replies 5

MHM Cisco World
VIP
VIP

‎03-13-2023 11:15 AM

use VTI instead of policy l2l vpn.

0 Helpful

Rob Ingram
VIP
VIP

‎03-13-2023 11:45 AM

@jroy777 as there is no decrypted traffic on the second ASA, that seems to indicate a routing issue on the AWS side not sending traffic over the VPN or traffic is unintentially translated (nat)

Check the routing and nat from the AWS side?

 

0 Helpful

jroy777
Level 1
Level 1

‎03-13-2023 11:48 AM

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution you will need to limit to a single SA, as the service is a route-based solution.

0 Helpful

Rob Ingram
VIP
VIP
In response to jroy777

‎03-13-2023 11:54 AM - edited ‎03-13-2023 12:03 PM

@jroy777 yes that's correct, but you've got two physical ASA's, so therefore you have unique SAs established on different ASAs. This limitation would apply per peer.

0 Helpful
Customers Also Viewed These Support Documents