01-07-2011 09:10 AM
Hi,
We have a remote client that has a Cisco router to which we establish a VPN (LAN to LAN) from our Cisco ASA5510 firewall. We are the initiator of the VPN tunnel. Our users connect to servers at the remote side, for which we have access-lists defined. Lately we have been having issues where the tunnel will be up, however our users are not able to connect to the servers at the remote end. When I ran the show crypto commands, the following is what I see:
Local end : MM_ACTIVE
Remote end : QM_IDLE (This is not controlled by us, but the remote party sees this state at the router)
When I try to generate interesting traffic, the count of encrypted and encapsulated packets goes up. The decaps and decrypted packet counts do not go up and also have a mismatch in count, and we get "Recv errors" as follows:
#pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
#pkts decaps: 1678, #pkts decrypt: 1638, #pkts verify: 1638
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2210, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 40
When I try to run clear isakmp the LAN to LAN VPN tunnel gets cleared, and the tunnel comes back up, however the issue still remains. There is a mismatch in the decaps and decrypts with recv errors. However, when we call the remote user to reset the tunnel, it fixes the issue. The tunnel comes up, and the received error count goes to 0. Can someone help me out with this issue? There are times that the tunnel will be up for a day or so without this issue.
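As an added example (not from the poster or Cisco), the following script parses the counter block of `show crypto ipsec sa` quoted above and flags the symptoms described: decapsulated packets that were never decrypted, recv errors, and a tunnel where encaps keeps growing while decaps stalls. The sample text is constructed from the numbers in the post, not a live capture.

```python
import re

# Constructed sample of the counter block from "show crypto ipsec sa" on an ASA,
# built from the figures quoted in the post above (not a live capture).
SAMPLE = """\
#pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
#pkts decaps: 1678, #pkts decrypt: 1638, #pkts verify: 1638
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2210, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 40
"""

# Each counter looks like "#<name>: <integer>", several per line, comma separated.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z -]*?):\s*(\d+)")


def parse_counters(text):
    """Return {'pkts encaps': 2210, ...} from a show crypto ipsec sa counter block."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}


def diagnose(c):
    """Return (finding, value) pairs for the symptoms described in the post."""
    findings = []
    # Packets were decapsulated (ESP header stripped) but never decrypted:
    # this gap is what shows up as the decaps/decrypt mismatch.
    drop = c.get("pkts decaps", 0) - c.get("pkts decrypt", 0)
    if drop > 0:
        findings.append(("decaps_without_decrypt", drop))
    if c.get("recv errors", 0) > 0:
        findings.append(("recv_errors", c["recv errors"]))
    # We encapsulate far more than we decapsulate: the far side is not replying
    # over this SA, or its replies are not being accepted.
    if c.get("pkts encaps", 0) > c.get("pkts decaps", 0):
        findings.append(("encaps_exceeds_decaps", c["pkts encaps"] - c["pkts decaps"]))
    return findings


def traffic_one_way(before, after):
    """True when encaps grew between two snapshots but decaps did not:
    we are sending into the tunnel and nothing usable comes back."""
    sent_more = after["pkts encaps"] > before["pkts encaps"]
    got_more = after["pkts decaps"] > before["pkts decaps"]
    return sent_more and not got_more
```

Take one snapshot, generate interesting traffic, take a second, and feed both to `traffic_one_way` to confirm the tunnel is one-way before asking the remote side to reset.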
01-07-2011 09:22 AM
Hi,
One thing could be that the interesting traffic is not mirrored on both ends and that can cause strange behavior.
You should make sure the ACLs match on both ends.
Another thing is that if an SA is cleared only on one end, it might not be cleared on the other end until the lifetime for that SA expires.
You can enable Cisco Dead Peer Detection (DPD) on both sides to allow the devices to monitor the health of the SAs.
Federico.