ASA VPN MM_ACTIVE but no connection

abhishek.1024
Level 1

Hi,

We have a remote client that has a Cisco router, to which we establish a LAN-to-LAN VPN from our Cisco ASA5510 firewall. We are the initiator of the VPN tunnel. Our users connect to servers at the remote side, for which we have access-lists defined. Lately we have been having issues where the tunnel will be up, but our users are not able to connect to the servers at the remote end. When I run the show crypto commands, the following is what I see:

Local end : MM_ACTIVE

Remote end : QM_IDLE (This is not controlled by us, but the remote party sees this state at the router)

When I try to generate interesting traffic, the count of encrypted and encapsulated packets goes up. The decaps and decrypted packet counts do not go up, there is a mismatch between them, and we get "recv errors" as follows:


#pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
#pkts decaps: 1678, #pkts decrypt: 1638, #pkts verify: 1638
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2210, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 40

When I run clear isakmp, the LAN-to-LAN VPN tunnel gets cleared and the tunnel comes back up; however, the issue still remains. There is a mismatch between the decaps and decrypt counts, with recv errors. However, when we call the remote user to reset the tunnel, that fixes the issue: the tunnel comes up, and the received error count goes to 0. Can someone help me out with this issue? There are times when the tunnel will be up for a day or so without this issue.
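As an added illustration (not part of the original post), the following Python parses the per-SA counter block quoted above and flags the three symptoms the poster describes: outbound packets far exceeding inbound, decapsulated packets that never reach the decrypt counter, and a non-zero recv error count. A second helper compares two snapshots taken before and after generating interesting traffic, which is the "encaps goes up, decaps does not" pattern. The sample text is the counter block from the question; the counter names are taken from that output, and everything else (function names, thresholds) is assumed.

```python
import re

# Constructed sample: the per-SA counter block quoted in the question above.
SAMPLE_SA_COUNTERS = """\
#pkts encaps: 2210, #pkts encrypt: 2210, #pkts digest: 2210
#pkts decaps: 1678, #pkts decrypt: 1638, #pkts verify: 1638
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2210, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 40
"""

# Every counter has the shape "#<name>: <integer>"; names may contain spaces and hyphens.
# Because ':' and ',' are excluded from the name class, each match is bounded to one counter.
COUNTER_RE = re.compile(r"#([\w\- ]+?):\s*(\d+)")


def parse_sa_counters(text):
    """Map each '#name: value' counter in 'show crypto ipsec sa' output to an int."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def assess_sa(counters):
    """Return human-readable findings for the asymmetries described in the question."""
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    decrypt = counters.get("pkts decrypt", 0)
    recv_errors = counters.get("recv errors", 0)
    findings = []
    if decaps < encaps:
        # Far more sent than received: the peer is not returning (or not accepting) traffic.
        findings.append(f"outbound/inbound imbalance: {encaps} encaps vs {decaps} decaps")
    if decrypt < decaps:
        # Packets arrived and were de-encapsulated but did not complete decryption.
        findings.append(f"{decaps - decrypt} packets decapsulated but not decrypted")
    if recv_errors > 0:
        findings.append(f"{recv_errors} recv errors on the inbound SA")
    return findings


def inbound_stalled(before, after):
    """True when outbound counters advanced between two snapshots but inbound did not.

    This is the pattern the question describes: generating interesting traffic raises
    encaps/encrypt while decaps/decrypt stay flat.
    """
    out_grew = after.get("pkts encaps", 0) > before.get("pkts encaps", 0)
    in_grew = after.get("pkts decaps", 0) > before.get("pkts decaps", 0)
    return out_grew and not in_grew


if __name__ == "__main__":
    counters = parse_sa_counters(SAMPLE_SA_COUNTERS)
    for finding in assess_sa(counters):
        print(finding)
```

Feed two captures of the same SA a minute apart to inbound_stalled to confirm the one-way symptom before involving the remote side; the assess_sa findings on a single capture already point at the inbound direction, which is where the remote peer's crypto ACL and SA state need to be checked.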

Accepted Solution

Hi,

One thing could be that the interesting traffic is not mirrored on both ends and that can cause strange behavior.

You should make sure the ACLs match on both ends.

Another thing is that if an SA is cleared only on one end, it might not be cleared on the other end until the lifetime for that SA expires.

You can enable Cisco Dead Peer Detection (DPD) on both sides to allow the devices to monitor the health of the SAs.

Federico.
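The mirrored-ACL check above is easy to get wrong by eye when one side is an ASA (subnet masks) and the other an IOS router (wildcard masks), as in this thread. The following Python is an added example, not part of the answer: it parses both notations into network pairs and reports every entry whose mirror image is missing on the other side. The ACL names, numbers and addresses are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample: ASA side of the LAN-to-LAN crypto ACL (subnet-mask notation).
LOCAL_ASA_ACL = [
    "access-list L2L extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0",
    "access-list L2L extended permit ip 10.1.10.0 255.255.255.0 10.2.20.0 255.255.255.0",
]

# Constructed sample: IOS router side (wildcard-mask notation). The second entry is
# deliberately not a mirror of the ASA's second entry: its destination is too wide.
REMOTE_IOS_ACL = [
    "access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255",
    "access-list 101 permit ip 10.2.20.0 0.0.0.255 10.1.0.0 0.0.255.255",
]

ASA_ACE = re.compile(r"access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
IOS_ACE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def _net_from_mask(addr, mask):
    """ASA style: address plus subnet mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _net_from_wildcard(addr, wildcard):
    """IOS style: address plus wildcard mask, which is the bitwise inverse of a subnet mask."""
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa_acl(lines):
    """Return the set of (source, destination) networks permitted by ASA extended ACEs."""
    pairs = set()
    for line in lines:
        m = ASA_ACE.search(line)
        if m:
            src, smask, dst, dmask = m.groups()
            pairs.add((_net_from_mask(src, smask), _net_from_mask(dst, dmask)))
    return pairs


def parse_ios_acl(lines):
    """Return the set of (source, destination) networks permitted by IOS numbered ACEs."""
    pairs = set()
    for line in lines:
        m = IOS_ACE.search(line)
        if m:
            src, swc, dst, dwc = m.groups()
            pairs.add((_net_from_wildcard(src, swc), _net_from_wildcard(dst, dwc)))
    return pairs


def acl_mismatches(local_pairs, remote_pairs):
    """Return (missing_on_remote, extra_on_remote).

    A crypto ACL is mirrored when every (src, dst) on one side appears as (dst, src)
    on the other. Entries in either set mean the two peers disagree on what traffic
    the tunnel protects, which produces exactly the one-way symptoms in the question.
    """
    expected_remote = {(dst, src) for src, dst in local_pairs}
    return expected_remote - remote_pairs, remote_pairs - expected_remote


def check_mirrored(local_lines, remote_lines):
    """Convenience wrapper: True only when both ACLs are exact mirrors of each other."""
    missing, extra = acl_mismatches(parse_asa_acl(local_lines), parse_ios_acl(remote_lines))
    return not missing and not extra


if __name__ == "__main__":
    missing, extra = acl_mismatches(parse_asa_acl(LOCAL_ASA_ACL), parse_ios_acl(REMOTE_IOS_ACL))
    for src, dst in sorted(missing, key=str):
        print(f"remote is missing: permit ip {src} -> {dst}")
    for src, dst in sorted(extra, key=str):
        print(f"remote has unexpected: permit ip {src} -> {dst}")
```

Run it against the two sides' configs before clearing SAs: a non-empty result explains the asymmetric counters without any SA state being stale, and fixing the ACLs first avoids chasing the DPD and lifetime angle unnecessarily.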
