Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1226
Views
0
Helpful
5
Replies

ASA VPN not encrypting traffic

Infrastructure Team
Level 1
Level 1

‎06-14-2017 03:40 AM

Hi all, Hope someone can point me to the one bit I've obviously missed.

I've got two replicated VPN's with GRE.  IPSEC from ASA -> K9 remote Router passing GRE tunnel traffic from Core loopback to K9 remote Router loopback.

One connection works fine, the second one is failing to encrypt traffic.

I've checked the crypto and both are the same.

I've checked the ACL's and both are the same.

I've checked the NAT statements and both are the same.

(with the exceptions of the remote IP's)

One connection is encrypting traffic (bsu mobile), the other isn't encrypting outgoing traffic (preston).

Packet captures on the ASA show the packets from loopback interfaces on the inside, but only the not working connection on the outside interface.  Wireshark captures mirroring the ports show EIGRP packets inside for the both connections tunnel interfaces, but only the not working tunnel on the outside of the firewall.

Packet tracer shows the same results for both connections.

Labels:
Preview file
28 KB
Preview file
6 KB
Preview file
32 KB
Preview file
11 KB
0 Helpful
5 Replies 5

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-14-2017 05:54 AM

Does the ASA have a route to the remote loopback interface out its outside interface?

0 Helpful

Infrastructure Team
Level 1
Level 1
In response to Philip D'Ath

‎06-14-2017 08:51 AM

It does have a route. 

Latest test, the crypto ACL shows no hits.  If I change the source IP in that ACL to say my PC rather than our GRE router, and make a connection attempt, the ACL is hit, and the packet is encrypted.  Change the ACL back to our core Loopback interface address and it stops encrypting the traffic.

This Loopback interface is used for the working tunnel.

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to Infrastructure Team

‎06-14-2017 12:56 PM

You are not using policy routing anywhere, are you?

This sounds like a software bug.  What model ASA are you using and what software version are you running on it?

0 Helpful

Infrastructure Team
Level 1
Level 1
In response to Philip D'Ath

‎06-15-2017 01:44 AM

ASA 5525 on 9.4 (4) 5

However just after 8pm last night the firewall suddenly started sending encrypted packets, after a few hours of being left alone.

Now I just need to figure out why EIGRP isn't associating, despite seeing packets in both directions, and initial eigrp associate on the GRE.

0 Helpful
Customers Also Viewed These Support Documents