Cisco ASA 5505 to Cisco ASA 5510 Tunnel Passing Traffic In One Direction

chezbrgrs

I used the ASDM Wizard to create the tunnel on both ends.  The tunnel is established but I can only pass traffic one direction.  See anything that would be causing this issue?

cronus# sho crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: Y.Y.Y.Y

      access-list outside_2_cryptomap extended permit ip 192.168.54.0 255.255.255.0 10.78.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.78.2.0/255.255.255.0/0/0)
      current_peer: X.X.X.X

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: Y.Y.Y.Y/0, remote crypto endpt.: X.X.X.X/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3E94F7FD
      current inbound spi : BABF809B

    inbound esp sas:
      spi: 0xBABF809B (3133112475)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 98304, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28667)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000FFFF
    outbound esp sas:
      spi: 0x3E94F7FD (1049950205)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 98304, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28667)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

cronus#

2 Replies

Would you be able to post the output of the show crypto ipsec sa command for the remote site as well?  If those two outputs are mirror images of each other and don't point to a possible issue, then it would help to see the running config of both ASAs.

--

Please remember to select a correct answer and rate helpful posts

Thank you, Marius.  I'm all set.  The nat (inside,outside) commands were not correct.
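
The "mirror image" comparison requested in the first reply can be scripted. The following is an added example, not code from any participant in this thread: it parses the proxy identities and encaps/decaps counters from two `show crypto ipsec sa` outputs and lists where they disagree. The function names `parse_sa` and `compare_peers` are hypothetical, the first sample reuses the counters posted above for cronus, and the remote peer's output is constructed for illustration.

```python
import re

# LOCAL_SA: identities and counters taken from the output posted for "cronus".
# REMOTE_SA: constructed sample for the other ASA (not from the thread).
LOCAL_SA = """\
      local ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.78.2.0/255.255.255.0/0/0)
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
"""
REMOTE_SA = """\
      local ident (addr/mask/prot/port): (10.78.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
      #pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa(text):
    """Return the proxy identities and encaps/decaps counters of one SA block."""
    sa = {side: (addr, mask) for side, addr, mask in IDENT.findall(text)}
    sa.update({name: int(n) for name, n in COUNT.findall(text)})
    missing = {"local", "remote", "encaps", "decaps"} - sa.keys()
    if missing:
        raise ValueError(f"SA block lacks fields: {sorted(missing)}")
    return sa

def compare_peers(a_text, b_text):
    """List findings from comparing both ends (A and B) of one L2L tunnel."""
    a, b = parse_sa(a_text), parse_sa(b_text)
    findings = []
    # Each side's local proxy identity must be the other side's remote identity.
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirrored")
    # Packets one side encrypted should show up as decrypted on the other side
    # (counters cleared at different times can also cause a gap).
    for tx, rx, name in ((a, b, "A->B"), (b, a, "B->A")):
        if tx["encaps"] > rx["decaps"]:
            findings.append(f"{name}: {tx['encaps'] - rx['decaps']} packets encrypted but never decrypted")
    # A side that decrypts far more than it encrypts is receiving tunnel traffic
    # while its own outbound traffic mostly does not enter the tunnel.
    if a["encaps"] != a["decaps"]:
        low = "encaps" if a["encaps"] < a["decaps"] else "decaps"
        findings.append(f"A: {low} lags ({a['encaps']} encaps vs {a['decaps']} decaps)")
    return findings
```

With the sample data the only finding is that encaps lags on cronus, which is the side to inspect for outbound traffic that does not match the crypto ACL, for example because of the NAT rules named in the last post.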