10-05-2014 07:41 AM
I used the ASDM Wizard to create the tunnel on both ends. The tunnel is established but I can only pass traffic one direction. See anything that would be causing this issue?
cronus# sho crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: Y.Y.Y.Y
access-list outside_2_cryptomap extended permit ip 192.168.54.0 255.255.255.0 10.78.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.78.2.0/255.255.255.0/0/0)
current_peer: X.X.X.X
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Y.Y.Y.Y/0, remote crypto endpt.: X.X.X.X/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3E94F7FD
current inbound spi : BABF809B
inbound esp sas:
spi: 0xBABF809B (3133112475)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 98304, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28667)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000FFFF
outbound esp sas:
spi: 0x3E94F7FD (1049950205)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 1, }
slot: 0, conn_id: 98304, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28667)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
cronus#
10-06-2014 12:46 AM
Would you be able to post the output of the show crypto ipsec sa command for the remote site as well? If those two outputs are mirror images of each other and don't point to a possible issue, then it would help to see the running config of both ASAs.
--
Please remember to select a correct answer and rate helpful posts
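Added example, not part of the thread: a sketch of the mirror-image comparison suggested above, parsing the proxy identities and encaps/decaps counters from `show crypto ipsec sa` text for both peers. The cronus sample is abbreviated from the output posted above; the remote-site sample, the name `remote-asa` and the `ratio` threshold are constructed assumptions.

```python
import re

COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")

# Abbreviated from the cronus output posted in the thread.
CRONUS = """\
local ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.78.2.0/255.255.255.0/0/0)
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
"""
# Constructed: the remote site's output was never posted.
REMOTE = """\
local ident (addr/mask/prot/port): (10.78.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.54.0/255.255.255.0/0/0)
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""

def parse_sa(text):
    """Extract proxy identities and encaps/decaps counters from one SA."""
    sa = {name: int(count) for name, count in COUNTER.findall(text)}
    sa.update(dict(IDENT.findall(text)))
    return sa

def compare(sites, ratio=2):
    """sites maps peer name -> parsed SA for exactly the two tunnel peers.
    ratio is an assumed threshold; counters sampled at different moments
    will never match exactly, so treat findings as hints."""
    (a_name, a), (b_name, b) = sites.items()
    findings = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        findings.append("proxy identities are not mirrored")
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        # What one peer encrypts, the other should decrypt.
        if tx["encaps"] > rx["decaps"]:
            findings.append(f"{tx_name} -> {rx_name}: encrypted packets lost in transit")
        # A peer that decrypts far more than it encrypts is receiving traffic
        # whose replies bypass the crypto map (check NAT and routing there).
        if rx["decaps"] > ratio * rx["encaps"]:
            findings.append(f"{rx_name}: replies are not entering the tunnel")
    return findings

if __name__ == "__main__":
    peers = {"cronus": parse_sa(CRONUS), "remote-asa": parse_sa(REMOTE)}
    print("\n".join(compare(peers)) or "SAs look mirrored")
```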
10-06-2014 05:03 AM
Thank you, Marius. I'm all set. The nat (inside,outside) commands were not correct.