Cisco ASA no Encaps on IPSEC

Skywalker

Hello Everyone,

So I have been struggling with getting IPSEC LAN to LAN connectivity to work, but in vain.

Both phases come up, but traffic seems to flow in one direction (incoming), so traffic going out is not encrypted (no encaps, to my understanding).

 

I got this out of a production environment and simulated the lab in GNS3, and I was able to reproduce the same issue.

This is the topology:

External_FW-ASA-5515<OSPF>INTERNAL_FW::FGATE<Directly connected>LOCAL SERVERS.

 

So, during the lab I removed the OSPF bit and had the endpoint connected directly to the ASA, and I was able to have end-to-end connectivity.

My question is: how come the same routes, when learned via OSPF, are not being NATed over the IPSEC tunnel? (I would assume this is a NAT issue.)

Please note that the same route gets redistributed into OSPF with the internal FW so the ASA knows about it.

 

Any workaround for this?

Thank you.

1 Accepted Solution

Accepted Solutions

@Skywalker You've got a VPN Filter configured incorrectly - "When a vpn-filter is applied to a group-policy that governs a L2L VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL".

 

You've got your local network as the source as you are re-using the cryptomap ACL.

 

access-list outside_cryptomap extended permit ip object SERVER-LOCAL object SERVER-REMOTE

Remove or amend your VPN Filter

group-policy GroupPolicy_10.10.103.2 attributes
 no vpn-filter value outside_cryptomap
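The misconfiguration named in the accepted solution can be checked for mechanically. The following is an added example, not part of the original thread or of any Cisco tooling: it flags a `vpn-filter` that reuses a crypto map match ACL, which is written local-to-remote and is therefore reversed when used as a filter. The `crypto map outside_map 1` line in the sample and the ACL name `VPN_FILTER_IN` are assumptions.

```python
import re

# Constructed sample: the ACL line and group-policy name are quoted in the thread;
# the crypto map line is assumed from the "show crypto ipsec sa" output.
BROKEN = """\
access-list outside_cryptomap extended permit ip object SERVER-LOCAL object SERVER-REMOTE
crypto map outside_map 1 match address outside_cryptomap
group-policy GroupPolicy_10.10.103.2 attributes
 vpn-filter value outside_cryptomap
"""

# Constructed fix: VPN_FILTER_IN is a hypothetical ACL with the remote network as source.
FIXED = """\
access-list outside_cryptomap extended permit ip object SERVER-LOCAL object SERVER-REMOTE
access-list VPN_FILTER_IN extended permit ip object SERVER-REMOTE object SERVER-LOCAL
crypto map outside_map 1 match address outside_cryptomap
group-policy GroupPolicy_10.10.103.2 attributes
 vpn-filter value VPN_FILTER_IN
"""

CRYPTO_MATCH = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
ATTR_BLOCK = re.compile(r"^(group-policy|username) (\S+) attributes$")
VPN_FILTER = re.compile(r"^vpn-filter value (\S+)$")


def audit_vpn_filters(config):
    """Flag vpn-filter statements that reuse a crypto map (interesting-traffic) ACL."""
    lines = [ln.strip() for ln in config.splitlines()]
    # ACL name -> "map seq" for every ACL used to select traffic for encryption.
    crypto_acls = {}
    for ln in lines:
        m = CRYPTO_MATCH.match(ln)
        if m:
            crypto_acls[m.group(3)] = f"{m.group(1)} {m.group(2)}"
    findings, block = [], None
    for ln in lines:
        m = ATTR_BLOCK.match(ln)
        if m:
            block = m.group(2)       # remember which attributes block we are inside
            continue
        m = VPN_FILTER.match(ln)     # "no vpn-filter ..." does not match
        if m and block and m.group(1) in crypto_acls:
            findings.append({"policy": block, "acl": m.group(1),
                             "crypto_map": crypto_acls[m.group(1)]})
    return findings


if __name__ == "__main__":
    for f in audit_vpn_filters(BROKEN):
        print(f"{f['policy']}: vpn-filter {f['acl']} is also the match ACL of crypto map "
              f"{f['crypto_map']}; a filter needs remote as source, local as destination")
    print("fixed config findings:", audit_vpn_filters(FIXED))
```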

 


@Skywalker if the tunnel is up with decaps but no encaps, that is usually a routing issue or a missing NAT exemption rule. Without fully understanding your environment, it is hard to tell.

Can you run packet-tracer (with OSPF and directly connected) and provide the output for review? That should provide a clue.

Hi Rob,

Thank you for responding,

Let me share the full details as per the reproduced issue in the lab. In fact, I have even eliminated the 3rd party firewall on the internal firewall and replaced it with the ASA.

It's also important to mention that at some point I replaced the internal FW with a c7200 (in the lab) and the issue was still there.

 

TOPOLOGY:

Topo-Lab.png

 

Outputs:

ciscoasa# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.103.1

access-list outside_cryptomap extended permit ip host 10.10.10.120 192.168.140.0 255.255.255.252
local ident (addr/mask/prot/port): (10.10.10.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.140.0/255.255.255.252/0/0)
current_peer: 10.10.103.2


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 756, #pkts decrypt: 756, #pkts verify: 756
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.10.103.1/500, remote crypto endpt.: 10.10.103.2/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 405AF0EC
current inbound spi : 992B30B0

inbound esp sas:
spi: 0x992B30B0 (2569744560)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 87564288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239297/26600)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x405AF0EC (1079701740)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 87564288, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4101120/26600)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

PC2> ping 10.10.10.120

10.10.10.120 icmp_seq=1 timeout
10.10.10.120 icmp_seq=2 timeout
10.10.10.120 icmp_seq=3 timeout
^C
PC2> trace 10.10.10.120
trace to 10.10.10.120, 8 hops max, press Ctrl+C to stop
1 192.168.140.1 0.695 ms 0.405 ms 0.361 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
^C 7

Also attached is the config for the ASAs (I am so convinced the issue is on the ASAs network).

 

Kindly take a look,

Thank you.
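The symptom in the output above (decaps counting up while encaps stays at 0) can be picked out of `show crypto ipsec sa` text automatically. This is an added example, not part of the original thread: a small parser that classifies each SA by direction and also notes the single-DES and HMAC-MD5 transforms visible in the output. The sample text is trimmed from the two outputs posted in this thread; the function names are hypothetical.

```python
import re

# Trimmed from the two "show crypto ipsec sa" outputs posted in this thread.
SAMPLE = """\
local ident (addr/mask/prot/port): (10.10.10.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.140.0/255.255.255.252/0/0)
current_peer: 10.10.103.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 756, #pkts decrypt: 756, #pkts verify: 756
transform: esp-des esp-md5-hmac no compression
local ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
current_peer: 10.101.1.1
#pkts encaps: 2647, #pkts encrypt: 2647, #pkts digest: 2647
#pkts decaps: 4034, #pkts decrypt: 4034, #pkts verify: 4034
transform: esp-des esp-md5-hmac no compression
"""

IDENT = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
PEER = re.compile(r"^current_peer: (\S+)")
PKTS = re.compile(r"^#pkts (encaps|decaps): (\d+),")
TRANSFORM = re.compile(r"^transform: (.+)$")
WEAK = {"esp-des", "esp-md5-hmac"}  # single DES and HMAC-MD5 are deprecated


def parse_ipsec_sas(text):
    """Return one dict per SA pair found in the CLI output."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT.match(line)
        if m and m.group(1) == "local":   # a "local ident" line opens a new SA block
            cur = {"local": f"{m.group(2)}/{m.group(3)}", "remote": None,
                   "peer": None, "encaps": 0, "decaps": 0, "weak": set()}
            sas.append(cur)
        elif cur is None:
            continue
        elif m:
            cur["remote"] = f"{m.group(2)}/{m.group(3)}"
        elif (m := PEER.match(line)):
            cur["peer"] = m.group(1)
        elif (m := PKTS.match(line)):
            cur[m.group(1)] = int(m.group(2))
        elif (m := TRANSFORM.match(line)):
            cur["weak"] |= WEAK & set(m.group(1).split())
    return sas


def direction(sa):
    """inbound-only is the thread's symptom: check route, NAT exemption, vpn-filter."""
    if sa["decaps"] and not sa["encaps"]:
        return "inbound-only"
    if sa["encaps"] and not sa["decaps"]:
        return "outbound-only"
    return "bidirectional" if sa["encaps"] else "idle"


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE):
        print(sa["peer"], sa["local"], "->", sa["remote"], direction(sa), sorted(sa["weak"]))
```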

 


Hello All,

Sorry, it has been a while with no update.

Managed to get it working. Seems the actual issue was routing.

Below is the full ASA config and output.

Also attached is the topology for the LAB.

WAN-B-ASA# sh running-config
: Saved

:
: Serial Number: 9AV2ACN3G8L
: Hardware: ASAv, 2048 MB RAM, CPU Pentium II 2496 MHz
:
ASA Version 9.8(3)
!
hostname WAN-B-ASA
enable password $sha512$5000$WKhuosXgRfU5EL7FKTuwHA==$b+NPvUhli11C8XLQzA/IYQ== pbkdf2
names
no mac-address auto

!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
nameif TO-INT-FW
security-level 100
ip address 172.16.200.1 255.255.255.248
!
interface GigabitEthernet0/3
nameif WAN
security-level 0
ip address 10.101.1.2 255.255.255.252
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif mgt
security-level 0
ip address dhcp
!
ftp mode passive
object network INTERNAL-LAN-NET
subnet 192.168.210.0 255.255.255.0
object network REMOTE-LAN-NET
subnet 192.168.220.0 255.255.255.0
access-list WAN_cryptomap extended permit ip object INTERNAL-LAN-NET object REMOTE-LAN-NET
pager lines 23
mtu TO-INT-FW 1500
mtu WAN 1500
mtu mgt 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (TO-INT-FW,WAN) source static INTERNAL-LAN-NET INTERNAL-LAN-NET destination static REMOTE-LAN-NET REMOTE-LAN-NET no-proxy-arp route-lookup
router ospf 1
router-id 172.16.200.1
network 172.16.200.0 255.255.255.248 area 0
area 0
log-adj-changes
default-information originate metric 1
!
route WAN 0.0.0.0 0.0.0.0 10.101.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 mgt
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 10.101.1.1
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map WAN_map interface WAN
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable WAN
crypto ikev1 enable WAN
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy GroupPolicy_10.101.1.1 internal
group-policy GroupPolicy_10.101.1.1 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
username cisco password $sha512$5000$fbH/01nbdrCVNxSQwAZ6og==$CJB5w8hnG60QudEr9J0TTg== pbkdf2
tunnel-group 10.101.1.1 type ipsec-l2l
tunnel-group 10.101.1.1 general-attributes
default-group-policy GroupPolicy_10.101.1.1
tunnel-group 10.101.1.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http http://10.22.183.117:8080/ddce/services/DDCEService
destination transport-method http
Cryptochecksum:abdbd859e429f8b94da5afba4b1bae39
: end
WAN-B-ASA# $
WAN-B-ASA#
WAN-B-ASA# sho
WAN-B-ASA# show cry
WAN-B-ASA# show crypto ip
WAN-B-ASA# show crypto ipsec sa
WAN-B-ASA# show crypto ipsec sa
interface: WAN
Crypto map tag: WAN_map, seq num: 1, local addr: 10.101.1.2

access-list WAN_cryptomap extended permit ip 192.168.210.0 255.255.255.0 192.168.220.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.210.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.220.0/255.255.255.0/0/0)
current_peer: 10.101.1.1


#pkts encaps: 2647, #pkts encrypt: 2647, #pkts digest: 2647
#pkts decaps: 4034, #pkts decrypt: 4034, #pkts verify: 4034
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2647, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.101.1.2/500, remote crypto endpt.: 10.101.1.1/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0C21AEFC
current inbound spi : 4DF60EA4

inbound esp sas:
spi: 0x4DF60EA4 (1307971236)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 126038016, crypto-map: WAN_map
sa timing: remaining key lifetime (kB/sec): (4192948/25782)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x0C21AEFC (203534076)
SA State: active
transform: esp-des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 126038016, crypto-map: WAN_map
sa timing: remaining key lifetime (kB/sec): (4239142/25781)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

Topology.png

Note: The connections to the Hub are for just management.