01-31-2023 11:08 AM
Hello Community!
Need expert advice on troubleshooting an IKEv2 VPN tunnel. The tunnel is in the "UP" state and the remote and local selectors are also in the UP state. The role of the tunnel is "RESPONDER" on our side. As far as I understand, this means that the remote site must initiate the VPN connection. Problem: we have local traffic that should connect to the remote servers, but the firewall has no routes to those IP addresses through the VPN (V) connected in the routing table. We have a second firewall and it works fine, no problem. Is it possible if the VPN s-t-s tunnel is initiated from the remote site, as our IKEv2 tunnel role is "ANSWER"? Do I have to call the remote site to confirm the tunnel and access control list settings?
Thank you!
Sincerely,
Andrey P.
01-31-2023 01:27 PM
Thank you Rob!
I'll ... but I need to check if I can do it ... this is production and I need to be careful with any command there
01-31-2023 01:32 PM
I checked the SPIs and it all matched now:
current outbound spi: CA5C71C6 outbound esp sas: spi: 0xCA5C71C6 (3395056070)
current inbound spi : 9D149715 inbound esp sas: spi: 0x9D149715 (2635372309)
current outbound spi: D50D7FB4 outbound esp sas: spi: 0xD50D7FB4 (3574431668)
current inbound spi : 76979EEA inbound esp sas: spi: 0x76979EEA (1989648106)
01-31-2023 01:37 PM
Did you match
crypto ikev2 sa with crypto ipsec sa ??
If it matches, then
try ping now and check the count.
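A quick way to do the SPI comparison suggested above when you have the `show crypto ipsec sa` output from both peers (added example, not part of the thread; the sample outputs are constructed, with the local side mirroring the values posted in this thread and one remote child SA deliberately out of sync):

```python
import re

# Constructed "show crypto ipsec sa" fragments for the two peers (not real
# device output). Every local outbound SPI must appear as a remote inbound
# SPI and vice versa; anything without a counterpart points at a stale SA.
LOCAL_OUTPUT = """\
current outbound spi: CA5C71C6
current inbound spi : 9D149715
current outbound spi: D50D7FB4
current inbound spi : 76979EEA
"""
REMOTE_OUTPUT = """\
current outbound spi: 9D149715
current inbound spi : CA5C71C6
current outbound spi: 76979EEA
current inbound spi : 11223344
"""

# Matches "current inbound spi : 9D149715" and "current outbound spi: 0xCA5C71C6"
SPI_RE = re.compile(r"current (inbound|outbound) spi\s*:\s*(?:0x)?([0-9A-Fa-f]{8})")


def parse_spis(output):
    """Return {'inbound': set, 'outbound': set} of the SPIs found in the output."""
    found = {"inbound": set(), "outbound": set()}
    for direction, spi in SPI_RE.findall(output):
        found[direction].add(spi.upper())
    return found


def cross_check(local_output, remote_output):
    """Report SPIs on each peer that have no matching SA on the other peer."""
    local = parse_spis(local_output)
    remote = parse_spis(remote_output)
    return {
        "local_outbound_unknown_to_remote": sorted(local["outbound"] - remote["inbound"]),
        "local_inbound_unknown_to_remote": sorted(local["inbound"] - remote["outbound"]),
        "remote_outbound_unknown_to_local": sorted(remote["outbound"] - local["inbound"]),
        "remote_inbound_unknown_to_local": sorted(remote["inbound"] - local["outbound"]),
    }


if __name__ == "__main__":
    for key, spis in cross_check(LOCAL_OUTPUT, REMOTE_OUTPUT).items():
        print(f"{key}: {spis or 'none'}")
```

An empty result in all four lists means the child SAs agree on both sides and the problem lies elsewhere (routing, ACL or an intermediate firewall); a non-empty list identifies which SA pair is stale.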
01-31-2023 01:49 PM
Unfortunately I can't.
There is one more firewall that filters the traffic by profile ....
I'll send a request to the client to see if they can do it for me.
Thank you Rob!
01-31-2023 01:58 PM
@andreycgipokorskiy sounds like the firewall could be the problem, as you previously had working IPSec SAs established.
Check the firewall for drops
You didn't provide an answer to my previous question; I wanted to know if the established SAs are for the traffic you want to communicate over the tunnel?
02-01-2023 10:43 AM
Hello Rob!
I'm sorry
I was busy yesterday
There are no established SAs for the interesting traffic, as all traffic is denied by a firewall rule because it is forwarded to the wrong interface.
02-01-2023 11:00 AM
@andreycgipokorskiy ok, so you now know where the problem is and how to resolve it?
02-01-2023 11:03 AM
I think I should check the remote side ACL and the interesting traffic on our side.
02-01-2023 11:45 AM
Since yesterday I have been thinking about what makes the ASA have different SPIs ??
What I think is that you have two IPSec L2L VPN peers behind the same NAT device and you disabled NAT-T or NAT-T does not work; this can lead to this case, I think.
02-02-2023 08:18 AM
Thank you MHM Cisco World!!
I'll check NAT-T!
02-02-2023 06:35 AM
Thank you Rob!
I'll check NAT-T!