ikev2 VPN tunnel troubleshooting

Hello Community!

I need expert advice on troubleshooting the ikev2 VPN tunnel. The tunnel is in the "UP" state and the remote and local selectors are also in the UP state. The role of the tunnel is "RESPONDER" on our side. As far as I understand, this means that the remote site must initiate the VPN connection. Problem: we have local traffic that should connect to the remote servers, but the firewall has no routes to those IP addresses through the VPN (V ) that is connected in the routing table. We have a second firewall and it works fine, no problem. Is it possible that the VPN s-t-s tunnel is initiated from the remote site, since our ikev2 tunnel role is "ANSWER"? Do I have to call the remote site to confirm the tunnel and access control list settings?

Thank you!
Sincerely,

Andrey P.

25 Replies

Thank you Rob!
I'll ... but I need to check if I can do it ... this is production and I need to be careful with any command there

I checked the SPIs and it all matched now:

current outbound spi: CA5C71C6 outbound esp sas: spi: 0xCA5C71C6 (3395056070)
current inbound spi : 9D149715 inbound esp sas: spi: 0x9D149715 (2635372309)

current outbound spi: D50D7FB4 outbound esp sas: spi: 0xD50D7FB4 (3574431668)
current inbound spi : 76979EEA inbound esp sas: spi: 0x76979EEA (1989648106)

Did you match
crypto ikev2 sa with crypto ipsec sa ??
If it matches, then
try ping now and check the count.
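The check Rob describes (the child SA SPIs reported by "show crypto ikev2 sa" must agree with "show crypto ipsec sa", and after a ping both the encaps and decaps counters must move) can be scripted. This is an added example, not code from the thread; the sample output is constructed around the SPI values quoted in the post, and the exact ASA line formats ("ESP spi in/out", "#pkts encaps/decaps") are assumed.

```python
import re

# Constructed sample output (not pasted from the thread); the SPI values are
# the ones quoted above, the surrounding lines mimic ASA "show" formatting.
IKEV2_SA = """
Child sa: local selector  10.1.1.0/0 - 10.1.1.255/65535
          remote selector 10.2.2.0/0 - 10.2.2.255/65535
          ESP spi in/out: 0x9d149715/0xca5c71c6
"""
IPSEC_SA = """
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
    current outbound spi: CA5C71C6
    current inbound spi : 9D149715
"""

def ikev2_spis(text):
    """(inbound, outbound) SPIs from the child SA line of 'show crypto ikev2 sa'."""
    m = re.search(r"ESP spi in/out:\s*0x([0-9a-f]+)/0x([0-9a-f]+)", text, re.I)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None

def ipsec_spis(text):
    """(inbound, outbound) SPIs from 'show crypto ipsec sa'."""
    out = re.search(r"current outbound spi:\s*([0-9a-f]+)", text, re.I)
    inb = re.search(r"current inbound spi\s*:\s*([0-9a-f]+)", text, re.I)
    if not (out and inb):
        return None
    return int(inb.group(1), 16), int(out.group(1), 16)

def sas_consistent(ikev2_text, ipsec_text):
    """True when the IKEv2 child SA and the IPsec SA carry the same SPI pair.
    A mismatch usually means a stale SA on one side (e.g. after a rekey)."""
    return ikev2_spis(ikev2_text) == ipsec_spis(ipsec_text)

def counters(text):
    """(encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    m = re.search(r"#pkts encaps:\s*(\d+).*?#pkts decaps:\s*(\d+)", text, re.S)
    return (int(m.group(1)), int(m.group(2))) if m else None

def traffic_flowing(before, after):
    """Both counters must advance across a ping. Encaps growing while decaps
    stays flat means the far side never returns traffic (dropped or routed to
    the wrong interface, as in this thread); neither growing means the local
    side never classified the ping as interesting traffic."""
    return after[0] > before[0] and after[1] > before[1]
```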

Unfortunately I can't.
There is one more firewall that filters the traffic by profile ....
I'll send a request to the client to see if they can do it for me.
Thank you Rob!

@andreycgipokorskiy sounds like the firewall could be the problem, as you previously had working IPSec SAs established.

Check the firewall for drops

You didn't provide an answer to my previous question; I wanted to know if the established SAs are for the traffic you want to communicate with over the tunnel?

Hello Rob!
I'm sorry
I was busy yesterday
There are no established SAs for the interesting traffic, as all traffic is denied by a firewall rule because it is forwarded to the wrong interface.

@andreycgipokorskiy ok, so you now know where the problem is and how to resolve?

I think I should check the remote side ACL and interesting traffic on our side

From yesterday, I have been thinking about what makes the ASA have different SPIs ??
What I think is that you have two IPsec L2L VPN peers behind the same NAT device and you disabled NAT-T or NAT-T is not working; this can lead to this case, I think.

Thank you MHM Cisco World!!
I'll check NAT-T!

Thank you Rob!

I'll check NAT-T!
