09-27-2017 03:33 AM - edited 03-12-2019 04:34 AM
Hi everyone
I am trying to establish an IPsec IKEv1 tunnel between an ASA with default parameters and a Cisco router. When I ping from both sides of the LAN behind the ASA or the router, the tunnel comes up. Both phase 1 and phase 2 complete.
But the output of "show crypto ipsec sa" shows that only packets get encrypted and that counter is increasing, but the decrypted packet counter does not. This behaviour is the same on both sides of the tunnel.
What can be wrong? I copied the output of show crypto ipsec sa for both the ASA and the Cisco router.
I appreciate any help.
OUTPUT on Cisco router:
protected vrf: A-TRANS-2
local ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.68.3.0/255.255.255.0/0/0)
current_peer 9*.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1*.x.x.x, remote crypto endpt.: 9*.x.x.x
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x80228938(2149747000)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x27D63456(668349526)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4529, flow_id: ESG:2529, sibling_flags FFFFFFFF80004048, crypto map: s2s
sa timing: remaining key lifetime (k/sec): (4608000/3584)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x80228938(2149747000)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4530, flow_id: ESG:2530, sibling_flags FFFFFFFF80004048, crypto map: s2s
sa timing: remaining key lifetime (k/sec): (4607998/3584)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
---------------
OUTPUT on ASA:
Crypto map tag: outside_map0, seq num: 1, local addr: 9*.x.x.x
access-list outside_cryptomap_2 extended permit ip 10.68.3.0 255.255.255.0 10.245.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.68.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
current_peer: 1*.x.x.x
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 9*.x.x.x/0, remote crypto endpt.: 1*.x.x.x/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 189E3E1A
current inbound spi : 29A10488
inbound esp sas:
spi: 0x29A10488 (698418312)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 303104, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4374000/3557)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x189E3E1A (413023770)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 303104, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373999/3502)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ciscoasa#
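The two captures above show the same pattern on both peers: the encaps/encrypt counters grow while decaps/decrypt stay at zero, so each device is emitting ESP but never sees the other side's ESP (dropped in transit, or discarded on the outside interface before it reaches the SA). A second thing worth checking in paired captures is that one peer's outbound SPI equals the other peer's inbound SPI; if the outputs were taken at different moments a rekey can legitimately make them differ, so treat that finding as advisory. The following script is an added example, not something from the original post or from Cisco; it parses excerpts of the two outputs quoted above (the excerpt strings are copied from the post, trimmed to the lines the parser uses) and reports both symptoms.

```python
"""
Parse `show crypto ipsec sa` output from a Cisco IOS router and an ASA and
check two classic signs of a one-way or dead IPsec tunnel:
  1. a side encapsulates packets but never decapsulates any
  2. the inbound/outbound ESP SPIs of the two peers do not pair up
The two sample outputs are abbreviated copies of the captures in the post.
"""
import re

ROUTER_OUTPUT = """\
local ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.68.3.0/255.255.255.0/0/0)
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
inbound esp sas:
spi: 0x27D63456(668349526)
outbound esp sas:
spi: 0x80228938(2149747000)
"""

ASA_OUTPUT = """\
local ident (addr/mask/prot/port): (10.68.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0x29A10488 (698418312)
outbound esp sas:
spi: 0x189E3E1A (413023770)
"""


def parse_sa(text):
    """Return packet counters and the first inbound/outbound ESP SPI seen.

    Handles both the IOS form ("#send errors 0") and the ASA form
    ("#send errors: 0"); the "current ... spi:" summary lines are ignored
    because only the per-SA "spi: 0x..." lines are matched.
    """
    info = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0,
            "inbound_spi": None, "outbound_spi": None}
    section = None  # which SA list ("inbound"/"outbound") we are inside
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"#pkts encaps:\s*(\d+)", line)
        if m:
            info["encaps"] = int(m.group(1))
            continue
        m = re.search(r"#pkts decaps:\s*(\d+)", line)
        if m:
            info["decaps"] = int(m.group(1))
            continue
        m = re.search(r"#send errors:?\s*(\d+),\s*#recv errors:?\s*(\d+)", line)
        if m:
            info["send_errors"] = int(m.group(1))
            info["recv_errors"] = int(m.group(2))
            continue
        if line.startswith("inbound esp sas"):
            section = "inbound"
            continue
        if line.startswith("outbound esp sas"):
            section = "outbound"
            continue
        m = re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)
        if m and section and info[f"{section}_spi"] is None:
            info[f"{section}_spi"] = int(m.group(1), 16)
    return info


def diagnose(a, b, name_a="router", name_b="asa"):
    """Compare two parsed outputs and return a list of human-readable findings."""
    findings = []
    for name, info in ((name_a, a), (name_b, b)):
        if info["encaps"] > 0 and info["decaps"] == 0:
            findings.append(f"{name}: sends ESP (encaps={info['encaps']}) "
                            f"but has decapsulated nothing; check that ESP from "
                            f"the peer is reaching and allowed into this interface")
        if info["recv_errors"]:
            findings.append(f"{name}: {info['recv_errors']} receive errors on the SA")
    # For a single SA pair, A's outbound SPI must equal B's inbound SPI and vice versa.
    for out_name, out, in_name, inn in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if out["outbound_spi"] != inn["inbound_spi"]:
            findings.append(f"{out_name} outbound SPI 0x{out['outbound_spi']:08X} != "
                            f"{in_name} inbound SPI 0x{inn['inbound_spi']:08X} "
                            f"(stale capture after rekey, or mismatched SAs)")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_sa(ROUTER_OUTPUT), parse_sa(ASA_OUTPUT)):
        print("-", line)
```

Run against the post's captures it reports four findings: both peers encapsulate without decapsulating, and neither SPI pairs up with the other side's. The counter finding is the one that matters for the question asked; the SPI finding tells you whether the two outputs even describe the same SA pair, which is worth confirming before comparing them further.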
09-27-2017 05:32 AM
Hi
Traceroute from both sides shows that packets are arriving at the right device.