IPSEC Problem

arshad.usmani
Level 1

We have an end-to-end IPsec tunnel between Point A and Point B.

Both ends of the IPsec tunnel are UP, and the status is as follows:

------------Point A-------------------------

Router A#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
57.72.23.101 116.228.146.118 QM_IDLE 2013 0 ACTIVE

IPv6 Crypto ISAKMP SA

Router A#sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: From_FastEthernet4, local addr 116.228.146.118
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 57.72.23.101 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 116.228.146.118, remote crypto endpt.: 57.72.23.101
path mtu 1500, ip mtu 1500
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

---------Point B------------------------

Router B#sh crypto isakmp sa vrf pointB | inc 116.228.146.118
57.72.23.101 116.228.146.118 QM_IDLE 157 0

Router B#sh crypto ipsec sa vrf PointB | b 116.228.146.118
current_peer: 116.228.146.118:500
PERMIT, flags={}
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 57.72.23.101, remote crypto endpt.: 116.228.146.118
path mtu 1500, media mtu 1500
current outbound spi: BE014FB9
inbound esp sas:
spi: 0xA690AE43(2794499651)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot/subslot: 8/0, conn id: 11017, flow_id: 103, crypto map: ups_brown_net_dslbackup_map
crypto engine type: Hardware, engine_id: 2
sa timing: remaining key lifetime (k/sec): (4565127/550)
ike_cookies: 29E6AAFE 0C8FB7E9 28E0C772 EBF5FCA7
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:

As shown in the output, the packets (pkts decaps) are not de-encapsulated on Router B and are getting dropped.

Any suggestions on the problem above?

1 Reply

arshad.usmani
Level 1

I can see the packets flowing from Router A:

psha1381#sh crypto ipsec sa
interface: FastEthernet4
Crypto map tag: From_FastEthernet4, local addr 116.228.146.118
protected vrf: (none)
local ident (addr/mask/prot/port): (57.215.221.18/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 57.72.23.101 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 47, #pkts encrypt: 47, #pkts digest: 47
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0

B) Also, when I run an ICMP debug, I see the messages below:

Mar 13 01:59:08.233: ICMP: echo reply sent, src 57.215.221.18, dst 57.7.21.185
*Mar 13 01:59:08.237: ICMP: dst (116.228.146.118) administratively prohibited unreachable rcv from 218.1.20.50
*Mar 13 01:59:09.225: ICMP: echo reply sent, src 57.215.221.18, dst 57.7.21.185
*Mar 13 01:59:09.229: ICMP: dst (116.228.146.118) administratively prohibited unreachable rcv from 218.1.20.50
*Mar 13 01:59:10.225: ICMP: echo reply sent, src 57.215.221.18, dst 57.7.21.185
*Mar 13 01:59:10.229: ICMP: dst (116.228.146.118) administratively prohibited unreachable rcv from 218.1.20.50
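The troubleshooting method used in both posts above is to compare the `#pkts encaps` counter on the sending peer with the `#pkts decaps` counter on the receiving peer, and then look at `debug ip icmp` output for unreachables that explain where packets are lost. The script below, an added example that is not part of the thread and not Cisco code, automates that comparison: it parses the counter lines from each peer's `show crypto ipsec sa` output, flags a direction where one side encapsulates but the other decapsulates nothing, and extracts the senders of "administratively prohibited" unreachables as candidate filtering hops. The embedded excerpts are constructed from the figures posted above (Router A from the follow-up, Router B from the first post), and the diagnostic rules are a heuristic, not a documented Cisco API.

```python
"""Correlate IPsec SA counters from both peers with ICMP debug output.

Added example, not from the original thread. Input excerpts are constructed
to mirror the 'show crypto ipsec sa' and 'debug ip icmp' lines posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: Router A (116.228.146.118) from the follow-up post.
ROUTER_A_SA = """\
local crypto endpt.: 116.228.146.118, remote crypto endpt.: 57.72.23.101
#pkts encaps: 47, #pkts encrypt: 47, #pkts digest: 47
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#send errors 0, #recv errors 0
"""

# Constructed excerpt: Router B (57.72.23.101) from the first post.
ROUTER_B_SA = """\
local crypto endpt.: 57.72.23.101, remote crypto endpt.: 116.228.146.118
#pkts encaps: 24, #pkts encrypt: 24, #pkts digest: 24
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
current outbound spi: BE014FB9
"""

# Constructed excerpt of the 'debug ip icmp' lines from the follow-up post.
ICMP_DEBUG = """\
*Mar 13 01:59:08.233: ICMP: echo reply sent, src 57.215.221.18, dst 57.7.21.185
*Mar 13 01:59:08.237: ICMP: dst (116.228.146.118) administratively prohibited unreachable rcv from 218.1.20.50
*Mar 13 01:59:09.229: ICMP: dst (116.228.146.118) administratively prohibited unreachable rcv from 218.1.20.50
"""


@dataclass
class SaCounters:
    local: str
    remote: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    outbound_spi: Optional[int]  # None when the SPI line is absent from the excerpt


def parse_ipsec_sa(text: str) -> SaCounters:
    """Extract the counters the thread reads from one peer's SA output."""
    ends = re.search(r"local crypto endpt\.: ([\d.]+), remote crypto endpt\.: ([\d.]+)", text)
    if not ends:
        raise ValueError("no crypto endpoint line found")

    def grab(pattern: str) -> int:
        m = re.search(pattern, text)
        return int(m.group(1)) if m else 0

    spi_m = re.search(r"current outbound spi: (\S+)", text)
    # Both '0x0(0)' and 'BE014FB9' forms appear in IOS output; take the hex part.
    spi = int(spi_m.group(1).split("(")[0], 16) if spi_m else None
    return SaCounters(
        local=ends.group(1), remote=ends.group(2),
        encaps=grab(r"#pkts encaps: (\d+)"), decaps=grab(r"#pkts decaps: (\d+)"),
        send_errors=grab(r"#send errors (\d+)"), recv_errors=grab(r"#recv errors (\d+)"),
        outbound_spi=spi,
    )


def diagnose(a: SaCounters, b: SaCounters) -> List[str]:
    """Heuristic checks for a one-directional ESP loss between two peers."""
    findings = []
    for tx, rx in ((a, b), (b, a)):
        if tx.outbound_spi == 0:
            findings.append(f"{tx.local}: outbound SPI is 0x0, so no IPsec SA exists "
                            f"even if ISAKMP shows QM_IDLE; phase 2 did not complete")
        if tx.encaps > 0 and rx.decaps == 0:
            findings.append(f"{tx.local} encapsulated {tx.encaps} packets but {rx.local} "
                            f"decapsulated 0: ESP from {tx.local} is lost before reaching "
                            f"{rx.local}'s inbound SA (path filtering or SA mismatch)")
        if rx.recv_errors > 0:
            findings.append(f"{rx.local}: {rx.recv_errors} recv errors on the inbound SA")
    return findings


ICMP_UNREACH_RE = re.compile(r"ICMP: dst \(([\d.]+)\) (.+?) unreachable rcv from ([\d.]+)")


def parse_icmp_unreachables(debug: str) -> List[Dict[str, str]]:
    """Pull received ICMP unreachables out of 'debug ip icmp' output."""
    return [{"dst": m.group(1), "reason": m.group(2), "sender": m.group(3)}
            for m in ICMP_UNREACH_RE.finditer(debug)]


def filtering_hops(unreachables: List[Dict[str, str]]) -> List[str]:
    """Senders of 'administratively prohibited' unreachables: devices with an ACL
    or policy dropping the traffic; check that ESP (IP proto 50) and UDP/500 pass."""
    return sorted({u["sender"] for u in unreachables if u["reason"] == "administratively prohibited"})


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(ROUTER_A_SA), parse_ipsec_sa(ROUTER_B_SA)):
        print("finding:", line)
    print("filtering hops:", filtering_hops(parse_icmp_unreachables(ICMP_DEBUG)))
```

On the constructed input the script reports the single finding the poster describes (Router A encapsulates, Router B decapsulates nothing) and names 218.1.20.50 as the hop answering with administratively prohibited unreachables, which is where the next question about ACLs or policy on the path belongs.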