IPSec Site to Site - Encaps but No Decaps (Router ISR4221 to Cisco ASA 5505)

geocamus
Level 1

Hello friends, I would like to request your support, as I have a Site-to-Site connection configured on my ISR4221 router to another company with a Cisco ASA 5505.
I see that the packets are encapsulated but not decapsulated. I have reviewed the log and cannot find where I might have the error; I have tried my VPN, NAT and NO-NAT configurations in different ways and it gives the same error. I do not think it is a connection error to the internal subnet; I think the error is in the encryption and decryption of packets in the VPN tunnel. It should be noted that the VPN tunnel is established correctly.


INFORMATION:
My Public IP Address: A.B.C.D
My SubNetwork: 172.16.255.0/24 - Host Used on this Script: 172.16.255.37/24
Public IP Address other site: W.X.Y.Z
SubNetwork other site: 172.18.199.0/24


R1#SHOW CRYPTO IPSEC SA

protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.255.37/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.18.199.0/255.255.255.0/0/0)
current_peer W.X.Y.Z port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 399, #pkts encrypt: 399, #pkts digest: 399
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: A.B.C.D, remote crypto endpt.: W.X.Y.Z
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x498E008F(1234043023)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE6ADD75C(3870152540)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2285, flow_id: ESG:285, sibling_flags FFFFFFFF80000048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4608000/3370)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x498E008F(1234043023)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2286, flow_id: ESG:286, sibling_flags FFFFFFFF80000048, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4607995/3370)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

 

R1#show crypto session
Crypto session current status

Interface: GigabitEthernet0/0/0
Session status: UP-ACTIVE
Peer: W.X.Y.Z port 500
Session ID: 0
IKEv1 SA: local A.B.C.D/500 remote W.X.Y.Z/500 Active
IPSEC FLOW: permit ip host 172.16.255.38 172.18.199.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 172.16.255.37 172.18.199.0/255.255.255.0
Active SAs: 2, origin: crypto map

1 Reply

Hi,
Assuming your router is configured correctly, you should get the other company to confirm their configuration and determine the output of "show crypto ipsec sa" and check encaps|decaps. They may not be sending traffic via the tunnel, which is why you are not getting any decaps on your end. They should check NAT and routing.

HTH
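A small checker for the symptom in this thread, added here as an example and not code from the thread or from Cisco: it parses "show crypto ipsec sa" output, pairs each local/remote ident with its encaps/decaps counters and flags a one-way SA (encaps but no decaps means the local side is sending and the peer side's crypto ACL, NAT exemption or routing is the place to look). The embedded sample is a constructed excerpt based on the output posted above.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the thread's "show crypto ipsec sa" output
# (only the lines the classifier reads are kept).
SAMPLE_OUTPUT = """\
local ident (addr/mask/prot/port): (172.16.255.37/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.18.199.0/255.255.255.0/0/0)
#pkts encaps: 399, #pkts encrypt: 399, #pkts digest: 399
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?: \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

@dataclass
class Flow:
    local: str = ""
    remote: str = ""
    encaps: int = 0   # packets this router encrypted toward the peer
    decaps: int = 0   # packets received from the peer and decrypted

    def verdict(self) -> str:
        """Classify the SA pair from its packet counters."""
        if self.encaps and not self.decaps:
            return "outbound-only"  # we send, nothing returns: check the peer side
        if self.decaps and not self.encaps:
            return "inbound-only"   # peer sends, our crypto ACL/NAT/routing never selects traffic
        if not (self.encaps or self.decaps):
            return "idle"           # no traffic matched the crypto ACL in either direction
        return "bidirectional"

def parse_ipsec_sa(text):
    """Return one Flow per local/remote ident pair found in the command output."""
    flows = []
    cur = None
    for line in text.splitlines():
        if m := IDENT_RE.match(line):
            side, addr, mask = m.groups()
            if side == "local":           # each SA block starts with its local ident
                cur = Flow()
                flows.append(cur)
            if cur is not None:
                setattr(cur, side, f"{addr}/{mask}")
        elif cur is not None and (m := COUNTER_RE.search(line)):
            setattr(cur, m.group(1), int(m.group(2)))
    return flows
```

Feeding it the full output of a router with several crypto map entries gives one verdict per ident pair, which is handy for a quick health check before involving the remote administrator.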