01-06-2018 06:14 AM - edited 03-12-2019 04:53 AM
Hello everyone,
I have an urgent problem with a site-to-site VPN configuration. The channel is up, phase 1 (IKEv1) and phase 2 (IPsec) are OK, and I can see the connection in the Monitoring section of Cisco ASDM, but unfortunately, when I run an IP packet tracer I get DROP in the VPN phase, although the tunnel is activated correctly.
A telnet to the destination internal IP does not succeed; I see the TX bytes increase, but the RX bytes remain at 0.
Can you please help me? What is missing? I have a Cisco ASA V.9.5 (ASA 5506).
My sh crypto isakmp sa:
fw-plabs(config)# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 62.97.2.6
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
My sh crypto ipsec sa:
fw-plabs(config)# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 88.63.105.66
access-list outside_cryptomap_2 extended permit ip 172.16.45.0 255.255.255.0 10.209.21.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.45.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.209.21.0/255.255.255.0/0/0)
current_peer: 62.97.2.6
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 88.63.105.66/0, remote crypto endpt.: 62.97.2.6/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CD487401
current inbound spi : 98EF46B9
inbound esp sas:
spi: 0x98EF46B9 (2565818041)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/27745)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xCD487401 (3444077569)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/27745)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Thanks a lot.
Regards
Miky_506
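The symptom described in the post above (TX increasing, RX at 0) appears in `show crypto ipsec sa` as `#pkts encaps` rising while `#pkts decaps` stays at 0. As an added example, not part of the original post, this Python script parses that output per SA and flags tunnels in that one-way state; the function names and the second SA in the sample (peer 192.0.2.10) are constructed for illustration.

```python
import re

# Constructed sample: trimmed from the output format shown in the post, plus a
# made-up second SA (peer 192.0.2.10) with traffic in both directions.
SAMPLE = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 88.63.105.66
      local ident (addr/mask/prot/port): (172.16.45.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.209.21.0/255.255.255.0/0/0)
      current_peer: 62.97.2.6
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 88.63.105.66
      local ident (addr/mask/prot/port): (172.16.45.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
      current_peer: 192.0.2.10
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
"""

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER = re.compile(r"current_peer:\s*(\S+)")
COUNTER = re.compile(r"#([^:#,]+):\s*(\d+)")

def parse_sas(text):
    """Return one dict per SA; a new SA starts at each 'local ident' line."""
    sas = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local" or not sas:
                sas.append({"counters": {}})
            sas[-1][m.group(1)] = m.group(2)
        elif sas:
            m = PEER.search(line)
            if m:
                sas[-1]["peer"] = m.group(1)
            for name, value in COUNTER.findall(line):
                sas[-1]["counters"][name.strip()] = int(value)
    return sas

def one_way_sas(sas):
    """SAs that encapsulate outbound packets but have decapsulated none inbound."""
    return [sa for sa in sas
            if sa["counters"].get("pkts encaps", 0) > 0
            and sa["counters"].get("pkts decaps", 0) == 0]

if __name__ == "__main__":
    for sa in one_way_sas(parse_sas(SAMPLE)):
        print(sa.get("peer"), sa.get("local"), "->", sa.get("remote"), sa["counters"])
```
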
01-06-2018 06:23 AM
Duplicate post. Please post a given question in one forum only.
01-06-2018 06:30 AM
01-06-2018 06:34 AM
It's OK - I moved the other post for you since I had already replied to it.
You can always relocate your own posts - just click the three dots in the top right of the post.