IPsec troubleshooting

tanmoymm91
Level 1

Hi Team, at our site there is an ASA FW which has an IPsec tunnel built from it to a remote customer site which has a FortiGate FW.
The tunnel has been up and working fine for a long time, but recently we added one entry to the crypto map interesting-traffic ACL, as one new subnet has been added at our end, and the same has been allowed in the tunnel ACL.

But when doing sh crypto ipsec sa I am not seeing anything for that particular ACL entry.

The forward traffic is reaching the ASA but is not getting into the tunnel, even though routing is also in place.

6 Replies

Do you use IKEv1 or IKEv2?

It's IKEv1.

First, check whether the remote LAN in the IPsec ACL conflicts with any other ACL of another IPsec S2S VPN.

And as @Rob Ingram mentioned, add no-NAT for this traffic.

@tanmoymm91 did you create a NAT exemption rule for this new remote network to ensure traffic is not unintentionally translated?

Example: nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE1 REMOTE1

Obviously create objects to reflect the LAN and REMOTE1 networks.

I assume you generated interesting traffic to establish the tunnel?

Run packet-tracer from the CLI twice to simulate the traffic and provide the output from the second.

No NAT exemption rule configured.

@tanmoymm91 well you will probably need it, otherwise the VPN traffic would be unintentionally translated and therefore not match the crypto ACL. This assumes NAT is configured on the firewall for internet access. Create a rule as per the example above.
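The advice in this thread (a crypto ACL entry without a matching NAT exemption gets translated before it reaches the crypto map, so it never appears in sh crypto ipsec sa) can be checked offline against a saved ASA configuration. The script below is an added example, not code from the thread or from Cisco: it parses network objects, the crypto map's interesting-traffic ACL and identity twice-NAT rules, and reports ACL entries that no exemption covers. The configuration it runs on is constructed for the example, and the object names (LAN, NEW_LAN, REMOTE1), ACL name (VPN_TO_CUSTOMER), crypto map name (OUTSIDE_MAP) and interface names are assumptions. Only the object-based forms used in the thread are parsed; object-groups, host or range objects and pre-8.3 "nat 0 access-list" exemptions are out of scope.

```python
"""Offline check: does every entry in an ASA crypto map ACL have a matching
NAT exemption (identity twice NAT)?  Added example for this thread; the config
below is constructed and the object/ACL/map names are assumptions."""
import re
from ipaddress import ip_network

# Constructed sample configuration modelled on the thread: LAN already has a
# no-NAT rule, the newly added NEW_LAN entry does not.  Not a real device config.
SAMPLE_CONFIG = """\
object network LAN
 subnet 10.1.0.0 255.255.0.0
object network NEW_LAN
 subnet 10.2.0.0 255.255.255.0
object network REMOTE1
 subnet 192.168.50.0 255.255.255.0
access-list VPN_TO_CUSTOMER extended permit ip object LAN object REMOTE1
access-list VPN_TO_CUSTOMER extended permit ip object NEW_LAN object REMOTE1
nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE1 REMOTE1
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
crypto map OUTSIDE_MAP 10 match address VPN_TO_CUSTOMER
"""

# Only the object-based forms used in the thread are parsed; object-groups,
# host/range objects and pre-8.3 "nat 0 access-list" are out of scope.
OBJECT_RE = re.compile(r"^object network (\S+)\n subnet (\S+) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)", re.M)
NAT_RE = re.compile(
    r"^nat \(([^,]+),([^)]+)\) source static (\S+) (\S+) destination static (\S+) (\S+)", re.M)
MAP_RE = r"^crypto map {} \d+ match address (\S+)"


def parse_objects(config):
    """Map network-object names to IPv4Network values."""
    return {name: ip_network(f"{addr}/{mask}") for name, addr, mask in OBJECT_RE.findall(config)}


def crypto_acl_name(config, map_name):
    """Return the ACL referenced by the first 'match address' of the crypto map."""
    m = re.search(MAP_RE.format(re.escape(map_name)), config, re.M)
    return m.group(1) if m else None


def crypto_acl_entries(config, acl_name):
    """(src_object, dst_object) pairs that define the interesting traffic."""
    return [(s, d) for name, s, d in ACL_RE.findall(config) if name == acl_name]


def nat_exemptions(config):
    """Identity twice-NAT rules (real == mapped on both sides), i.e. no-NAT.

    Returns (ingress_if, egress_if, src_object, dst_object) tuples."""
    return [(ing, egr, rs, rd) for ing, egr, rs, ms, rd, md in NAT_RE.findall(config)
            if rs == ms and rd == md]


def unexempted_entries(config, map_name):
    """Crypto ACL entries not covered by any NAT exemption, as object-name pairs."""
    objs = parse_objects(config)
    exempt = [(objs[s], objs[d]) for _, _, s, d in nat_exemptions(config)]
    missing = []
    for src, dst in crypto_acl_entries(config, crypto_acl_name(config, map_name)):
        # Covered if some exemption's source and destination both contain this pair.
        covered = any(objs[src].subnet_of(es) and objs[dst].subnet_of(ed) for es, ed in exempt)
        if not covered:
            missing.append((src, dst))
    return missing


def suggested_exemption(ingress_if, egress_if, src, dst):
    """The no-NAT line to add for one uncovered pair (same shape as in the thread)."""
    return (f"nat ({ingress_if},{egress_if}) source static {src} {src} "
            f"destination static {dst} {dst}")


if __name__ == "__main__":
    for src, dst in unexempted_entries(SAMPLE_CONFIG, "OUTSIDE_MAP"):
        print(f"crypto ACL entry {src} -> {dst} has no NAT exemption; add:")
        print("  " + suggested_exemption("INSIDE", "OUTSIDE", src, dst))
```

On the sample config this reports the NEW_LAN -> REMOTE1 entry and prints the exemption line to add. The script only reviews a saved config; on the box itself, running packet-tracer twice with a source in the new subnet and a destination in the remote network, as suggested above, remains the authoritative check, because it shows which NAT rule actually claimed the packet and whether the VPN phase was reached.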