
IPSec tunnel is UP-Active, cannot access any host on either side.

jigargajra
Level 1

We have an IPSec tunnel between 2 sites.

Hub Site: Cisco ASA 5515 
Remote Site: Cisco FTD 1010 running on ASA image.

 

We recently upgraded our IPSec tunnel from ikev1 to ikev2. The tunnel was working fine for 2 days and suddenly stopped working.

Both sites show the tunnel status as UP-active, but we cannot access any server behind either of these sites.

 

Hub Site 

2508575053      zz.zz.zz.zz/500        yy.yy.yy.yy/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/66 sec
Child sa: local selector  10.15.0.0/0 - 10.15.15.255/65535
          remote selector 192.168.190.0/0 - 192.168.190.255/65535
          ESP spi in/out: 0xd1b2a5e3/0xf9a9ff67  

 

Remote Site:

sh crypto isakmp sa 

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
 35786429 yy.yy.yy.yy/500                                      zz.zz.zz.zz/500                                         READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/68 sec
Child sa: local selector  192.168.190.0/0 - 192.168.190.255/65535
          remote selector 10.15.0.0/0 - 10.15.15.255/65535
          ESP spi in/out: 0xf9d9e2c7/0x6fcf6ed3  
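An added example, not part of the original post: a small Python check that parses the child SA from each peer's output and verifies that the traffic selectors mirror each other and that each side's outbound ESP SPI equals the peer's inbound SPI, which holds when both ends are looking at the same child SA. The function names and the trimmed sample text (constructed from the two outputs in the post) are assumptions of this example, and the comparison is only meaningful for outputs captured at the same moment, since a rekey replaces the SPIs.

```python
import re

# Sample input constructed from the two outputs in the post, trimmed to the
# lines the check needs (addresses are the post's own placeholders).
HUB = """\
2508575053      zz.zz.zz.zz/500        yy.yy.yy.yy/500      READY    RESPONDER
Child sa: local selector  10.15.0.0/0 - 10.15.15.255/65535
          remote selector 192.168.190.0/0 - 192.168.190.255/65535
          ESP spi in/out: 0xd1b2a5e3/0xf9a9ff67
"""
REMOTE = """\
 35786429 yy.yy.yy.yy/500      zz.zz.zz.zz/500      READY    INITIATOR
Child sa: local selector  192.168.190.0/0 - 192.168.190.255/65535
          remote selector 10.15.0.0/0 - 10.15.15.255/65535
          ESP spi in/out: 0xf9d9e2c7/0x6fcf6ed3
"""

SEL = re.compile(r"(local|remote) selector\s+([\d.]+)/\d+ - ([\d.]+)/\d+")
SPI = re.compile(r"ESP spi in/out:\s*(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_child_sa(text):
    """Return selectors and ESP SPIs of the first child SA found in text."""
    sa = {side: (lo, hi) for side, lo, hi in SEL.findall(text)}
    m = SPI.search(text)
    if m is None or set(sa) != {"local", "remote"}:
        raise ValueError("no complete child SA found")
    sa["spi_in"], sa["spi_out"] = int(m.group(1), 16), int(m.group(2), 16)
    return sa


def compare_peers(a, b):
    """List the ways two peers' views of one child SA disagree."""
    problems = []
    if a["local"] != b["remote"] or a["remote"] != b["local"]:
        problems.append("traffic selectors are not mirrored")
    if a["spi_out"] != b["spi_in"]:
        problems.append(f"A out {a['spi_out']:#010x} != B in {b['spi_in']:#010x}")
    if a["spi_in"] != b["spi_out"]:
        problems.append(f"A in {a['spi_in']:#010x} != B out {b['spi_out']:#010x}")
    return problems


if __name__ == "__main__":
    for problem in compare_peers(parse_child_sa(HUB), parse_child_sa(REMOTE)):
        print(problem)
```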