Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
325
Views
0
Helpful
2
Replies

IPSec VPN Problem: AnyConnect works, IPSec not

opticomDA
Level 1
Level 1

‎05-12-2016 07:26 AM - edited ‎02-21-2020 08:49 PM

Hi,

we are using AnyConnect VPN on our ASA5512 without any problems.

Now, cause we need to connect an iPad to the VPN Network, we activated IPSec for the same Group Policy. Everything seems to be ok, the tunnel comes up and the client recieves an IP Adress. The problem is, we cannot reach any devices through the IPSec tunnel. IPSec Session Monitoring shows a lot of Rx packets, but no Tx packets. On the one hand it seems to be routing problem but on the other hand at the same time SSL VPN with same settings works perfectly... and there is no difference between the IPSec and SSL VPN routing, isn't it?

Log shows no errors for this connection.

show crypto isakmp

15  IKE Peer: 111.111.111.111
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

show crypto ipsec sa

Crypto map tag: outside_dyn_map, seq num: 110, local addr: 222.222.222.222

      access-list outside_cryptomap_65535.110 extended permit ip any 172.16.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.66.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.254.10/255.255.255.255/0/0)
      current_peer: 111.111.111.111, username: Administrator
      dynamic allocated peer ip: 172.16.254.10
      dynamic allocated peer ip(ipv6): 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 359, #pkts decrypt: 359, #pkts verify: 359
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 222.222.222.222/4500, remote crypto endpt.: 111.111.111.111/59092
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0D0AF25E
      current inbound spi : 1D67546C

    inbound esp sas:
      spi: 0x1D67546C (493311084)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 29245440, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 2880
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          ...0x00000000 0x00000000 0x00000000 0x00000000...
    outbound esp sas:
      spi: 0x0D0AF25E (218821214)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, IKEv1, }
         slot: 0, conn_id: 29245440, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 2880
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          ...0x00000000 0x00000000 0x00000000 0x00000000...

Any Idea what the problem could be?

Labels:
0 Helpful
2 Replies 2

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎05-12-2016 07:37 AM

Hi,

Could you enable crypto isakmp nat-traversal on the ASA and check ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

opticomDA
Level 1
Level 1
In response to Aditya Ganjoo

‎05-12-2016 07:55 AM

Hi Aditya,

thank you, but nothing changed after enabeling nat-t

0 Helpful
Customers Also Viewed These Support Documents