11-16-2010 08:23 PM - edited 02-21-2020 04:58 PM
hi,
i have 2 questions on IPsec vpn
i have a asa running ipsec vpn (l2l) to remote site with network of 192.168.0.0/24
1> i can ping 192.168.0.1 but not 192.168.0.111. i had observed "recv errors" whenever i ping to 192.168.0.111.
i had observed received errors from "show crypto ipsec sa" output; but not since the tunnel reconnect (after timeout) and w/o any changes to the config.
what could be the cause and how can i troubleshoot, just in case the errors return? i cant find much info on the "recv errors".
2> i understand there are 2 acl required for a typical ipsec vpn; 1 for no NAT, 1 for crypto map match address
can i implement an acl to allow only 3389 tcp from the remote network to my local network on the asa?
thanks
cash
11-17-2010 12:37 AM
Hi Cash,
Receive errors are generally seen if the packet is malformed or if the packet is modified by a device on the transit path resulting in checksums failing and other stuff.
So, it is not such big a cause of concern and as you said on renegotiation the issue has been resolved.
As far as your question about TCP port 3389 is concerned, do you want to allow only TCP port 3389 across the VPN ?
If so, we could use VPN filters. It is a better idea and implementation as opposed to using 3389 in the crypto ACL.
The guide for setting up VPN filters on Cisco ASA is provided in the link below,
Cheers,
Nash.
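To make the VPN-filter suggestion concrete, here is an added example (not from the thread or from Cisco) that parses one ASA-style vpn-filter ACE and models how the ASA evaluates it: flows arriving from the remote side are matched as written, flows leaving towards the remote side are matched with source and destination swapped. The ACL name RDP-ONLY, the group-policy name and the host addresses are assumptions; the two networks are the idents shown later in the thread. Running it shows that the filter permits remote hosts to reach local TCP/3389 and nothing else from that side, and that the only locally initiated flows it lets through are those sourced from port 3389 (which is how the return half of an RDP session looks).

```python
"""Model ASA vpn-filter evaluation for a 'TCP/3389 from remote only' filter.

Added example, not part of the thread. Only the 'net mask net mask [eq port]' form of an
ACE is parsed; 'host', 'any' and port ranges are out of scope here.
"""
import ipaddress
import re

# Constructed vpn-filter: permit RDP from the remote LAN to the local LAN, implicit deny after it.
# The ACL name RDP-ONLY is an assumption. It would be attached to the L2L tunnel's group
# policy with 'vpn-filter value RDP-ONLY' (configuration lines are not executed here).
VPN_FILTER = """\
access-list RDP-ONLY extended permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3389
"""

ACE_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (tcp|udp|ip) (\S+) (\S+) (\S+) (\S+)(?: eq (\d+))?$"
)


def parse_acl(text):
    """Turn ACE lines into rule dicts with ip_network objects and an optional destination port."""
    rules = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank or unsupported line
        _name, action, proto, src, smask, dst, dmask, port = m.groups()
        rules.append({
            "action": action,
            "proto": proto,
            "src": ipaddress.ip_network(f"{src}/{smask}"),
            "dst": ipaddress.ip_network(f"{dst}/{dmask}"),
            "dport": int(port) if port else None,
        })
    return rules


def _matches(rule, proto, src, dst, dport):
    return (
        rule["proto"] in (proto, "ip")
        and ipaddress.ip_address(src) in rule["src"]
        and ipaddress.ip_address(dst) in rule["dst"]
        and (rule["dport"] is None or rule["dport"] == dport)
    )


def vpn_filter_decision(rules, proto, src, sport, dst, dport, inbound):
    """Decide a new flow against the filter.

    inbound=True  : flow arrives from the remote peer, ACL applied as written.
    inbound=False : flow leaves towards the peer; the ASA swaps src/dst (and ports)
                    before matching. Unmatched flows hit the implicit deny.
    """
    if not inbound:
        src, sport, dst, dport = dst, dport, src, sport
    for rule in rules:
        if _matches(rule, proto, src, dst, dport):
            return rule["action"]
    return "deny"


def evaluate_cases(rules):
    """Constructed test flows; hosts .111 (remote) and .5 (local) are assumptions."""
    return {
        "remote->local:3389": vpn_filter_decision(rules, "tcp", "192.168.0.111", 51000, "172.16.10.5", 3389, True),
        "remote->local:445": vpn_filter_decision(rules, "tcp", "192.168.0.111", 51000, "172.16.10.5", 445, True),
        "local->remote:3389": vpn_filter_decision(rules, "tcp", "172.16.10.5", 51000, "192.168.0.111", 3389, False),
        "local:3389->remote": vpn_filter_decision(rules, "tcp", "172.16.10.5", 3389, "192.168.0.111", 51000, False),
    }


if __name__ == "__main__":
    for flow, verdict in evaluate_cases(parse_acl(VPN_FILTER)).items():
        print(f"{flow:22} {verdict}")
```

The fourth case is the one to be aware of when reviewing such a filter: because the same ACE is read in reverse for outbound flows, a local host that sources a connection from port 3389 is permitted by this filter as well, while an ordinary local-to-remote RDP attempt (case three) is denied.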
11-17-2010 01:25 AM
hi,
i am getting the recv errors again. the other end seems to be having intermediate problem communicating w my local machines.
the ping (from remote end to local) failed. there are packets w invalid identity from show crypto ipsec sa detail.
am i missing something??
# show crypto ipsec sa detail
interface: outside
Crypto map tag: mymap, seq num: 30, local addr:
access-list
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
current_peer:
#pkts encaps: 7101, #pkts encrypt: 7101, #pkts digest: 7101
#pkts decaps: 7542, #pkts decrypt: 6710, #pkts verify: 6710
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7101, #pkts comp failed: 0, #pkts decomp failed: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 832, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.:
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 38C7E0BF
inbound esp sas:
spi: 0x8989134D (2307461965)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24, crypto-map: mymap
sa timing: remaining key lifetime (sec): 20728
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x38C7E0BF (952623295)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 24, crypto-map: mymap
sa timing: remaining key lifetime (sec): 20728
IV size: 8 bytes
replay detection support: Y
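As an added example (not posted in the thread), the script below parses the counter block of this `show crypto ipsec sa detail` output and does the accounting by hand that the poster is trying to do by eye: it subtracts `decrypt` from `decaps`, attributes the difference to the named receive-side drop counters, and diffs two snapshots so that a test ping can be tied to the counter that moved. The sample text is constructed from the counters shown above; the local address 203.0.113.10 is a placeholder for the value blanked out in the post, and the second snapshot (8 more packets, all counted as invalid identity) is invented to show the diff.

```python
"""Account for receive-side drops in an ASA 'show crypto ipsec sa detail' counter block.

Added example, not part of the thread. SAMPLE_OUTPUT is constructed from the counters
posted above; the local address is a placeholder for the blanked-out value.
"""
import re

SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: mymap, seq num: 30, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      #pkts encaps: 7101, #pkts encrypt: 7101, #pkts digest: 7101
      #pkts decaps: 7542, #pkts decrypt: 6710, #pkts verify: 6710
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7101, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 832, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
"""

# Constructed second snapshot, as if taken after a few test pings from the remote side:
# 8 more packets were decapsulated and all 8 landed in 'invalid identity (rcv)'.
SAMPLE_OUTPUT_LATER = SAMPLE_OUTPUT.replace("decaps: 7542", "decaps: 7550").replace(
    "invalid identity (rcv): 832", "invalid identity (rcv): 840"
)

COUNTER_RE = re.compile(r"#pkts ([^:,]+): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")

# Receive-side counters that explain why a decapsulated packet never made it to decrypt/verify.
RCV_DROP_COUNTERS = (
    "invalid sa (rcv)", "decaps failed (rcv)", "invalid prot (rcv)", "verify failed",
    "invalid identity (rcv)", "invalid len (rcv)", "replay failed (rcv)",
    "bad frag offset (rcv)", "internal err (rcv)",
)


def parse_sa(text):
    """Return {'idents': {'local': ..., 'remote': ...}, 'counters': {name: int}} for one SA block."""
    counters = {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}
    idents = {side: value for side, value in IDENT_RE.findall(text)}
    return {"idents": idents, "counters": counters}


def receive_drops(counters):
    """Non-zero receive-side drop counters, name -> count."""
    return {name: counters[name] for name in RCV_DROP_COUNTERS if counters.get(name, 0)}


def unaccounted_decaps(counters):
    """Decapsulated packets neither decrypted nor attributed to a named drop counter.

    Zero means every receive error is explained by the counters the ASA reports."""
    gap = counters["decaps"] - counters["decrypt"]
    return gap - sum(receive_drops(counters).values())


def counter_delta(before, after):
    """Counters that moved between two snapshots, e.g. taken around a test ping."""
    return {name: after[name] - before[name] for name in after if after[name] != before.get(name, 0)}


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_OUTPUT)
    print("idents:", sa["idents"])
    print("receive drops:", receive_drops(sa["counters"]))
    print("unaccounted decaps:", unaccounted_decaps(sa["counters"]))
    later = parse_sa(SAMPLE_OUTPUT_LATER)
    print("moved during test:", counter_delta(sa["counters"], later["counters"]))
```

On the posted numbers the gap between `decaps` (7542) and `decrypt` (6710) is exactly the 832 packets in `invalid identity (rcv)`, so nothing is unexplained: the receive errors in this output are packets that were decapsulated but then rejected for not matching the SA's local/remote idents, rather than ESP that failed integrity checks (`verify failed` is 0). Snapshotting the counters before and after a ping to the failing host, and diffing them as the last function does, tells you which counter a given test hits without waiting for the tunnel to renegotiate.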
11-17-2010 01:32 AM
Hi Cash,
Please go through my earlier message.
Cheers,
Nash.
11-17-2010 01:39 AM
hi,
i am assuming you want me to refer to this line "Receive errors are generally seen if the packet is malformed or if the packet is modified by an device on the transit path resulting in checksums failing and other stuff.".
but how can i resolve this? or troubleshoot?
regards
11-17-2010 01:43 AM
Hi Cash,
There is not much we can do here in regards to this issue.
You can talk to your ISP and see if they are modifying the packets in any way.
Also ask them to check for any problems on the circuit.
Cheers,
Nash.
11-17-2010 01:53 AM
whoa.
this is a bit tricky for me, since both sites are in different countries.