IPsec vpn qns

cashqoo
Level 1

hi,

i have 2 questions on IPsec vpn

i have an ASA running IPsec VPN (L2L) to a remote site with network 192.168.0.0/24

1> i can ping 192.168.0.1 but not 192.168.0.111. i had observed "recv errors" whenever i ping 192.168.0.111.

i had observed received errors in the "show crypto ipsec sa" output; but not since the tunnel reconnected (after timeout) and w/o any changes to the config.

what could be the cause and how can i troubleshoot, just in case the errors return? i can't find much info on the "recv errors".

2> i understand there are 2 ACLs required for a typical IPsec VPN; 1 for no NAT, 1 for crypto map match address

can i implement an ACL to allow only TCP 3389 from the remote network to my local network on the ASA?

thanks

cash


apothula
Level 1

Hi Cash,

Receive errors are generally seen if the packet is malformed or if the packet is modified by a device on the transit path, resulting in checksums failing and other stuff.

So, it is not such a big cause for concern and, as you said, on renegotiation the issue has been resolved.

As far as your question about TCP port 3389 is concerned, do you want to allow only TCP port 3389 across the VPN?

If so, we could use VPN filters. It is a better idea and implementation as opposed to using 3389 in the crypto ACL.

The guide for setting up VPN filters on Cisco ASA is provided in the link below,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Cheers,

Nash.
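As an added illustration of the vpn-filter approach recommended above (not configuration from this thread or from the linked Cisco guide), here is an ASA configuration that permits only RDP from the remote network to the local network across the L2L tunnel. The ACL and group-policy names and the <PEER_IP> placeholder are assumptions; the networks are the ones appearing in this thread (172.16.10.0/24 local, 192.168.0.0/24 remote).

```text
! Added example, not from this thread: restrict decrypted L2L traffic with a vpn-filter.
! Assumed names: L2L_CRYPTO, VPN_FILTER_RDP, L2L_POLICY; <PEER_IP> is a placeholder.
! Local network 172.16.10.0/24, remote network 192.168.0.0/24 (as in the thread).
!
! The crypto ACL stays broad: it only selects which traffic is encrypted,
! it is not the place to enforce a port restriction.
access-list L2L_CRYPTO extended permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! By default "sysopt connection permit-vpn" lets decrypted VPN traffic bypass
! the interface ACL, so the interface ACL alone does not restrict the tunnel.
!
! vpn-filter ACLs are written from the remote side's point of view:
! source = remote network, destination = local network. The ASA evaluates
! the same ACL for both directions (source/destination reversed for outbound),
! so this single line permits RDP sessions initiated from the remote site,
! their return traffic, and nothing else (implicit deny at the end).
access-list VPN_FILTER_RDP extended permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3389
!
! Optional: keep ping working for troubleshooting the tunnel; without this
! line the filter also drops the ICMP tests discussed in this thread.
! access-list VPN_FILTER_RDP extended permit icmp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0
!
group-policy L2L_POLICY internal
group-policy L2L_POLICY attributes
 vpn-filter value VPN_FILTER_RDP
!
! For an L2L tunnel the tunnel-group name is the peer's IP address.
tunnel-group <PEER_IP> general-attributes
 default-group-policy L2L_POLICY
!
! Verification:
!   show vpn-sessiondb detail l2l      (filter name shown on the session)
!   show access-list VPN_FILTER_RDP    (hit counts per line)
```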

hi,

i am getting the recv errors again. the other end seems to be having an intermediate problem communicating with my local machines.

the ping (from remote end to local) failed. there are packets w invalid identity from show crypto ipsec sa detail.

am i missing something??

# show crypto ipsec sa detail
interface: outside
    Crypto map tag: mymap, seq num: 30, local addr:

      access-list permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer:

      #pkts encaps: 7101, #pkts encrypt: 7101, #pkts digest: 7101
      #pkts decaps: 7542, #pkts decrypt: 6710, #pkts verify: 6710
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7101, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 832, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: , remote crypto endpt.:

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 38C7E0BF

    inbound esp sas:
      spi: 0x8989134D (2307461965)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 24, crypto-map: mymap
         sa timing: remaining key lifetime (sec): 20728
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x38C7E0BF (952623295)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 24, crypto-map: mymap
         sa timing: remaining key lifetime (sec): 20728
         IV size: 8 bytes
         replay detection support: Y

Hi Cash,

Please go through my earlier message.

Cheers,

Nash.

hi,

i am assuming you want me to refer to this line: "Receive errors are generally seen if the packet is malformed or if the packet is modified by a device on the transit path resulting in checksums failing and other stuff."

but how can i resolve this? or troubleshoot?

regards

Accepted Solution

Hi Cash,

There is not much we can do here in regards to this issue.

You can talk to your ISP and see if they are modifying the packets in any way.

Also ask them to check for any problems on the circuit.

Cheers,

Nash.

whoa.

this is a bit tricky for me, since both sites are in different countries.
