10-27-2022 09:52 AM
Hi,
We have a site to site vpn tunnel, it stops working after a day or so.
We set up
local is: 10.200.0.0/24
remote: 10.184.1.128/26
I don't know why the firewall created an SA with 10.184.1.128/255.255.255.224. See below. I checked, and we did not set up 10.184.1.128/255.255.255.224 anywhere.
ftd-1# show crypto ipsec sa peer 20.x.x.93 | i ident|encap|decap
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.192/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 766843, #pkts decrypt: 766843, #pkts verify: 766843
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 739076, #pkts encrypt: 739076, #pkts digest: 739076
#pkts decaps: 1071625, #pkts decrypt: 1071625, #pkts verify: 1071625
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 343708, #pkts encrypt: 343708, #pkts digest: 343708
#pkts decaps: 1011469, #pkts decrypt: 1011469, #pkts verify: 1011469
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 766345, #pkts encrypt: 766345, #pkts digest: 766345
#pkts decaps: 967327, #pkts decrypt: 967327, #pkts verify: 967327
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 2956450, #pkts encrypt: 2956450, #pkts digest: 2956450
#pkts decaps: 994641, #pkts decrypt: 994641, #pkts verify: 994641
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
ftd-1#
Could you advise where I should check next?
Thanks
Loc
10-27-2022 11:19 AM
What is on the other side? I would suggest checking both sides' config again and making sure the information matches on both sides.
On FTD, is this a route-based config?
10-27-2022 01:30 PM
Can I see the config?
10-28-2022 06:12 AM
You need to review the configuration on both ends to find any misconfiguration. After reviewing, if you do not see any problem, please use additional commands for deeper visibility.
Use the command show asp drop to verify if there are drops happening.
Use as well:
show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active
debug crypto isakmp
debug crypto ipsec
You can add "filters" on the commands above in order to see output related to your specific tunnel.
Take a look at the difference between decap / encap packets:
#pkts encaps: 2956450, #pkts encrypt: 2956450, #pkts digest: 2956450
#pkts decaps: 994641, #pkts decrypt: 994641, #pkts verify: 994641
Also, make sure the provider side is not blocking ESP packets...
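The two things the thread points at, the unexpected /27 remote ident in the first post and the encap/decap imbalance the last reply highlights, can both be pulled out of `show crypto ipsec sa` mechanically. The following Python is an added example, not code from any poster or from Cisco: it parses a constructed sample modelled on the output above, compares each SA's proxy IDs against the intended selectors (10.200.0.0/24 and 10.184.1.128/26 from the first post), and flags SAs that were negotiated with a narrower remote subnet or that only pass traffic in one direction. The finding labels (REMOTE_NARROWED, ONE_WAY, and so on) are this example's own naming.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on the `show crypto ipsec sa` excerpt in the thread.
# Only the lines the checker needs are kept; real output has more per SA.
SAMPLE_OUTPUT = """\
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.192/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 766843, #pkts decrypt: 766843, #pkts verify: 766843
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 739076, #pkts encrypt: 739076, #pkts digest: 739076
#pkts decaps: 1071625, #pkts decrypt: 1071625, #pkts verify: 1071625
"""


@dataclass
class IpsecSa:
    local: ipaddress.IPv4Network   # local proxy ID (traffic selector)
    remote: ipaddress.IPv4Network  # remote proxy ID
    encaps: int                    # packets encrypted and sent on this SA
    decaps: int                    # packets received and decrypted on this SA


IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps: (\d+)")


def parse_ipsec_sas(text):
    """Turn the ident/encaps/decaps lines of `show crypto ipsec sa` into IpsecSa records."""
    sas = []
    cur = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                cur = {}  # a new SA entry begins with its local ident
            # the CLI prints dotted masks; ipaddress accepts "addr/mask" directly
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        m = ENCAPS_RE.match(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.match(line)
        if m:
            cur["decaps"] = int(m.group(1))
            # decaps is the last counter line we track, so the record is complete here
            sas.append(IpsecSa(cur["local"], cur["remote"], cur["encaps"], cur["decaps"]))
    return sas


def audit_sas(sas, expected_local, expected_remote):
    """Return a list of finding strings; an empty list means every SA looks as intended."""
    exp_l = ipaddress.ip_network(expected_local)
    exp_r = ipaddress.ip_network(expected_remote)
    findings = []
    for i, sa in enumerate(sas):
        tag = f"SA{i} {sa.local} <-> {sa.remote}"
        if sa.local != exp_l:
            findings.append(f"{tag}: LOCAL_MISMATCH expected {exp_l}")
        if sa.remote != exp_r:
            # A selector that sits inside the intended one usually means the peer's
            # crypto ACL / traffic selector is narrower than ours; check the peer config.
            kind = "REMOTE_NARROWED" if sa.remote.subnet_of(exp_r) else "REMOTE_MISMATCH"
            findings.append(f"{tag}: {kind} expected {exp_r}")
        if sa.encaps == 0 and sa.decaps > 0:
            findings.append(f"{tag}: ONE_WAY decrypting only (nothing sent on this SA)")
        elif sa.decaps == 0 and sa.encaps > 0:
            findings.append(f"{tag}: ONE_WAY encrypting only (nothing received; check ESP path)")
    return findings


if __name__ == "__main__":
    for finding in audit_sas(parse_ipsec_sas(SAMPLE_OUTPUT), "10.200.0.0/24", "10.184.1.128/26"):
        print(finding)
```

Run against a live capture, the REMOTE_NARROWED line tells you which SA was built with a selector you never configured, which is the cue to compare the peer's crypto ACL or traffic selectors against your own before reaching for the debugs listed above; ONE_WAY points at an SA where only one direction is carrying packets, which is the encap/decap imbalance the last reply asks you to look at.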