Issue with a site to site vpn tunnel

loc.nguyen
Beginner

Hi,

We have a site to site vpn tunnel, it stops working after a day or so.

We set up

 local is: 10.200.0.0/24

remote: 10.184.1.128/26

I don't know why the firewall created an SA with 10.184.1.128/255.255.255.224. See below. I checked, and we did not set up 10.184.1.128/255.255.255.224 anywhere.

ftd-1# show crypto ipsec sa peer 20.x.x.93 | i ident|encap|decap
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.192/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 766843, #pkts decrypt: 766843, #pkts verify: 766843
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 739076, #pkts encrypt: 739076, #pkts digest: 739076
#pkts decaps: 1071625, #pkts decrypt: 1071625, #pkts verify: 1071625
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 343708, #pkts encrypt: 343708, #pkts digest: 343708
#pkts decaps: 1011469, #pkts decrypt: 1011469, #pkts verify: 1011469
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 766345, #pkts encrypt: 766345, #pkts digest: 766345
#pkts decaps: 967327, #pkts decrypt: 967327, #pkts verify: 967327
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 2956450, #pkts encrypt: 2956450, #pkts digest: 2956450
#pkts decaps: 994641, #pkts decrypt: 994641, #pkts verify: 994641
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
ftd-1#

Could you advise where should I check next?

Thanks

Loc

3 Replies

balaji.bandi
VIP Community Legend

What is on the other side? I would suggest checking the config on both sides again and making sure the information matches on both sides.

On the FTD, is this a route-based config?

BB


MHM Cisco World
VIP Mentor

Can I see the config?

BmfL
Beginner

You need to review the configuration on both ends to find some misconfiguration. After reviewing, if you did not see any problem, please use additional commands for deeper visibility.

Use the command show asp drop to verify if there are drops happening.

Use as well:

show crypto isakmp sa
show crypto ipsec sa

show crypto engine connection active

debug crypto isakmp
debug crypto ipsec

You can add "filters" on the commands above in order to see output related to your specific tunnel.

Take a look into the difference on decap / encap packets:

#pkts encaps: 2956450, #pkts encrypt: 2956450, #pkts digest: 2956450
#pkts decaps: 994641, #pkts decrypt: 994641, #pkts verify: 994641

Also, make sure there are not ESP blocking packets at provider side...
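The two checks this reply and the original question point at (the proxy ID on each SA matching the configured crypto ACL, and the encap/decap counters moving in both directions) can be automated over the `show crypto ipsec sa` output. The following is an added example, not code from the thread or from Cisco; the sample output is constructed to mirror the format pasted in the question, and the expected subnets are the ones the question states (10.200.0.0/24 local, 10.184.1.128/26 remote). Network objects are compared as networks, so a /27 proxy ID is reported as a mismatch against the configured /26.

```python
"""Parse `show crypto ipsec sa | i ident|encap|decap` output and flag
proxy-ID (traffic selector) mismatches and one-way traffic.

Added example for this thread; the sample output is constructed, with the
same line format as the ASA/FTD output shown in the question."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: one SA with the expected /26 remote ident but no
# encaps, and one SA negotiated with an unexpected /27 remote ident.
SAMPLE_OUTPUT = """\
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.192/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 766843, #pkts decrypt: 766843, #pkts verify: 766843
local ident (addr/mask/prot/port): (10.200.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.184.1.128/255.255.255.224/0/0)
#pkts encaps: 739076, #pkts encrypt: 739076, #pkts digest: 739076
#pkts decaps: 1071625, #pkts decrypt: 1071625, #pkts verify: 1071625
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?:\s*\((\S+?)/(\S+?)/(\d+)/(\d+)\)")
ENCAP_RE = re.compile(r"^#pkts encaps:\s*(\d+)")
DECAP_RE = re.compile(r"^#pkts decaps:\s*(\d+)")


@dataclass
class SaEntry:
    """One IPsec SA as printed by the firewall: its proxy IDs and counters."""
    local: Optional[ipaddress.IPv4Network] = None
    remote: Optional[ipaddress.IPv4Network] = None
    encaps: int = 0
    decaps: int = 0


def parse_sa_output(text: str) -> List[SaEntry]:
    """Group the filtered show output into SA entries.

    Each 'local ident' line starts a new entry; the following remote ident
    and counter lines are attached to it."""
    entries: List[SaEntry] = []
    cur: Optional[SaEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask, _proto, _port = m.groups()
            # Dotted-mask form is accepted by ip_network; strict=False tolerates
            # a host bit set in the address, which the firewall never prints.
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if side == "local":
                cur = SaEntry(local=net)
                entries.append(cur)
            elif cur is not None:
                cur.remote = net
            continue
        if cur is None:
            continue
        m = ENCAP_RE.match(line)
        if m:
            cur.encaps = int(m.group(1))
            continue
        m = DECAP_RE.match(line)
        if m:
            cur.decaps = int(m.group(1))
    return entries


def audit(entries: List[SaEntry], expected_local: str,
          expected_remote: str) -> List[Tuple[int, str]]:
    """Return (entry index, finding) pairs.

    'proxy-id-mismatch': the SA's selectors differ from the configured ones
    (the /27 vs /26 case in the question). 'one-way-*': packets flow in only
    one direction, which points at routing or a provider dropping ESP."""
    exp_l = ipaddress.ip_network(expected_local)
    exp_r = ipaddress.ip_network(expected_remote)
    findings: List[Tuple[int, str]] = []
    for i, e in enumerate(entries):
        if e.local != exp_l or e.remote != exp_r:
            findings.append((i, "proxy-id-mismatch"))
        if e.encaps == 0 and e.decaps > 0:
            findings.append((i, "one-way-inbound-only"))
        elif e.decaps == 0 and e.encaps > 0:
            findings.append((i, "one-way-outbound-only"))
    return findings


if __name__ == "__main__":
    sas = parse_sa_output(SAMPLE_OUTPUT)
    for idx, code in audit(sas, "10.200.0.0/24", "10.184.1.128/26"):
        e = sas[idx]
        print(f"SA {idx}: {e.local} <-> {e.remote} "
              f"encaps={e.encaps} decaps={e.decaps}: {code}")
```

Run it against the real output by replacing `SAMPLE_OUTPUT` with the pasted text; a `proxy-id-mismatch` on the SAs the peer initiated, as in the question, means the remote side's crypto ACL (or its route-based traffic selector) is narrower than the /26 configured locally, so the two configurations do not match and the SA built from the peer's proposal will not carry the whole /26.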
