
Issue with L2L VPN between ASA 5506 and ASA 5525X

ttcroziercisco
Level 1

Hi All,

We are in the initial phase of deploying Cisco ASA 5506s to our remote offices for redundant connectivity to our centralized data center. I am experiencing an issue I have never seen before, and I have been working with VPNs for a long time.


The 5525 is running 8.6 and the 5506 is running 9.3.2. In a test environment, when I initiate traffic from the 5506 side, the VPN gets established and there are valid SAs created. However, traffic is never returned, and Cisco and I are having a hard time finding the issue, leading me to think there is a bug.

Here is what I see:

From the 5506 side, I see the Encaps increase but have 0 decaps. On the 5525 side, I see the encaps and decaps increase. Usually, one side's encaps always equates to the other side's decaps. On the 5525 end, I do see this error in the logs:

ASA-7-710006: ESP request discarded from 5506_public_ip to the 5525_public_ip. Now this would explain why the 5506 has 0 decaps, but after working with Cisco for the past couple of days, we haven't been able to identify the cause. He did verify that the configuration is correct, and a VPN from a location using a 5505 does not have the same issue.


Any help would be appreciated!

3 Replies

Hello,


Even though you get ESP packets on the 5506, you still have 0 decaps? Please get the:


#show mem

#show cpu usa

#show block


of both ASAs

01-22-fw-idc# show memory
Free memory:        3257102384 bytes (76%)
Used memory:        1037864912 bytes (24%)
-------------     ------------------
Total memory:       4294967296 bytes (100%)


01-22-fw-idc# show cpu usage
CPU utilization for 5 seconds = 4%; 1 minute: 4%; 5 minutes: 4%


01-22-fw-idc# show blocks
  SIZE    MAX    LOW    CNT
     0   1450   1368   1450
     4    400    399    399
    80   2044   1916   2043
   256   3100   3028   3095
  1550  12624  12494  12620
  2048   1848   1848   1848
  2560   2964   2963   2964
  4096    100    100    100
  8192    100    100    100
  9344    100    100    100
 16384    157    157    157
 65536     16     16     16


Also, when the tunnel is up and I initiate traffic from the 5525 side, I always see the "ESP request discarded" message.


I think the 5525 needs a reboot, as I removed the global policy-map, disabled and re-enabled all crypto settings, and also set up a second VPN from the 5506 to another 5525 in our colo. That had no issue, and the 5525s have the same code and config.
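As an added example (not code from the thread or from Cisco), here is a small Python parser for the "show blocks" output posted above. It reads the SIZE/MAX/LOW/CNT table and flags any pool whose LOW watermark shows the ASA ran short of buffers since the last reboot or "clear blocks", which is the kind of depletion that can silently drop packets; the 10% threshold is an assumption, and the sample table is copied from the reply above.

```python
import re

# "show blocks" output as posted in the thread (the 5525 side).
SHOW_BLOCKS = """\
01-22-fw-idc# show blocks
  SIZE    MAX    LOW    CNT
     0   1450   1368   1450
     4    400    399    399
    80   2044   1916   2043
   256   3100   3028   3095
  1550  12624  12494  12620
  2048   1848   1848   1848
  2560   2964   2963   2964
  4096    100    100    100
  8192    100    100    100
  9344    100    100    100
 16384    157    157    157
 65536     16     16     16
"""

# One table row: four integer columns (SIZE MAX LOW CNT).
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_blocks(text):
    """Return {size: (max, low, cnt)} parsed from ASA 'show blocks' output."""
    pools = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            size, mx, low, cnt = (int(x) for x in m.groups())
            pools[size] = (mx, low, cnt)
    return pools


def depleted_pools(pools, low_fraction=0.10):
    """Pools whose LOW watermark hit 0 or fell below low_fraction of MAX.

    LOW is the fewest free blocks seen since the last reboot / clear blocks,
    so a LOW of 0 on a packet-carrying pool (e.g. 1550 or 2048 bytes) means
    the box was out of buffers at some point, even if CNT looks healthy now.
    The 10% fraction is an assumed triage threshold, not a Cisco value.
    """
    flagged = {}
    for size, (mx, low, cnt) in pools.items():
        if mx and (low == 0 or low < mx * low_fraction):
            flagged[size] = (mx, low, cnt)
    return flagged
```

For the table in this thread, depleted_pools() returns nothing, which is consistent with the reply's finding that memory and blocks on the 5525 look healthy.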