L2L VPN Issue **No Tx and No Rx**

Hi Buddies,

I have a problem with two ASAs, a 5540 and a 5510, running versions 8.4.3 and 8.2.5 respectively. Topology: LAN--ASA------*WAN*-------ASA-----LAN

On the 5540 side I don't have Tx

# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 189.213.94.5

Index        : 107                    IP Addr      : 189.213.94.5

Protocol     : IKEv1 IPsec

Encryption   : 3DES 3DES 3DES         Hashing      : SHA1 SHA1 SHA1

Bytes Tx     : 0                      Bytes Rx     : 19104

Login Time   : 09:30:57 CST Fri Feb 8 2013

Duration     : 0h:14m:12s

IKEv1 Tunnels: 1

IPsec Tunnels: 2

IKEv1:

  Tunnel ID    : 107.1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys

  Encryption   : 3DES                   Hashing      : SHA1

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85549 Seconds

  D/H Group    : 2

  Filter Name  : OUTSIDE_cryptomap_1

  IPv6 Filter  :

IPsec:

  Tunnel ID    : 107.2

  Local Addr   : 10.10.0.0/255.255.255.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1

  Encapsulation: Tunnel                 PFS Group    : 2

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27949 Seconds

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607991 K-Bytes

  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes

  Bytes Tx     : 0                      Bytes Rx     : 10200

  Pkts Tx      : 0                      Pkts Rx      : 170

IPsec:

  Tunnel ID    : 107.3

  Local Addr   : 10.5.0.0/255.255.0.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1

  Encapsulation: Tunnel                 PFS Group    : 2

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27952 Seconds

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607992 K-Bytes

  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes

  Bytes Tx     : 0                      Bytes Rx     : 8904

  Pkts Tx      : 0                      Pkts Rx      : 84

NAC:

  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds

  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 852 Seconds

  Hold Left (T): 0 Seconds              Posture Token:

  Redirect URL :

And on the 5510 side I don't have Rx

# sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 201.140.121.82

Index        : 695                    IP Addr      : 201.140.121.82

Protocol     : IKE IPsec

Encryption   : 3DES                   Hashing      : SHA1

Bytes Tx     : 22480                  Bytes Rx     : 0

Login Time   : 17:33:15 CST Fri Feb 8 2013

Duration     : 0h:16m:32s

IKE Tunnels: 1

IPsec Tunnels: 2

IKE:

  Tunnel ID    : 695.1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys

  Encryption   : 3DES                   Hashing      : SHA1

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85407 Seconds

  D/H Group    : 2

  Filter Name  :

IPsec:

  Tunnel ID    : 695.2

  Local Addr   : 192.168.2.0/255.255.255.0/0/0

  Remote Addr  : 10.10.0.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27808 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes             

  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes             

  Bytes Tx     : 11880                  Bytes Rx     : 0                     

  Pkts Tx      : 198                    Pkts Rx      : 0                     

IPsec:

  Tunnel ID    : 695.3

  Local Addr   : 192.168.2.0/255.255.255.0/0/0

  Remote Addr  : 10.5.0.0/255.255.0.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 27811 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 0 K-Bytes             

  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes             

  Bytes Tx     : 10600                  Bytes Rx     : 0                     

  Pkts Tx      : 100                    Pkts Rx      : 0                     

NAC:

  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds

  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 994 Seconds

  Hold Left (T): 0 Seconds              Posture Token:

  Redirect URL :

Hope you guys could help me to figure out the issue properly.

thanks!

Accepted Solutions

Looks like your issue is that you have the route to 192.168.2.X pointing INSIDE on your 5540, when it should be pointing to your OUTSIDE interface, or just letting the default route take care of it.

Remove the static for 192.168.2.0 on the 5540:

no route INSIDE 192.168.2.0 255.255.255.0 10.10.0.1 1

Then see if two-way communication is happening. Try: packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1

again. If all checks out, see if you have two-way communication through the VPN.



12 Replies

Andrew Phirsov

Does anything from networks 10.10.0.0/24 or 10.5.0.0/16 send traffic to 192.168.2.0/24?

Is everything correct with routing between protected subnets?

Thanks for your response Andrew,

Those networks are only receiving traffic, not sending. I'm gonna post the config of both devices.

Do you have any clue??

On the ASA-5510, you have: route inside 192.168.2.0 255.255.255.0 192.168.2.1 1

You don't need this because it's a locally connected subnet.

Are there routes on the LAN side of the ASA-5540 for 192.168.2.0/24 via 10.0.0.3?

HTH

Paul




Hi Paul,

No, on the LAN side there is a static route to a Catalyst 4500 and it forwards all the traffic to another ASA.

Could the ESP protocol be denied or not supported by the ISP? But first I would need to validate that everything is configured correctly on both ASAs.

Hello Magdiel,

Your config looks correct, your tunnel establishes, and you have 1 way communication from the 5510 to the 5540.

This would lead me to believe that once traffic from 192.168.2.0/24 got to the 5540 and was sent to the destination network (for example, in your first post 192.168.2.0 was talking to 10.10.0.0 and 10.5.0.0), whatever routing you have behind the 5540 wasn't sending traffic destined for 192.168.2.0 back to the 5540.

Could you verify your routing from one of the 10.x.x.x servers behind the 5540 by doing a tracert to the 192.168.2.0 network?

-Gabriel

Hi Gabriel,

I have a 3750x and WS4500, both with static routes to the 192.168.2.0 and 11.0 to the 5540 inside interface directly connected (10.10.0.3), also to the Outside Public IP Address of the 5510. Still the same.

When I perform a packet trace from the 5540 it shows me this:

# packet-tracer input oUTSIDE icmp 10.10.0.1 1 1 192.168.2.1 d$

Phase: 1

Type: CAPTURE

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77e67da8, priority=13, domain=capture, deny=false

        hits=1068170, user_data=0x795be578, cs_id=0x0, l3_type=0x0

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0000.0000.0000

        input_ifc=OUTSIDE, output_ifc=any

Phase: 2

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77f2ace0, priority=1, domain=permit, deny=false

        hits=1119798, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=OUTSIDE, output_ifc=any

Phase: 3

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.2.0     255.255.255.0   INSIDE

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group ACL-IN global

access-list ACL-IN extended permit ip any any

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77ff59f8, priority=12, domain=permit, deny=false

        hits=4116, user_data=0x73b535c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=any, output_ifc=any

Phase: 5

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77f2e9e8, priority=0, domain=inspect-ip-options, deny=true

        hits=92718, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=OUTSIDE, output_ifc=any

Phase: 6

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x78a1c260, priority=70, domain=inspect-icmp, deny=false

        hits=3428, user_data=0x78a1b790, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=OUTSIDE, output_ifc=any

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x77f2e5c0, priority=66, domain=inspect-icmp-error, deny=false

        hits=3166, user_data=0x77f2dbd8, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0

        input_ifc=OUTSIDE, output_ifc=any

Phase: 8

Type: VPN    

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7867f630, priority=13, domain=ipsec-tunnel-flow, deny=true

        hits=22450, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=OUTSIDE, output_ifc=any

Phase: 9

Type: NAT

Subtype: rpf-check

Result: DROP

Config:

object network LAN-OUT

nat (INSIDE,OUTSIDE) dynamic interface

Additional Information:

Forward Flow based lookup yields rule:

out id=0x77fe64b8, priority=6, domain=nat-reverse, deny=false

        hits=58, user_data=0x77fdf688, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

        input_ifc=OUTSIDE, output_ifc=INSIDE

Result:

input-interface: OUTSIDE

input-status: up

input-line-status: up

output-interface: INSIDE

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Run the packet trace again only like this:

packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1

Post your results.

-Gabriel

There is an implicit rule blocking it!

# packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   192.168.2.0     255.255.255.0   INSIDE

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: INSIDE

input-status: up

input-line-status: up

output-interface: INSIDE

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

____________________________________________________________

# sh run access-list

access-list VPN-INSIDE extended permit ip any any

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.1.1.0 255.255.255.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.9.4.40 255.255.255.252

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.12.0.0 255.255.255.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.90.1.0 255.255.255.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.200.0.0 255.255.255.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 192.168.42.0 255.255.255.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 192.168.250.0 255.255.255.128

access-list VPN-PRUEBA_splitTunnelAcl standard permit 192.168.250.128 255.255.255.128

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.6.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.5.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.10.0.0 255.255.255.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.9.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.16.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.100.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.15.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.7.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit 10.90.0.0 255.255.0.0

access-list VPN-PRUEBA_splitTunnelAcl standard permit host 140.X.X.X

access-list VPN-PRUEBA_splitTunnelAcl standard permit host 141.X.X.X

access-list VPN-PRUEBA_splitTunnelAcl standard permit 172.31.0.0 255.255.0.0

access-list INSIDE-OUT extended permit icmp any any echo-reply

access-list INSIDE-OUT extended permit icmp any any time-exceeded

access-list INSIDE-OUT extended permit icmp any any unreachable

access-list ACL-IN extended permit ip any any

access-list INSIDE extended permit ip any any log

access-list OUTSIDE extended permit ip any any

access-list VPN-EQDZ_splitTunnelAcl standard permit host 10.1.1.100

access-list OUTSIDE_access_in extended permit ip any host 201.X.X.X

access-list OUTSIDE_access_in extended permit ip any host 201.X.X.X

access-list INSIDE_access_in extended permit ip object KIKELAP any

access-list INSIDE_access_in extended permit ip object CUCM_SFYA any

access-list INSIDE_access_in extended permit ip object EX60CETIC any

access-list INSIDE_access_in extended permit ip object COBAED-SERVER any

access-list outside_in extended permit tcp any host 209.X.X.X

access-list OUTSIDE_cryptomap_1 extended permit ip object-group REDES-MONITOREO object-group Monitor-XPG-MTY

access-list 150 extended permit ip host 201.X.X.X host 189.X.X.X log

Hmm, interesting.

You could try adding the following for a test: access-group INSIDE in interface INSIDE

But I am a little doubtful because the following shows the input as: INSIDE and output as INSIDE.

Do me a favor and post your "show route" on here.

---------------------------------------------------------------------------

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: INSIDE

input-status: up

input-line-status: up

output-interface: INSIDE

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

---------------------------------------------------------------------------

# sh route | inc 192.168.2.0

S    192.168.240.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE

S    192.168.240.100 255.255.255.255 [1/0] via 201.x.x.x, OUTSIDE

S    192.168.240.102 255.255.255.255 [1/0] via 201.x.x.x, OUTSIDE

D    192.168.250.0 255.255.255.0 [90/3584] via 10.10.0.1, 272:56:17, INSIDE

D    192.168.220.0 255.255.255.0

S    192.168.2.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE

# sh route | inc 192.168.11.0

S    192.168.11.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE

# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route

Gateway of last resort is 201.x.x.x to network 0.0.0.0

D EX 201.X.X.X 255.255.255.252

           [170/2817280] via 10.10.0.1, 3:07:47, INSIDE

S    192.168.240.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE

S    192.168.240.100 255.255.255.255 [1/0] via 201.140.121.81, OUTSIDE

S    192.168.240.101 255.255.255.255 [1/0] via 201.140.121.81, OUTSIDE

S    192.168.240.102 255.255.255.255 [1/0] via 201.140.121.81, OUTSIDE

D    192.168.42.0 255.255.255.0 [90/3328] via 10.10.0.1, 285:46:56, INSIDE

D EX 201.112.186.224 255.255.255.252

           [170/2817280] via 10.10.0.1, 24:05:54, INSIDE

S    140.85.59.45 255.255.255.255 [1/0] via 10.10.0.1, INSIDE

S    141.146.240.213 255.255.255.255 [1/0] via 10.10.0.1, INSIDE

D EX 141.146.242.6 255.255.255.255 [170/3584] via 10.10.0.1, 260:00:38, INSIDE

D    192.168.111.0 255.255.255.0 [90/3584] via 10.10.0.1, 285:46:56, INSIDE

D EX 201.112.187.32 255.255.255.252

           [170/2817280] via 10.10.0.1, 3:28:22, INSIDE

D    192.168.246.0 255.255.255.0 [90/3584] via 10.10.0.1, 273:10:39, INSIDE

D EX 189.255.128.132 255.255.255.252

           [170/2817280] via 10.10.0.1, 24:05:54, INSIDE

D EX 189.254.27.32 255.255.255.240

           [170/2817280] via 10.10.0.1, 24:05:54, INSIDE

D EX 189.254.233.96 255.255.255.240

           [170/2817280] via 10.10.0.1, 24:05:54, INSIDE

D EX 172.16.239.19 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:54, INSIDE

D EX 172.16.239.18 255.255.255.255

           [170/2817280] via 10.10.0.1, 5:27:33, INSIDE

D EX 172.16.239.17 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.16 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.23 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.22 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.21 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.20 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.27 255.255.255.255

           [170/2817280] via 10.10.0.1, 3:28:00, INSIDE

D EX 172.16.239.26 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.25 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.31 255.255.255.255

           [170/2817280] via 10.10.0.1, 24:05:55, INSIDE

D EX 172.16.239.30 255.255.255.255

           [170/2817280] via 10.10.0.1, 3:58:04, INSIDE

....

And the list continues far away..

Looks like your issue is that you have the route to 192.168.2.X pointing INSIDE on your 5540, when it should be pointing to your OUTSIDE interface, or just letting the default route take care of it.

Remove the static for 192.168.2.0 on the 5540:

no route INSIDE 192.168.2.0 255.255.255.0 10.10.0.1 1

Then see if two-way communication is happening. Try: packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1

again. If all checks out, see if you have two-way communication through the VPN.
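
Added example, not part of the original thread and not Cisco tooling: a Python sketch of the check this answer makes by eye, pairing each one-way IPsec SA from `show vpn-sessiondb detail l2l` with the longest-prefix route for its remote network. The sample text is constructed from the outputs quoted above; the `S*` default-route line (203.0.113.1) and the choice of OUTSIDE as the crypto interface are assumptions.

```python
import ipaddress
import re

# Constructed sample input, trimmed from the outputs quoted in this thread.
SESSIONDB = """\
IPsec:
  Tunnel ID    : 107.2
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Pkts Tx      : 0                      Pkts Rx      : 170
IPsec:
  Tunnel ID    : 107.3
  Remote Addr  : 192.168.2.0/255.255.255.0/0/0
  Pkts Tx      : 0                      Pkts Rx      : 84
"""

# The S* default-route line is an assumption (203.0.113.1 is a documentation address).
ROUTES = """\
S    192.168.240.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
S    192.168.2.0 255.255.255.0 [1/0] via 10.10.0.1, INSIDE
S*   0.0.0.0 0.0.0.0 [1/0] via 203.0.113.1, OUTSIDE
"""

IP = r"\d+(?:\.\d+){3}"
ROUTE_RE = re.compile(
    rf"^[A-Z*]+(?: [A-Z0-9]+)?\s+({IP}) ({IP}) \[\d+/\d+\] via \S+,.* (\S+)$")


def field(block, name):
    """Return the first value printed after 'name :' in a sessiondb block."""
    m = re.search(rf"{re.escape(name)}\s*:\s*(\S+)", block)
    return m.group(1) if m else None


def parse_tunnels(text):
    """One dict per 'IPsec:' block: tunnel id, remote network, packet counters."""
    tunnels = []
    for block in re.split(r"^IPsec:\s*$", text, flags=re.M)[1:]:
        addr, mask = field(block, "Remote Addr").split("/")[:2]
        tunnels.append({
            "id": field(block, "Tunnel ID"),
            "remote": ipaddress.ip_network(f"{addr}/{mask}"),
            "pkts_tx": int(field(block, "Pkts Tx")),
            "pkts_rx": int(field(block, "Pkts Rx")),
        })
    return tunnels


def parse_routes(text):
    """(network, egress interface) for each single-line 'via' route."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), m[3]))
    return routes


def audit(sessiondb, routes_text, crypto_ifc="OUTSIDE"):
    """Report, per SA, whether it is one-way and which route carries its return traffic."""
    routes = parse_routes(routes_text)
    findings = []
    for t in parse_tunnels(sessiondb):
        covering = [r for r in routes if t["remote"].subnet_of(r[0])]
        best = max(covering, key=lambda r: r[0].prefixlen, default=None)
        egress = best[1] if best else None
        findings.append({
            "tunnel": t["id"],
            "one_way": t["pkts_tx"] == 0 and t["pkts_rx"] > 0,
            "route": str(best[0]) if best else None,
            "egress": egress,
            "misrouted": egress != crypto_ifc,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SESSIONDB, ROUTES):
        print(f)
```

With the static route for 192.168.2.0 removed from the route text, the same audit resolves the remote network through the default route on OUTSIDE and `misrouted` becomes false.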


Thanks for your advice Gabriel,

After I deleted some inside routes and made 2 access-lists like this:

access-list 150 extended permit ip host 189.x.x.x host 201.x.x.x log

and vice versa, and also cleared the crypto ipsec and isakmp SAs ... everything started to have bidirectional traffic.

Keep in touch!

# sh vpn-sessiondb de l2l

Session Type: LAN-to-LAN Detailed

Connection   : 189.x.x.x

Index        : 283                    IP Addr      : 189.x.x.x

Protocol     : IKEv1 IPsec

Encryption   : 3DES 3DES 3DES 3DES 3DES 3DES 3DES

Hashing      : SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1

Bytes Tx     : 3382956                Bytes Rx     : 611086

Login Time   : 13:39:36 CST Thu Feb 14 2013

Duration     : 0h:09m:43s

IKEv1 Tunnels: 1

IPsec Tunnels: 6

IKEv1:

  Tunnel ID    : 283.1

  UDP Src Port : 500                    UDP Dst Port : 500

  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys

  Encryption   : 3DES                   Hashing      : SHA1

  Rekey Int (T): 86400 Seconds          Rekey Left(T): 85817 Seconds

  D/H Group    : 2

  Filter Name  :

  IPv6 Filter  :

IPsec:

  Tunnel ID    : 283.2

  Local Addr   : 10.6.0.0/255.255.0.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28217 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607975 K-Bytes       

  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes            

  Bytes Tx     : 16067                  Bytes Rx     : 25882                 

  Pkts Tx      : 152                    Pkts Rx      : 479                   

IPsec:

  Tunnel ID    : 283.3

  Local Addr   : 10.90.0.0/255.255.0.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28218 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4604723 K-Bytes       

  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes            

  Bytes Tx     : 3355837                Bytes Rx     : 449631                

  Pkts Tx      : 2768                   Pkts Rx      : 1954                  

IPsec:

  Tunnel ID    : 283.4

  Local Addr   : 10.5.0.0/255.255.0.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28223 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607997 K-Bytes       

  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes            

  Bytes Tx     : 109                    Bytes Rx     : 3074                  

  Pkts Tx      : 1                      Pkts Rx      : 29                    

IPsec:

  Tunnel ID    : 283.5

  Local Addr   : 10.9.0.0/255.255.0.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28253 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4608000 K-Bytes       

  Idle Time Out: 30 Minutes             Idle TO Left : 21 Minutes            

  Bytes Tx     : 320                    Bytes Rx     : 0                     

  Pkts Tx      : 4                      Pkts Rx      : 0                     

IPsec:

  Tunnel ID    : 283.6

  Local Addr   : 10.10.0.0/255.255.255.0/0/0

  Remote Addr  : 192.168.11.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28266 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607879 K-Bytes       

  Idle Time Out: 30 Minutes             Idle TO Left : 27 Minutes            

  Bytes Tx     : 20291                  Bytes Rx     : 124484                

  Pkts Tx      : 171                    Pkts Rx      : 225                   

IPsec:

  Tunnel ID    : 283.7

  Local Addr   : 10.10.0.0/255.255.255.0/0/0

  Remote Addr  : 192.168.2.0/255.255.255.0/0/0

  Encryption   : 3DES                   Hashing      : SHA1                  

  Encapsulation: Tunnel                 PFS Group    : 2                     

  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28401 Seconds         

  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607984 K-Bytes       

  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes            

  Bytes Tx     : 17295                  Bytes Rx     : 10805                 

  Pkts Tx      : 122                    Pkts Rx      : 135                   

NAC:

  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds

  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 584 Seconds

  Hold Left (T): 0 Seconds              Posture Token:

  Redirect URL :

___________________________________________________________

# packet-tracer input INSIDE icmp 10.10.0.1 1 1 192.168.2.1

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in   0.0.0.0         0.0.0.0         OUTSIDE

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE in interface INSIDE

access-list INSIDE extended permit ip any any log

Additional Information:

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4     

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:      

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (INSIDE,OUTSIDE) source static REDES-MONITOREO REDES-MONITOREO destination static Monitor-XPG-MTY Monitor-XPG-MTY no-proxy-arp route-lookup

Additional Information:

Static translate 10.10.0.1/0 to 10.10.0.1/0

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 12147, packet dispatched to next module

Result:

input-interface: INSIDE

input-status: up

input-line-status: up

output-interface: OUTSIDE

output-status: up

output-line-status: up

Action: allow