No decaps - ASA site to site VPN

Locayta123
Level 1

Hi Guys.

 

I have two ASA 5510's that have been running a site to site for some time. Yesterday around 11:00am this suddenly stopped working. The tunnel is up and operational but I'm unable to ping any devices on either end.

 

1: Phase 1 IKE negotiation is up on both ASAs and completing – Tunnel Established

2: Phase 2 seems to be running into some problems. When looking into each appliance we see that both ends are encrypting packets but not decrypting.

  • I have checked both sides' ACLs are matched (these haven't been changed)
  • NAT rules on both ends are correct and again haven't been changed
  • Slough end points have the correct static routes to route traffic back across the VPN (again, these haven't changed)

 

From digging around online it could be that our ISP is blocking / filtering IP ESP 50, which seems to be a common occurrence. This is critical for traffic pass-through for IPsec. I've performed an nmap on those ports which suggests they're open, but I've asked our DC to check that there isn't any filtering going on.

 

 NMAP:

 

nmap -sO -v -P0 -p 50-51 x.x.x.x ( Remote appliance at DC )

 

Starting Nmap 5.51 ( http://nmap.org ) at 2014-11-19 09:27 GMT

Initiating Parallel DNS resolution of 1 host. at 09:27

Completed Parallel DNS resolution of 1 host. at 09:27, 0.00s elapsed

Initiating IPProto Scan at 09:27

Scanning x.x.x.x [2 ports]

Completed IPProto Scan at 09:27, 3.02s elapsed (2 total ports)

Nmap scan report for x.x.x.x

Host is up.

PROTOCOL STATE         SERVICE

50       open|filtered esp

51       open|filtered ah

 

Read data files from: /usr/share/nmap

Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds

           Raw packets sent: 4 (80B) | Rcvd: 0 (0B)

 

 

Show ipsec sa peer – run on Office Appliance

 

Crypto map tag: External_map, seq num: 2, local addr: x.x.x.x

 

      access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.193.0.0 255.255.254.0

      local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (Management/255.255.254.0/0/0)

      current_peer: x.x.x.x

 

      #pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 422, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

 

Show ipsec sa peer  – Run on Remote DC Appliance

 

Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x

 

      access-list outside_1_cryptomap permit ip VMNetwork 255.255.0.0 InternalServersVlan102-network 255.255.255.0

      local ident (addr/mask/prot/port): (VMNetwork/255.255.0.0/0/0)

      remote ident (addr/mask/prot/port): (InternalServersVlan102-network/255.255.255.0/0/0)

      current_peer: x.x.x.x

 

      #pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 101, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

 

Should I be talking to my ISP about blocking / filtering ESP 50? It seems really odd that this all of a sudden stopped working and we have made no changes to any of our configs on either end. Also, I have reloaded both appliances and tried many reconnects of the tunnel.

7 Replies

Marcin Latosiewicz
Cisco Employee

Confirm with packet capture that

1) you're indeed sending out those packets to the ISP

2) you are not receiving those from the ISP on your external interfaces

 

As a side note: Phase 2 negotiation NEEDS to be completed to send encrypted traffic. If phase 2 did not complete you'd be seeing send errors on egress in the IPsec SA counters.
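The counters posted above and Marcin's note about send errors together give a small decision table, which the following added example (not from the thread or from Cisco) encodes: it parses the relevant lines of `show crypto ipsec sa` from each peer and returns a verdict. The sample output, the address values and the verdict names are constructed for the example.

```python
import re

# Constructed sample output, modelled on the counters posted in the thread
# (office ASA: 422 encaps, 0 decaps; DC ASA: 101 encaps, 0 decaps). Not real
# device output; the addresses are documentation ranges.
OFFICE_SA = """\
Crypto map tag: External_map, seq num: 2, local addr: 192.0.2.10
      #pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""
DC_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.20
      #pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

WANTED = ("pkts encaps", "pkts decaps", "send errors", "recv errors")
COUNTER_RE = re.compile(r"#(" + "|".join(WANTED) + r"):\s*(\d+)")


def parse_counters(sa_output):
    """Extract the counters needed for a one-way-traffic diagnosis."""
    found = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(sa_output)}
    missing = [k for k in WANTED if k not in found]
    if missing:
        raise ValueError("counters not found in output: %s" % missing)
    return found


def diagnose(local, remote):
    """Return a short verdict code from both peers' counters.

    Interpretation (assumed, following the reply above): 'send errors' grows
    when the ASA has no usable phase 2 SA to encrypt into, so a clean zero
    there means phase 2 completed and the loss is somewhere on the path.
    """
    if local["send errors"] or remote["send errors"]:
        return "phase2-not-usable"
    l_tx, l_rx = local["pkts encaps"], local["pkts decaps"]
    r_tx, r_rx = remote["pkts encaps"], remote["pkts decaps"]
    if l_tx and r_tx and not l_rx and not r_rx:
        # Both ends encrypt, neither receives: ESP is being dropped in transit.
        return "esp-lost-both-ways"
    if l_tx and not r_rx:
        return "esp-lost-local-to-remote"
    if r_tx and not l_rx:
        return "esp-lost-remote-to-local"
    return "bidirectional"
```

Feed it the real output from each ASA in place of the constructed strings; a verdict of "esp-lost-both-ways" with zero send errors is the pattern in this thread, which points at the path rather than at the SA negotiation.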

Thanks Marcin.

 

What's the best way to set up the packet capture on my ASA to verify this?

 

Cheers.

Follow this: 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html#cliconfig

 

Just set up an ACL matching protocol 50 and the IP addresses of the two ASAs.

   current_peer: 2x5.2x7.x3.4 <--- you wrote that not me :]

 

Thanks Marcin, I'll do that now.

 

Is it possible that although nmap is showing protocol 50 being open that my ISP could be 'filtering' this somehow?

Marcin, I'm running ASDM v5.x.... Is there a packet capture in this version that I can use, as it's not in the wizard drop-down?
 

Still no luck with this, although when looking at the debugging logs it appears to show connections from my office LAN IPs to the remote LAN IPs.

 

Office 172.16.0.0 - Remote 10.192.0.0

 

What I can see filling the logs is the following:

 

UDP request discarded from OfficeIP/39548 to outside:RemoteIP/33479

 

game123
Level 1

Best guide:

 

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
