09-23-2017 09:53 AM - edited 03-12-2019 04:33 AM
I have an IPsec tunnel between site A (4331 router) and site B (C800 router), and a Win10 machine is connected to the LAN side behind each router. A ping from site A to the machine behind router B brings the tunnel up, and debug for ISAKMP and IPsec shows that both phase 1 and phase 2 completed. The IPsec #pkts encaps: and #pkts decaps: counters increase on the site A router, but only #pkts decaps: increases on the site B router. No end-to-end connectivity. What is wrong? Please help, and thanks in advance.
/SF
09-23-2017 12:14 PM
09-23-2017 12:40 PM
Hi
No, there is no filter, but here is the C800 config:
crypto keyring ATEA-AU
pre-shared-key address 185.x.x.x key ******
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile ATEA-AU
keyring ATEA-AU
match identity address 185.x.x.x 255.255.255.255
no keepalive
!
!
crypto ipsec transform-set ATEA-AU esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ATEA-AU
set transform-set ATEA-AU
set isakmp-profile ATEA-AU
!
!
!
crypto map S2S 5 ipsec-isakmp
set peer 185.x.x.x
set transform-set ATEA-AU
set isakmp-profile ATEA-AU
match address ATEA-TO-AU-FOR-SCCM
!
!
!
!
!
!
interface Loopback0
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 2
no ip address
spanning-tree portfast
!
!
!
interface GigabitEthernet8
ip address 37.x.x.x 255.255.255.224
duplex auto
speed auto
crypto map S2S
!
interface GigabitEthernet9
no ip address
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.68.2.1 255.255.255.0
!
ip default-gateway 37.x.x.x
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 37.x.x.x
ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
ip ssh version 2
!
ip access-list extended ATEA-TO-AU-FOR-SCCM
permit ip 10.68.2.0 0.0.0.255 10.245.0.0 0.0.255.255
!
09-23-2017 04:21 PM
SF
It appears that you are experiencing one-way traffic. I have seen several things that might cause this symptom. One potential cause is an issue with NAT. I do not see any NAT in the partial config that you posted. Is it that there is no NAT, or is there NAT but you excluded it from the posted config?
I wonder about this static route
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
It seems to be redundant with the configured static default route. Is there a reason why this static route is in the config? A static route specifying only the outbound interface can be problematic when that outbound interface is Ethernet. Could you remove this static route and let us know if the behavior changes?
HTH
Rick
09-23-2017 11:37 PM
Hi
There is no NAT. I assumed that when there is no NAT at all, then I do not need NAT0 either. Is that correct? Can you please show how to configure NAT0 for my config if it is required? I have no experience with IPsec and routers.
09-24-2017 01:06 AM
09-24-2017 02:34 AM
09-25-2017 10:56 AM
nat0 was used in pretty old versions of ASA but is not used in IOS routers. You are correct, especially with IOS routers, that if there is no NAT activity desired then you do not need to configure anything about NAT. So that aspect of your config appears to be correct.
Can you do a show on the IPsec sa on the 800 router? Also can you go to one of the hosts connected to the 800 router and do a traceroute to a host in the LAN of the other peer?
HTH
Rick
09-25-2017 11:42 AM
The traceroute from the host behind the C800 shows that packets go to its gateway, which is the C800 router LAN interface, and sh crypto ipsec sa on the C800 shows that no encap or decap pkts are increasing at all and no ISAKMP SA is coming up.
09-25-2017 01:34 PM
I have seen situations where issues with NAT would produce the symptom of one-way traffic. But we seem to have established that NAT is not an issue in this case.
I have seen situations where routing issues would produce the symptom of one-way traffic. But we seem to have established that routing is working as expected.
I have seen situations where a mismatch in negotiating the security association would produce the symptom of one-way traffic. That is why I asked for the output of show crypto ipsec sa. I still hope that if you post that output it might give us some insight into the issue.
Perhaps posting a new copy of the current config from the 800 router might give us something helpful.
HTH
Rick
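To make the request above concrete, here is an added example (not from this thread and not a Cisco tool) that parses `show crypto ipsec sa` output and classifies each crypto-map entry from its encaps/decaps counters and outbound SPI. Both sample outputs are constructed: the first mirrors the symptom the original post describes on the C800 (counter values and SPI assumed), the second mirrors the all-zero output posted later in the thread. The regexes, field names and verdict labels are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample for the symptom the first post reports on the C800
# (decaps climbing, encaps stuck at 0); counter values and SPI are assumed,
# not taken from the thread.
C800_REPORTED = """\
interface: GigabitEthernet8
    Crypto map tag: S2S, local addr 37.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
   current_peer 185.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120
    #send errors 0, #recv errors 0
     current outbound spi: 0x5E2A1B3C(1579817788)
"""

# Constructed sample modelled on the "sh cryp ipsec sa" output posted later
# in the thread (redacted addresses kept as posted): two crypto-map entries,
# no SA negotiated for either (outbound SPI 0x0, all counters 0).
C800_LATER = """\
interface: GigabitEthernet8
    Crypto map tag: S2S, local addr 3.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.88.0.0/255.255.0.0/0/0)
   current_peer 185.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
   current_peer 185.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
"""

@dataclass
class SaEntry:
    local: str         # local proxy identity, e.g. 10.68.2.0/255.255.255.0
    remote: str        # remote proxy identity
    peer: str          # IKE peer address
    encaps: int        # packets this router encrypted and sent
    decaps: int        # packets this router received and decrypted
    outbound_spi: int  # 0 means no outbound IPsec SA exists for this entry

_FIELDS = {
    "local": re.compile(r"local\s+ident[^:]*:\s*\(([^/]+/[^/]+)/"),
    "remote": re.compile(r"remote\s+ident[^:]*:\s*\(([^/]+/[^/]+)/"),
    "peer": re.compile(r"current_peer\s+(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "spi": re.compile(r"current outbound spi:\s*0x([0-9A-Fa-f]+)"),
}

def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one SaEntry per crypto-map entry."""
    entries = []
    for block in re.split(r"protected vrf:", text)[1:]:
        got = {k: rx.search(block) for k, rx in _FIELDS.items()}
        if not all(got.values()):
            continue  # truncated block: skip rather than guess
        entries.append(SaEntry(
            local=got["local"].group(1), remote=got["remote"].group(1),
            peer=got["peer"].group(1),
            encaps=int(got["encaps"].group(1)), decaps=int(got["decaps"].group(1)),
            outbound_spi=int(got["spi"].group(1), 16)))
    return entries

def diagnose(e):
    """Classify one entry from its counters; the verdict says where to look next."""
    if e.outbound_spi == 0:
        return "no-sa"             # phase 2 never completed for this proxy pair
    if e.encaps == 0 and e.decaps > 0:
        return "one-way-inbound"   # peer traffic arrives; our replies never reach the crypto map
    if e.encaps > 0 and e.decaps == 0:
        return "one-way-outbound"  # we send; nothing comes back (look at the far side)
    if e.encaps == 0 and e.decaps == 0:
        return "idle"
    return "bidirectional"

def summarize(text):
    return [(e.local, e.remote, diagnose(e)) for e in parse_ipsec_sa(text)]

if __name__ == "__main__":
    for name, out in (("C800 as first reported", C800_REPORTED), ("C800 later", C800_LATER)):
        print(name)
        for local, remote, verdict in summarize(out):
            print(f"  {local} -> {remote}: {verdict}")
```

A "one-way-inbound" verdict on a router whose ESP counters only decapsulate is the routing or crypto-ACL side of that router, since decrypted packets are delivered but the replies never get matched for encryption; "no-sa" means the proxy pair never negotiated at all, which is what the C800 showed once it stopped initiating.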
09-26-2017 03:38 AM
Hi
Here is the config and output of show crypto ipsec sa in C800:
Atea_AU_DPatTDSE#sh cryp isak sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
Atea_AU_DPatTDSE#sh cryp ipsec sa
interface: GigabitEthernet8
Crypto map tag: S2S, local addr 3.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.88.0.0/255.255.0.0/0/0)
current_peer 185.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 3.x.x.x, remote crypto endpt.: 185.x.x.x
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet8
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.68.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.245.0.0/255.255.0.0/0/0)
current_peer 185.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
-------------------
!
enable secret 5 $1$OkJr$lHuFcDj5VXSdZZeK7ca2v/
!
no aaa new-model
!
ip domain name TD-DP.com
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C892FSP-K9 sn FCZ194091T8
!
!
username admin secret 5 $1$7eXh$kGzS7Lwd4pQrHafookLM50
!
!
crypto keyring ATEA-AU
pre-shared-key address 185.x.x.x key ********
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp profile ATEA-AU
keyring ATEA-AU
match identity address 185.x.x.x 255.255.255.255
no keepalive
!
!
crypto ipsec transform-set ATEA-AU esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ATEA-AU
set transform-set ATEA-AU
set isakmp-profile ATEA-AU
!
!
!
crypto map S2S 5 ipsec-isakmp
set peer 185.x.x.x
set transform-set ATEA-AU
set isakmp-profile ATEA-AU
match address ATEA-TO-AU-FOR-SCCM
!
!
interface Loopback0
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 2
no ip address
spanning-tree portfast
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 3.x.x.x 255.255.255.224
duplex auto
speed auto
crypto map S2S
!
interface GigabitEthernet9
no ip address
duplex auto
speed auto
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.68.2.1 255.255.255.0
!
ip default-gateway 37.x.x.x
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 3.x.x.x
ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
ip ssh version 2
!
ip access-list extended ATEA-TO-AU-FOR-SCCM
deny ip 10.68.2.0 0.0.0.255 host 10.68.2.1
permit ip 10.68.2.0 0.0.0.255 10.88.0.0 0.0.255.255
permit ip 10.68.2.0 0.0.0.255 10.245.0.0 0.0.255.255
!
control-plane
!
!
mgcp profile default
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
line vty 5 189
login local
transport input ssh
09-26-2017 09:50 AM
09-26-2017 12:11 PM
Hi Meheretab
Thanks a lot, that was it. After I removed those ip routes I got end-to-end connectivity.
09-26-2017 12:16 PM
09-27-2017 07:21 AM
Thanks for letting us know that your issue is now solved. I had commented that one thing that could cause the symptom of one-way connectivity was an issue with routing. It is interesting to have confirmation that this issue was indeed caused by a routing issue. And it confirms the point that sometimes a static route which uses only the outbound interface (when that interface is Ethernet) can be problematic.
HTH
Rick
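The point about interface-only static routes, raised earlier in the thread and confirmed by the fix above, can be turned into a check. The following is an added example, not code from this thread or from Cisco: it reads an IOS config, flags `ip route` lines that name only an Ethernet-type interface with no next-hop address, marks those whose destination also appears in a crypto map's ACL, and prints the `no ip route` lines that the thread used as the fix. The config excerpt is constructed from what was posted above (redactions kept), and the interface-type list and helper names are the example's own assumptions.

```python
import re

# Constructed excerpt of the C800 config posted in this thread (redactions kept
# as posted); only the parts the check reads are included.
C800_CONFIG = """\
crypto map S2S 5 ipsec-isakmp
 set peer 185.x.x.x
 set transform-set ATEA-AU
 match address ATEA-TO-AU-FOR-SCCM
!
interface GigabitEthernet8
 ip address 3.x.x.x 255.255.255.224
 crypto map S2S
!
ip route 0.0.0.0 0.0.0.0 3.x.x.x
ip route 10.88.0.0 255.255.0.0 GigabitEthernet8
ip route 10.245.0.0 255.255.0.0 GigabitEthernet8
!
ip access-list extended ATEA-TO-AU-FOR-SCCM
 deny   ip 10.68.2.0 0.0.0.255 host 10.68.2.1
 permit ip 10.68.2.0 0.0.0.255 10.88.0.0 0.0.255.255
 permit ip 10.68.2.0 0.0.0.255 10.245.0.0 0.0.255.255
"""

# Broadcast multi-access interface types (assumed list): a route that names only
# one of these makes the router ARP for each destination host instead of a gateway.
ETHERNET_PREFIXES = ("Ethernet", "FastEthernet", "GigabitEthernet",
                     "TenGigabitEthernet", "Vlan", "Port-channel")

IP_ROUTE = re.compile(r"^\s*ip route\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?")
ACL_HDR = re.compile(r"^\s*ip access-list extended\s+(\S+)")
ACL_PERMIT = re.compile(r"^\s*permit\s+ip\s+\S+\s+\S+\s+(\S+)\s+(\S+)")
MATCH_ADDR = re.compile(r"^\s*match address\s+(\S+)", re.M)

def _is_address(tok):
    # Dotted-quad next hop; redacted octets such as 37.x.x.x still count.
    return re.match(r"\d+\.", tok) is not None

def wildcard_to_mask(wc):
    return ".".join(str(255 - int(o)) for o in wc.split("."))

def crypto_acl_destinations(config):
    """Set of (network, mask) that a crypto map's ACL says must be encrypted.
    'permit ip any any' style entries carry no destination and are ignored."""
    crypto_acls = set(MATCH_ADDR.findall(config))
    dests, current = set(), None
    for line in config.splitlines():
        hdr = ACL_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            continue
        if line and not line[0].isspace():
            current = None  # left the ACL block
            continue
        if current not in crypto_acls:
            continue
        p = ACL_PERMIT.match(line)
        if p:
            dst, wc = p.groups()
            dests.add((wc, "255.255.255.255") if dst == "host" else (dst, wildcard_to_mask(wc)))
    return dests

def find_interface_only_routes(config):
    """Flag 'ip route <net> <mask> <EthernetIf>' lines that carry no next-hop address."""
    dests = crypto_acl_destinations(config)
    findings = []
    for line in config.splitlines():
        m = IP_ROUTE.match(line)
        if not m:
            continue
        prefix, mask, gw, extra = m.groups()
        if _is_address(gw) or (extra and _is_address(extra)):
            continue  # a real next hop is given: ARP resolves the gateway, not each destination
        if gw.startswith(ETHERNET_PREFIXES):
            findings.append({"route": line.strip(), "prefix": prefix, "mask": mask,
                             "interface": gw, "in_crypto_acl": (prefix, mask) in dests})
    return findings

def remediation(findings):
    """The fix used in this thread: remove the routes and let the default route,
    which has a real next hop, carry the traffic out the crypto-map interface."""
    return ["no " + f["route"] for f in findings]

if __name__ == "__main__":
    found = find_interface_only_routes(C800_CONFIG)
    for f in found:
        tag = " (destination is in the crypto ACL)" if f["in_crypto_acl"] else ""
        print(f"interface-only Ethernet route: {f['route']}{tag}")
    print("\n".join(remediation(found)))
```

Routes that name the interface and a next-hop address, or a non-broadcast interface such as Null0, are left alone; the check is deliberately narrow so that it only reports the pattern the thread found harmful.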