12-02-2009 08:38 PM
I have an IOS router (12.4) that I am adding a VPN tunnel to. There are other active tunnels on this router (both ezvpn, site-to-site and GRE). Everything appears to be working on both sides regarding phase 1/phase 2 negotiation, but packets that are being sent from the PIX to the IOS router, while being encrypted and encapsulated, do not appear to be decrypted on the IOS end.
I have spent many, many hours on trying to diagnose this and I am struggling - would appreciate any help.
Show crypto isakmp sa on the IOS shows (IPs changed for security):
1.1.1.1 2.2.2.2 QM_IDLE 4 0 ACTIVE
Show crypto ipsec sa on the IOS shows (IPs changed for security):
local ident (addr/mask/prot/port): (10.13.39.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 408, #pkts encrypt: 408, #pkts digest: 408
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 108, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xBC3A7FC9(3157950409)
inbound esp sas:
spi: 0x2DF17FA(48175098)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3003, flow_id: FPGA:3, crypto map: CustVPN
sa timing: remaining key lifetime (k/sec): (4553489/2310)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBC3A7FC9(3157950409)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3004, flow_id: FPGA:4, crypto map: CustVPN
sa timing: remaining key lifetime (k/sec): (4553463/2310)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
I am focusing in on the decapsulation/decryption and on why it is not happening. Everything appears to be working on the PIX end.
show crypto isakmp sa on the PIX shows (IPs changed for security):
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
show crypto ipsec sa on the PIX shows (IPs changed for security):
Crypto map tag: outside_map, seq num: 120, local addr: 2.2.2.2
access-list outside_cryptomap_120 permit ip 172.16.50.0 255.255.255.0 10.13.39.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.13.39.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 1030, #pkts encrypt: 1030, #pkts digest: 1030
#pkts decaps: 322, #pkts decrypt: 322, #pkts verify: 322
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1030, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 02DF17FA
inbound esp sas:
spi: 0xBC3A7FC9 (3157950409)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 36, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274981/1824)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x02DF17FA (48175098)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 36, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274939/1824)
IV size: 8 bytes
replay detection support: Y
Everything seems ok to me but the IOS is not decrypting. The other tunnels on the system are working fine. Debugs do not show any errors.
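An added diagnostic example, not from this thread or from Cisco: a small Python script that parses constructed excerpts of the two outputs quoted above, checks that each side's inbound SPI matches the other side's outbound SPI, and flags the one-way counter pattern (PIX encaps > 0, IOS decaps = 0) described in the post. The excerpt strings, function names and messages are my own.

```python
import re

# Constructed excerpts of the two "show crypto ipsec sa" outputs quoted above
# (the 1.1.1.1 / 2.2.2.2 placeholders are the poster's).
IOS_SA = """\
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
#pkts encaps: 408, #pkts encrypt: 408, #pkts digest: 408
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0x2DF17FA(48175098)
outbound esp sas:
spi: 0xBC3A7FC9(3157950409)
"""
PIX_SA = """\
#pkts encaps: 1030, #pkts encrypt: 1030, #pkts digest: 1030
#pkts decaps: 322, #pkts decrypt: 322, #pkts verify: 322
inbound esp sas:
spi: 0xBC3A7FC9 (3157950409)
outbound esp sas:
spi: 0x02DF17FA (48175098)
"""

def parse_sa(text):
    """Extract encaps/decaps counters and the inbound/outbound ESP SPIs."""
    enc = int(re.search(r"#pkts encaps:\s*(\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps:\s*(\d+)", text).group(1))
    spis, section = {}, None
    for line in text.splitlines():
        if "inbound esp sas" in line:
            section = "in"
        elif "outbound esp sas" in line:
            section = "out"
        m = re.match(r"\s*spi:\s*0x([0-9A-Fa-f]+)", line)
        if m and section:
            # parse as an integer so 0x2DF17FA and 0x02DF17FA compare equal
            spis[section] = int(m.group(1), 16)
    return {"encaps": enc, "decaps": dec,
            "spi_in": spis.get("in"), "spi_out": spis.get("out")}

def diagnose(a, b):
    """Return findings for two peers' parsed SA state (a and b)."""
    findings = []
    if a["spi_in"] != b["spi_out"] or a["spi_out"] != b["spi_in"]:
        findings.append("SPI mismatch: peers do not agree on the SA pair")
    if b["encaps"] > 0 and a["decaps"] == 0:
        findings.append("one-way: peer B encapsulates but peer A never decapsulates")
    if a["encaps"] > 0 and b["decaps"] == 0:
        findings.append("one-way: peer A encapsulates but peer B never decapsulates")
    return findings

if __name__ == "__main__":
    for f in diagnose(parse_sa(IOS_SA), parse_sa(PIX_SA)):
        print(f)
```

Because the SPIs agree on both sides, the counters point at the path from the PIX to the IOS inbound SA rather than at SA negotiation.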
12-04-2009 07:52 AM
Ended up putting an encrypted GRE tunnel in place with an IOS <--> IOS VPN. Ended up with the same problem. Was something on the ASA end that was dropping packets sent to the IOS.
01-12-2010 09:30 PM
What version of IOS is on the VPN router? I had a very similar issue.
I have 2 VPN routers with slightly different revs of the IOS. One will terminate a tunnel to 7.2 and pass traffic without any issue; the other will terminate the tunnel but refuse to pass traffic.
Configurations are identical, minus the IP addresses of course.