#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

Omar Badawi · ‎01-18-2011

hello,

the tunnel between Riyadh and Geneve was up and working, then the servers in Riyadh couldn't reach the servers in Geneve, and i have noticed that on Riyadh router, the #pckts encaps is 0, so it's not encrypting? anyway, the access list is hitting, i don't know where the problem is, i don't know if there is a problem with the VPN the first place.

please check the attached files.

Jennifer Halim · ‎01-18-2011

OK, so at Riyadh, it's decrypting it, but there is no encrypt, and at Geneva, it's encrypting it, but there is no decrypt.

That means traffic is flowing from Geneva towards Riyadh, however, Riyadh does not reply.

Is 10.10.5.0/24 subnet supposed to be routed out via GigabitEthernet0/1 (your LAN interface) where the crypto map is actually applied?

If it is, does the next hop (212.102.11.202) router have route towards Geneva LAN (10.10.11.0/24) to be routed back towards your Riyadh route where you terminate the VPN (212.102.11.201)?

Federico Coto Fajardo · ‎01-18-2011

Hi Omar,

The problem most likely is on the riyadh side (since it's not encrypting).

I notice the crypto map applied to the LAN interface (not the WAN interface). Why is that?

Federico.

Omar Badawi · ‎01-18-2011

thank you guys for replying.

the VPN tunnel is terminated on the LAN interface, which is the inside of the network, it has a public IP address and it's connected to Cisco ASA with a public IP address of 212.102.11.202

10.10.5.0/24 is the subnet inisde of the ASA.

same setup is in Geneva.

howver, my problem was that the configuration of WAN interface on Riyadh router is provided by the ISP with an IP address of 172.x.x.x (connected to the IPVPN cloud) and i had to use the public IP address on the inside LAN interface so i terminated the tunnel there.

the thing is that it was working fine before.

Jennifer Halim · ‎01-18-2011

Pls share your Riyadh ASA configuration, there might be some configuration that is missing.