10-23-2017 06:52 AM - edited 03-12-2019 04:39 AM
Hi All,
I recently experienced an issue with a site-to-site VPN. The issue has now been resolved, but I noticed a behaviour during the troubleshooting that I thought was strange, which I felt may have reduced the troubleshooting time if it were otherwise, and I wanted to at least try and get some clarification. Here it goes:
I set up an S2S VPN from a different vendor device (call this Site 1) to a Cisco ASA at a remote site (say Site 2). Phase 1 was complete and fine. Phase 2 was also mostly fine. The only issue was I noticed 'encaps' counters going up at both ends, but no 'decaps'. Now, looking at the logs on the ASA, I could see traffic from Site 1 coming in to the ASA at Site 2, with a lot of the traffic being SYN timeouts. With SYN timeouts, I thought the traffic was getting to Site 2 and the return traffic was probably going out a different way (which ended up being the case - and was then resolved).
Now, my confusion is, if the ASA at Site 2 was receiving this traffic and correctly identifying SYNs and SYN timeouts, should that not mean it had successfully decrypted the traffic to identify the nature of the traffic (in this case, SYNs and SYN timeouts)? Why then would the decaps remain 0?
Any thoughts please?
10-23-2017 07:15 AM
Hello @martino-cisco
Most of the time I have found this problem, it was due to incorrectly configured NAT statements and ACL mismatches.
-If I helped you somehow, please, rate it as useful.-
10-23-2017 08:43 AM
Thanks Silvio. As mentioned, it was eventually due to a routing issue on a downstream device. I'm really just trying to understand why the ASA was seeing the traffic but was still not incrementing decaps.
10-23-2017 08:26 AM
10-23-2017 08:49 AM
Hmmm...You raise a good point. However, I noted that it was seeing the traffic source as the Outside interface, which is what you would expect over the VPN. On whether it may have been routed out to the internet and back...I don't know for sure, but I would consider it unlikely, as the source of the traffic in the logs was the same private IP I was expecting, and not a public IP. Plus, in that scenario, I would anticipate seeing logs that could indicate something along the lines of asymmetric routing rather than SYN timeouts.
I understand it may be difficult to correctly analyse, especially as the issue is no longer there. I was just wondering if this is expected behaviour. Perhaps decaps counters only increase after a fully established session and traffic flow between both ends?
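The two observations the thread turns on, an IPsec SA whose encaps counter climbs while decaps stays at 0 and a run of SYN-timeout teardowns from the expected remote source, are both things you can pull out of ASA output mechanically rather than by eye. The script below is an added example and is not from the original post or from Cisco; it parses a constructed excerpt in the shape of `show crypto ipsec sa` (the `#pkts encaps:` / `#pkts decaps:` lines) and constructed syslog lines in the shape of ASA message 302014 (TCP connection teardown with its reason), then lists one-way SAs and SYN timeouts per source. The addresses, counter values and connection IDs are made up; the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on `show crypto ipsec sa` output (values are made up).
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.2

      local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.9

      #pkts encaps: 1432, #pkts encrypt: 1432, #pkts digest: 1432
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed syslog lines in the shape of ASA-6-302014 (TCP teardown); IDs and hosts are made up.
SAMPLE_SYSLOG = [
    "%ASA-6-302014: Teardown TCP connection 12345 for outside:10.1.5.20/51234 "
    "to inside:10.2.8.11/443 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 12346 for outside:10.1.5.20/51235 "
    "to inside:10.2.8.11/443 duration 0:00:30 bytes 0 SYN Timeout",
    "%ASA-6-302014: Teardown TCP connection 12350 for inside:10.2.8.11/40000 "
    "to outside:10.1.5.21/22 duration 0:05:10 bytes 8192 TCP FINs",
]

# One SA block: identities, peer, then the encaps/decaps counters in that order.
SA_BLOCK_RE = re.compile(
    r"local ident .*?:\s*\((?P<local>[^)]*)\).*?"
    r"remote ident .*?:\s*\((?P<remote>[^)]*)\).*?"
    r"current_peer:\s*(?P<peer>\S+).*?"
    r"#pkts encaps:\s*(?P<encaps>\d+).*?"
    r"#pkts decaps:\s*(?P<decaps>\d+)",
    re.S,
)

# 302014: "Teardown TCP connection <id> for <if>:<ip>/<port> to <if>:<ip>/<port> duration ... bytes <n> <reason>"
TEARDOWN_RE = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/\d+ to (?P<dst_if>\w+):(?P<dst>[\d.]+)/\d+ "
    r"duration \S+ bytes \d+ (?P<reason>.+)$"
)


def parse_ipsec_sas(text: str) -> List[Dict[str, object]]:
    """Extract per-SA encaps/decaps counters from `show crypto ipsec sa` text."""
    sas = []
    for m in SA_BLOCK_RE.finditer(text):
        sas.append({
            "local": m["local"], "remote": m["remote"], "peer": m["peer"],
            "encaps": int(m["encaps"]), "decaps": int(m["decaps"]),
        })
    return sas


def one_way_sas(sas: List[Dict[str, object]], min_encaps: int = 1) -> List[Dict[str, object]]:
    """SAs that are sending (encaps) but have never received a packet (decaps == 0)."""
    return [sa for sa in sas if sa["encaps"] >= min_encaps and sa["decaps"] == 0]


def syn_timeouts_by_source(lines: List[str]) -> Dict[Tuple[str, str], int]:
    """Count SYN-timeout teardowns keyed by (ingress interface, source IP)."""
    counts: Dict[Tuple[str, str], int] = {}
    for line in lines:
        m = TEARDOWN_RE.search(line)
        if m and m["reason"].strip() == "SYN Timeout":
            key = (m["src_if"], m["src"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def diagnose(sas: List[Dict[str, object]], syslog_lines: List[str]) -> List[str]:
    """Combine both views into plain findings for the engineer to act on."""
    findings = []
    for sa in one_way_sas(sas):
        findings.append(
            f"SA {sa['local']} <-> {sa['remote']} via peer {sa['peer']}: "
            f"{sa['encaps']} encaps, 0 decaps (nothing received from the peer on this SA)"
        )
    for (iface, src), n in sorted(syn_timeouts_by_source(syslog_lines).items()):
        findings.append(
            f"{n} SYN timeout(s) from {src} arriving on {iface}: SYNs reach this ASA "
            f"but no SYN/ACK comes back through it (check the return path)"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sas(SAMPLE_IPSEC_SA), SAMPLE_SYSLOG):
        print(line)
```

Run against live output (for example `show crypto ipsec sa` and a syslog export) the same two checks apply: a one-way SA tells you which tunnel is not receiving, and SYN timeouts grouped by source tell you which hosts are getting their SYN in but no reply out through the ASA, which is the asymmetric-return symptom the thread ended up fixing on a downstream router.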