10-05-2020 02:14 AM
Hello Friends,
I have this weird scenario where I couldn't reach either side (to and from) over the S2S VPN (the VPN is established successfully). When traffic is initiated towards the other side (let's say SiteB), the IPsec SA gets a hit count, but I couldn't get the response back. The issue persists even when SiteB initiates traffic towards SiteA.
Below is the output from SiteA; I don't have access to show you the details of SiteB.
Thanks in advance, I need your expertise here.
Attached is the document for the VPN config at SiteA, and below is the output from the router.
Let me know if you require any other details.
Router2#ping 10.254.168.10 source gi 0/0/0.150
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.254.168.10, timeout is 2 seconds:
Packet sent with a source address of 172.30.3.252
.....
Success rate is 0 percent (0/5)
Router2#
!
!
!
Router2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
5.5.5.5 1.1.1.1 QM_IDLE 1097 ACTIVE
IPv6 Crypto ISAKMP SA
Router2#sh crypto isakmp sa de
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1097 1.1.1.1 5.5.5.5 ACTIVE 3des sha psk 2 06:04:14 D
Engine-id:Conn-id = SW:97
IPv6 Crypto ISAKMP SA
Router2#
Router2#sh crypto ipsec sa peer 5.5.5.5
interface: GigabitEthernet0/0/1
Crypto map tag: CDKVPN, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19906, #pkts decrypt: 19906, #pkts verify: 19906
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xE18075A(236455770)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xDFA0D58E(3751859598)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5549, flow_id: ESG:3549, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1098)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE18075A(236455770)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5550, flow_id: ESG:3550, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1098)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (206.92.10.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xA8583F9D(2824355741)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBF129BAC(3205667756)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5551, flow_id: ESG:3551, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA8583F9D(2824355741)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5552, flow_id: ESG:3552, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/1324)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 5.5.5.5
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0xABD84CCF(2883079375)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x544F2FD5(1414475733)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5547, flow_id: ESG:3547, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/924)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xABD84CCF(2883079375)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 5548, flow_id: ESG:3548, sibling_flags FFFFFFFF80000048, crypto map: CDKVPN
sa timing: remaining key lifetime (k/sec): (4608000/924)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Router2#
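The counters in the output above tell the story on their own: the 172.30.3.0/24 and 206.92.10.32/27 flows have #pkts encaps > 0 with #pkts decaps = 0 (SiteA encrypts, nothing ever comes back into the SA), while the 204.125.74.0/24 flow has decaps = 19906 with encaps = 0 (SiteB sends, SiteA never routes a reply into the SA). The script below is an added example, not code from the original post or from Cisco: it parses the flow blocks of `show crypto ipsec sa`, classifies each proxy identity by its encaps/decaps asymmetry, and finds which flow a given source/destination pair (such as the ping above) would be selected into. The embedded sample is a constructed, trimmed copy of the post's output, and the classification labels are my own heuristic names, not IOS terminology.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample input: a trimmed copy of the shape of the 'show crypto ipsec sa'
# output in the post above (only the lines this parser reads are kept).
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0/1
Crypto map tag: CDKVPN, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (204.125.74.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19906, #pkts decrypt: 19906, #pkts verify: 19906
#send errors 0, #recv errors 0
protected vrf: (none)
local ident (addr/mask/prot/port): (206.92.10.32/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
#pkts encaps: 321, #pkts encrypt: 321, #pkts digest: 321
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
protected vrf: (none)
local ident (addr/mask/prot/port): (172.30.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.254.168.0/255.255.255.0/0/0)
current_peer 5.5.5.5 port 500
#pkts encaps: 105, #pkts encrypt: 105, #pkts digest: 105
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER_RE = re.compile(r"^current_peer (\S+) port (\d+)")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"^#pkts decaps: (\d+)")
ERRORS_RE = re.compile(r"^#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """One record per proxy identity (flow): idents, peer and encaps/decaps counters."""
    flows: List[Dict] = []
    cur: Optional[Dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                # Each 'local ident' line opens a new flow block.
                cur = {"local": m.group(2), "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
                flows.append(cur)
            elif cur is not None:
                cur["remote"] = m.group(2)
            continue
        if cur is None:
            continue
        if (m := PEER_RE.match(line)):
            cur["peer"] = m.group(1)
        elif (m := ENCAPS_RE.match(line)):
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS_RE.match(line)):
            cur["decaps"] = int(m.group(1))
        elif (m := ERRORS_RE.match(line)):
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows


def ident_network(ident: str) -> ipaddress.IPv4Network:
    """'204.125.74.0/255.255.255.0/0/0' -> IPv4Network('204.125.74.0/24')."""
    addr, mask, _proto, _port = ident.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def classify(flow: Dict) -> str:
    """Heuristic (assumed) reading of one flow's counters; labels are this script's own."""
    enc, dec = flow["encaps"], flow["decaps"]
    if enc and dec:
        return "bidirectional"
    if enc and not dec:
        # We encrypt toward the peer but never decrypt a reply: the far side is not
        # returning traffic into this SA (remote routing, ACL or NAT, or a return
        # path selected into a different proxy identity).
        return "outbound-only"
    if dec and not enc:
        # The peer sends into this SA but nothing is routed back through it here:
        # the reply is bypassing the crypto map locally (routing, NAT or ACL).
        return "inbound-only"
    return "idle"


def matching_flow(flows: List[Dict], src: str, dst: str) -> Optional[Dict]:
    """Return the flow whose proxy identities would select a src->dst packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for f in flows:
        if f["remote"] and s in ident_network(f["local"]) and d in ident_network(f["remote"]):
            return f
    return None


def report(text: str) -> List[str]:
    """One summary line per flow, ready to print or assert on."""
    return [f"{f['local']} -> {f['remote']}: encaps={f['encaps']} decaps={f['decaps']} [{classify(f)}]"
            for f in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
    ping = matching_flow(parse_ipsec_sa(SAMPLE_OUTPUT), "172.30.3.252", "10.254.168.10")
    print("flow for the ping in the post:", classify(ping) if ping else "no matching SA")
```

Run against a saved copy of the real output instead of the sample, a flow reported as outbound-only with nonzero counters means the far side is receiving and (if its own decaps counter climbs) decrypting, so the return path on that side is where to look; an inbound-only flow means the reply never reaches the local crypto map, which points at local routing, NAT order of operations, or the crypto ACL for the return direction.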