
Site 2 Site driving me crazy

sahara101
Level 1

Hello,

 

I am trying to make a site2site connection on the same firewall between 2 contexts.

 

One context is not sending, so no tx.....

 

 

IKEv2 SAs:

Session-id:114325, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
1652825137    2xx.2xx.1xx.2x/500   2xx.2xx.2xx.1xx/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1259 sec
Child sa: local selector  10.1.123.0/0 - 10.1.123.255/65535
          remote selector 10.10.20.10/0 - 10.10.20.10/65535
          ESP spi in/out: 0x36d99ac4/0x5c067522
Crypto map tag: outside_map3, seq num: 16, local addr: 2xx.2xx.1xx.2x


      access-list outside_cryptomap_16 extended permit ip 10.1.123.0 255.255.255.0 host 10.10.20.10
      local ident (addr/mask/prot/port): (10.1.123.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.10/255.255.255.255/0/0)
      current_peer: 2xx.2xx.2xx.1xx



      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4191, #pkts decrypt: 4191, #pkts verify: 4191
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: 2xx.2xx.1xx.2x/500, remote crypto endpt.: 2xx.2xx.2xx.1xx/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5C067522
      current inbound spi : 36D99AC4


    inbound esp sas:
      spi: 0x36D99AC4 (920230596)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 2469888, crypto-map: outside_map3
         sa timing: remaining key lifetime (kB/sec): (3916554/28634)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5C067522 (1543927074)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 2469888, crypto-map: outside_map3
         sa timing: remaining key lifetime (kB/sec): (4331520/28634)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
nat (insideServer,outside) source static ServerNetz ServerNetz destination static NOC NOC no-proxy-arp route-lookup

access-list outside_cryptomap_16 extended permit ip object ServerNetz object NOC

crypto map outside_map3 16 match address outside_cryptomap_16
crypto map outside_map3 16 set peer 2xx.2xx.2xx.1xx
crypto map outside_map3 16 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256

tunnel-group 2xx.2xx.2xx.1xx type ipsec-l2l
tunnel-group 2xx.2xx.2xx.1xx general-attributes
 default-group-policy GroupPolicy_2xx.2xx.2xx.1xx
 tunnel-group 2xx.2xx.2xx.1xx ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****


 IKEv2-PROTO-5: (12610): Request has mess_id 248; expected 248 through 248

(12610):
IKEv2-PROTO-2: (12610): Received Packet [From 2xx.2xx.2xx.1xx:500/To 2xx.2xx.1xx.2x:500/VRF i0:f0]
(12610): Initiator SPI : 5F49DF85F1779DEA - Responder SPI : 0BDCE41C4D59BBF5 Message id: 248
(12610): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (12610): Next payload: ENCR, version: 2.0 (12610): Exchange type: INFORMATIONAL, flags: INITIATOR (12610): Message id: 248, length: 76(12610):
Payload contents:
(12610): REAL Decrypted packet:(12610): Data: 0 bytes
(12610):
(12610): Decrypted packet:(12610): Data: 76 bytes
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F8 CurState: READY Event: EV_RECV_INFO_REQ
IKEv2-PROTO-5: (12610): Action: Action_Null
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F8 CurState: INFO_R Event: EV_RECV_INFO_REQ
IKEv2-PROTO-2: (12610): Received DPD/liveness query
IKEv2-PROTO-2: (12610): Building packet for encryption.
IKEv2-PROTO-2: (12610): Sending ACK to informational exchange
(12610):
IKEv2-PROTO-2: (12610): Sending Packet [To 2xx.2xx.2xx.1xx:500/From 2xx.2xx.1xx.2x:500/VRF i0:f0]
(12610): Initiator SPI : 5F49DF85F1779DEA - Responder SPI : 0BDCE41C4D59BBF5 Message id: 248
(12610): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (12610): Next payload: ENCR, version: 2.0 (12610): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (12610): Message id: 248, length: 76(12610):
Payload contents:
(12610):  ENCR(12610):   Next payload: NONE, reserved: 0x0, length: 48
(12610): Encrypted data: 44 bytes
(12610):
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F8 CurState: INFO_R Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F8 CurState: INFO_R Event: EV_START_DEL_NEG_TMR
IKEv2-PROTO-5: (12610): Action: Action_Null
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F8 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (12610): Sent response with message id 248, Requests can be accepted from range 249 to 249
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F8 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (12610): SM Trace-> SA: I_SPI=5F49DF85F1779DEA R_SPI=0BDCE41C4D59BBF5 (R) MsgID = 000000F7 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (12610): Deleting negotiation context for peer message ID: 0xf7

 

 

 

Debug crypto ipsec sa shows nothing at all....

 

Thanks!

4 Replies

@sahara101 as there are decaps, but no encaps - the issue could be related to NAT or routing.

Run packet-tracer twice to simulate traffic over the VPN and provide the output for review.
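
An added example, not part of the reply above and not Cisco tooling: a small Python parser for "show crypto ipsec sa" output that flags the decaps-without-encaps pattern the reply points out. The sample input is constructed from lines in the original post; the function names and the direction labels (rx-only, tx-only) are assumptions of this example.

```python
import re

# Constructed sample: lines trimmed from the "show crypto ipsec sa" output in the post.
SAMPLE = """\
Crypto map tag: outside_map3, seq num: 16, local addr: 2xx.2xx.1xx.2x
      local ident (addr/mask/prot/port): (10.1.123.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.20.10/255.255.255.255/0/0)
      current_peer: 2xx.2xx.2xx.1xx
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4191, #pkts decrypt: 4191, #pkts verify: 4191
      #send errors: 0, #recv errors: 0
"""

TAG = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER = re.compile(r"current_peer: (\S+)")
COUNTER = re.compile(r"#([^:#,]+): (\d+)")


def parse_sas(text):
    """Return one dict per crypto-map entry: selectors, peer and '#' counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = TAG.search(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2)), "counters": {}}
            sas.append(cur)
        elif cur is None:
            continue  # ignore anything before the first crypto-map header
        elif IDENT.search(line):
            side, selector = IDENT.search(line).groups()
            cur[side] = selector
        elif PEER.search(line):
            cur["peer"] = PEER.search(line).group(1)
        else:
            for name, value in COUNTER.findall(line):
                cur["counters"][name.strip()] = int(value)
    return sas


def classify(sa):
    """Label the traffic direction seen on one SA from its encaps/decaps counters."""
    enc = sa["counters"].get("pkts encaps", 0)
    dec = sa["counters"].get("pkts decaps", 0)
    if enc == 0 and dec == 0:
        return "idle"
    if enc == 0:
        return "rx-only"  # peer traffic is decrypted, nothing is encrypted back
    if dec == 0:
        return "tx-only"
    return "bidirectional"


def report(text):
    """One summary line per SA; rx-only is the pattern seen in this thread."""
    return ["%s seq %d %s -> %s: %s (encaps=%d decaps=%d send_errors=%d)" % (
        sa["map"], sa["seq"], sa.get("local", "?"), sa.get("remote", "?"), classify(sa),
        sa["counters"].get("pkts encaps", 0), sa["counters"].get("pkts decaps", 0),
        sa["counters"].get("send errors", 0)) for sa in parse_sas(text)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

An rx-only result with zero send errors means return traffic is never handed to this SA, which is why the reply looks at NAT and routing on this context rather than at the IKE negotiation.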

sahara101
Level 1

From 10.1.123.99 as source

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdcbe58f50, priority=1, domain=permit, deny=false
        hits=83749299, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=insideServer, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 2xx.2xx.1xx.x, outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (insideServer,outside) source static NETWORK_OBJ_10.1.123.0_24 NETWORK_OBJ_10.1.123.0_24 destination static NOCPRTG NOCPRTG no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.20.10/80 to 10.10.20.10/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group insideHausNetz_access_in in interface insideServer
access-list insideHausNetz_access_in extended permit ip object ServerNetz object NOC
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdcebd6430, priority=13, domain=permit, deny=false
        hits=2, user_data=0x7ffda0b87ac0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=insideServer, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (insideServer,outside) source static NETWORK_OBJ_10.1.123.0_24 NETWORK_OBJ_10.1.123.0_24 destination static NOC NOC no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.123.99/80 to 10.1.123.99/80
 Forward Flow based lookup yields rule:
 in  id=0x7ffdcd860a60, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7ffdb9d1e860, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=insideServer, output_ifc=outside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdc734f800, priority=0, domain=nat-per-session, deny=false
        hits=1304564, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdcbe5f720, priority=0, domain=inspect-ip-options, deny=true
        hits=2832933, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=insideServer, output_ifc=any

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdcbe573a0, priority=21, domain=lu, deny=true
        hits=14543, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=insideServer, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffdcd500090, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x876f84, cs_id=0x7ffdcd6d4ea0, reverse, flags=0x0, protocol=0
        src ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (insideServer,outside) source static NETWORK_OBJ_10.1.123.0_24 NETWORK_OBJ_10.1.123.0_24 destination static NOCPRTG NOCPRTG no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffdcec7f950, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7ffdcd86b560, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=insideServer, output_ifc=outside

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffdcd51bd20, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=2, user_data=0x106e994, cs_id=0x7ffdcd6d4ea0, reverse, flags=0x0, protocol=0
        src ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffdc734f800, priority=0, domain=nat-per-session, deny=false
        hits=1304566, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffdcbb9e2d0, priority=0, domain=inspect-ip-options, deny=true
        hits=4433437, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12177524, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: insideServer
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

From 10.10.20.10 as source

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via 2xx.2xx.2xx.1xx, outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside120,outside) source static NOC NOC destination static NetzServer NetzServer no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.123.99/80 to 10.1.123.99/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside120_access_in_1 in interface inside120
access-list inside120_access_in_1 extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdc489af20, priority=13, domain=permit, deny=false
        hits=17781, user_data=0x7ffda0a6df40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside120, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside120,outside) source static NOC NOC destination static NetzServer NetzServer no-proxy-arp route-lookup
Additional Information:
Static translate 10.10.20.10/80 to 10.10.20.10/80
 Forward Flow based lookup yields rule:
 in  id=0x7ffdbb755920, priority=6, domain=nat, deny=false
        hits=1313, user_data=0x7ffdcd4c07f0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside120, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdc8837f20, priority=0, domain=nat-per-session, deny=false
        hits=109306, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdc36c8200, priority=0, domain=inspect-ip-options, deny=true
        hits=18085, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside120, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffdc36bf2e0, priority=21, domain=lu, deny=true
        hits=1182, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside120, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffdcd8c2a10, priority=70, domain=encrypt, deny=false
        hits=99, user_data=0xc401b4c, cs_id=0x7ffdcd8e03c0, reverse, flags=0x0, protocol=0
        src ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside120,outside) source static NOC NOC destination static NetzServer NetzServer no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7ffdcec2e430, priority=6, domain=nat-reverse, deny=false
        hits=1190, user_data=0x7ffdcb626f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0
        dst ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside120, output_ifc=outside

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffdce0e7db0, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=50, user_data=0x1070cec, cs_id=0x7ffdcd8e03c0, reverse, flags=0x0, protocol=0
        src ip/id=10.1.123.0, mask=255.255.255.0, port=0, tag=0
        dst ip/id=10.10.20.10, mask=255.255.255.255, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffdc8837f20, priority=0, domain=nat-per-session, deny=false
        hits=109308, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7ffdc47f8030, priority=0, domain=inspect-ip-options, deny=true
        hits=116071, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12185302, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside120
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Site-To-Site VPN Configuration on the Multiple Context ASA 9.x Receives Error Message (cisco.com) 

Check this link; I think there is an issue with the license in Multi Context and VPN.

sahara101
Level 1

But I do not see an error about license, also the tunnel comes up..