Site to Site between two ASA devices only works for one subnets pair.

Hi, I am having a weird issue where I cannot add more networks to the encryption domain of the site-to-site VPN, because then it only works for one.

 

My current scenario:

 

Site A - Encryption domain: 192.168.1.0/24

Site B - Encryption domain: 192.168.2.0/24

 

Then if I add a new network to the Site A encryption domain (for example, 10.10.10.0/24), it does not work and only the first network keeps working (I have also added the new network to the remote encryption domain in Site B).

 

When I run a show crypto ipsec sa in Site A, I can see that I encrypt and decrypt packets for the new network, but in Site B I can only see encrypted packets, not decrypted ones.

 

I know that it looks like a routing or NAT issue, but it is not the case. Keep in mind that if I remove network 192.168.1.0/24 from Site A and just add the new network 10.10.10.0/24, it works correctly.

 

Is there something which could explain this weird behavior? Thanks!


Hi,

Perhaps a NAT issue, do you have a NAT exemption rule for this new network?

Please provide your NAT, crypto ACL configuration and the output of "show crypto ipsec sa"

 

HTH


Hi Rob, 

 

Thanks for the answer. Keep in mind that the newly added network in the encryption domain works if I remove the old one, so I do not really think it is something related to NAT. It looks like a bug to me, but it worked properly before, after the device got restarted. Please check this output:

 

SiteB# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1

access-list outside_cryptomap extended permit ip host 10.50.96.19 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.50.96.19/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 80.80.80.1


#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.50.1/4500, remote crypto endpt.: 80.80.80.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5DA123AB
current inbound spi : 21737402

inbound esp sas:
spi: 0x21737402 (561214466)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28281)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5DA123AB (1570841515)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28280)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1

access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 80.80.80.1


#pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
#pkts decaps: 259, #pkts decrypt: 259, #pkts verify: 259
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 265, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.50.1/4500, remote crypto endpt.: 80.80.80.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: BA03253C
current inbound spi : 5A5D4624

inbound esp sas:
spi: 0x5A5D4624 (1516062244)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914984/28244)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBA03253C (3120768316)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914984/28244)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

 

As you can see, there are 0 packets decrypted between 10.50.96.19 - 192.168.10.0/24.

Then you can see how traffic is working properly between 192.168.11.0/24 - 192.168.10.0/24.

Then if I remove the subnet 192.168.11.0/24 from the encryption domain, the traffic between 10.50.96.19 - 192.168.10.0/24 starts working properly and I can see encrypted and decrypted packets.

Then if I add 192.168.11.0/24 again, the traffic between 192.168.11.0/24 - 192.168.10.0/24 does not work (except if I remove the subnet 10.50.96.19).

 

Keep in mind that this happens for any new network added, and I have tried with different ones which are not being used. Any idea about what could be causing this issue? Thanks!
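
A small checker, added here and not part of the thread, that parses "show crypto ipsec sa" output into one record per proxy-ID pair and flags one-way SAs (packets encapsulated but none decapsulated), which is exactly the symptom the Site B output above shows. The embedded sample is a constructed, trimmed copy of that output.

```python
import re

# Constructed sample, trimmed from the Site B "show crypto ipsec sa" output quoted above
SAMPLE_OUTPUT = """\
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1
access-list outside_cryptomap extended permit ip host 10.50.96.19 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.50.96.19/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 80.80.80.1
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 80.80.80.1
#pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
#pkts decaps: 259, #pkts decrypt: 259, #pkts verify: 259
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"^#pkts (encaps|decaps): (\d+)")
PEER_RE = re.compile(r"^current_peer: (\S+)")

def parse_ipsec_sas(text):
    """Return one dict per IPsec SA (local/remote proxy-ID pair) with its packet counters."""
    sas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":
            # every 'local ident' line opens a new SA block in the ASA output
            current = {"local": f"{m.group(2)}/{m.group(3)}", "remote": None,
                       "peer": None, "encaps": 0, "decaps": 0}
            sas.append(current)
        elif m and current is not None:
            current["remote"] = f"{m.group(2)}/{m.group(3)}"
        elif current is not None and (m := PEER_RE.match(line)):
            current["peer"] = m.group(1)
        elif current is not None and (m := COUNTER_RE.match(line)):
            current[m.group(1)] = int(m.group(2))
    return sas

def one_way_sas(sas):
    """SAs that encrypt but never decrypt: traffic leaves this side but nothing returns,
    so the return path for that proxy-ID pair (routing, NAT exemption, or the peer's
    crypto ACL) is where to look."""
    return [sa for sa in sas if sa["encaps"] > 0 and sa["decaps"] == 0]
```

Run it over the full output from both peers: a pair that is one-way on one side and idle or missing on the other narrows the problem to that single proxy-ID pair rather than the whole tunnel.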

 


Ok, sounds strange.
Can you provide the output of "show crypto ipsec sa" from the other peer device?
Can you run packet-tracer from the CLI to simulate traffic and provide the output, please?