Site-to-site IPSEC VPN issues on ASA

glebpe185
Level 1

Dear Experts,

We have a site-to-site VPN between an ASA and another device we do not manage at all.

We swapped the ASA for another ASA but started having an issue:

The IKEv1 SA and IPsec SA are solid and the tunnel comes up successfully, but RX packets = 0. I see increasing counters only for ENC packets. This happens only if our ASA side is the initiator. If it's the responder, all is good.

Can you please help me with what might be the issue?

Regards,

Gleb.

8 Replies

Richard Burts
Hall of Fame

Gleb

Based on the description that you give I would suspect that there is some mismatch in the config between your ASA and the other device that is its peer on the other end. Perhaps you could post the config and that might give us some insight into the problem.

HTH

Rick

Jeet Kumar
Cisco Employee

Hi,

If you are the initiator and you see that the ASA is encrypting, then as far as the ASA is concerned you are good. When you see increasing hits on the encryption counter, that means you are transmitting. Now, to get more clarity on it:

You can apply an ESP capture on the outside interface, initiate the traffic and see if you are sending and receiving anything.

access-list test permit esp host 1.1.1.1 host 2.2.2.2

access-list test permit esp host 2.2.2.2 host 1.1.1.1

capture capout access-list test interface outside

1.1.1.1 and 2.2.2.2 should be replaced by the outside IP of your ASA and of the other end device.

interface outside should be replaced by the name of your outside interface.

If you see ESP packets going out and nothing coming back in, that means there is a device in between which is blocking the connection, or the problem is at the other end.

Thanks

Jeet Kumar
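Jeet's reasoning about the counters in working form, as an added example that is not code from the original posts: take two `show crypto ipsec sa` snapshots a few seconds apart, diff the per-SA encaps/decaps counters and classify each SA as tx-only (the thread's symptom), rx-only, bidirectional or idle, then print the next step. The snapshot text is constructed in the ASA output format; 203.0.113.10 and 198.51.100.1 are documentation addresses standing in for the real outside IP and peer, and the 10.100.3.0/24 and 192.1.1.0/24 networks are the ones from the config posted later in this thread.

```python
"""Added example, not code from this thread: classify an ASA IPsec SA from the
encaps/decaps deltas between two 'show crypto ipsec sa' snapshots."""
import re
from dataclasses import dataclass

# Constructed 'show crypto ipsec sa' output (ASA format, documentation addresses);
# the counters are filled in per snapshot so one template shows broken and healthy SAs.
SNAPSHOT_TEMPLATE = """\
interface: outside
    Crypto map tag: outside_map0, seq num: 3, local addr: 203.0.113.10

      access-list outside_cryptomap_1 extended permit ip 10.100.3.0 255.255.255.0 192.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.100.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.1.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""


def snapshot(encaps: int, decaps: int) -> str:
    """Render a constructed snapshot with the given counters."""
    return SNAPSHOT_TEMPLATE.format(encaps=encaps, decaps=decaps)


IDENT_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)\s*"
                      r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
# Matches only the two counters we need ('#pkts decompressed' does not match).
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass(frozen=True)
class SaCounters:
    local: str
    remote: str
    encaps: int
    decaps: int


def parse_ipsec_sa(text: str) -> dict:
    """Return {(local ident, remote ident): SaCounters} for every SA in the output."""
    result = {}
    starts = [m.start() for m in re.finditer(r"local ident \(", text)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(text)
        chunk = text[start:end]
        ident = IDENT_RE.search(chunk)
        if ident is None:
            continue
        counters = {name: int(value) for name, value in COUNTER_RE.findall(chunk)}
        sa = SaCounters(ident.group(1), ident.group(2),
                        counters.get("encaps", 0), counters.get("decaps", 0))
        result[(sa.local, sa.remote)] = sa
    return result


def classify(before: SaCounters, after: SaCounters) -> str:
    """Traffic direction from the counter deltas between two snapshots."""
    d_enc = after.encaps - before.encaps
    d_dec = after.decaps - before.decaps
    if d_enc < 0 or d_dec < 0:
        return "counters-reset"   # SA cleared or rebuilt between snapshots
    if d_enc > 0 and d_dec == 0:
        return "tx-only"          # we encrypt, nothing decrypts: the thread's symptom
    if d_dec > 0 and d_enc == 0:
        return "rx-only"
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"
    return "idle"


NEXT_STEP = {
    "tx-only": "ESP leaves but nothing returns: capture ESP on the outside interface; "
               "no inbound ESP from the peer puts the fault upstream or on the peer",
    "rx-only": "peer traffic arrives but none is sent: check routing and NAT exemption",
    "bidirectional": "SA passes traffic both ways",
    "idle": "no interesting traffic matched the crypto ACL in the interval",
    "counters-reset": "SA was cleared or rebuilt between snapshots; take two fresh ones",
}


def diagnose(snap_before: str, snap_after: str) -> dict:
    """Classify every SA present in both snapshots."""
    before, after = parse_ipsec_sa(snap_before), parse_ipsec_sa(snap_after)
    return {key: classify(before[key], after[key]) for key in after if key in before}


if __name__ == "__main__":
    # Thread's symptom: encaps climbs between snapshots, decaps stays at 0.
    for label, later in (("initiator (broken)", snapshot(1350, 0)),
                         ("responder (healthy)", snapshot(1350, 1290))):
        for key, state in diagnose(snapshot(1200, 0), later).items():
            print(f"{label}: {key[0]} -> {key[1]}: {state}; {NEXT_STEP[state]}")
```

Paste two real snapshots in place of the constructed ones; a tx-only verdict with a clean crypto ACL match is exactly the state in which the ESP capture Jeet describes is worth the production-network interruption, because IKE is no longer the suspect.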

Hi,

Thanks for your reply. If there is something blocking ESP traffic, why is it all good when the other site is the initiator?

There is no need to capture right now, as it's all good at the moment and it's a production network. Next time we have issues I will capture the traffic.

Please see my config:

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set LONSET esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set LIPP esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 3 match address outside_cryptomap_1

crypto map outside_map0 3 set peer X.X.X.X

crypto map outside_map0 3 set ikev1 transform-set LIPP LONSET ESP-3DES-MD5 ESP-3DES-SHA ESP-AES-256-MD5 ESP-AES-256-SHA

crypto map outside_map0 3 set security-association lifetime seconds 86400

crypto map outside_map0 3 set security-association lifetime kilobytes 460800000

crypto map outside_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map0 interface outside

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 2

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 3

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

object network For_ipsec3

subnet 192.1.1.0 255.255.255.0

access-list outside_cryptomap_1 extended permit ip object inside_network object For_ipsec3

object network inside_network

subnet 10.100.3.0 255.255.255.0

tunnel-group X.X.X.X type ipsec-l2l

tunnel-group X.X.X.X general-attributes

default-group-policy GroupPolicy1

tunnel-group X.X.X.X ipsec-attributes

ikev1 pre-shared-key *****

Hi,

As mentioned by Jeet, those commands will help you determine whether your device is sending the packets or not.

But you already know that, since you see encaps when you run the "show crypto ipsec sa" command.

Turn on debugging with "debug crypto ipsec 127" and see if there is any Phase 2 mismatch.

It sounds like a possible mismatch and when it comes to interesting traffic, the ACL has to be exactly the same on both endpoints.

HTH.

Thanks Javier,

As per my understanding, if there is a Proxy ID mismatch the tunnel won't come up? But it does.

Here is some log I captured when my side was the initiator and we did not have any DECAPs...

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing hash payload

7|Oct 02 2013|08:36:21|713236|||||IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=8cef3677) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 208

7|Oct 02 2013|08:36:21|715080|||||Group = X.X.X.X, IP = X.X.X.X, Restarting P1 rekey timer: 36720 seconds.

5|Oct 02 2013|08:36:21|713073|||||Group = X.X.X.X, IP = X.X.X.X, Responder forcing change of IKE rekeying duration from 86400 to 43200 seconds

7|Oct 02 2013|08:36:21|713906|||||0000: 60383C80 EA620FD5 E924BBD7 6B47C5C1     `8<..b...$..kG..

7|Oct 02 2013|08:36:21|713906|||||Responder Lifetime decode follows (outb SPI[4]|attributes):

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing notify payload

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing hash payload

7|Oct 02 2013|08:36:21|713236|||||IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=f2509ecd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 88

7|Oct 02 2013|08:36:21|713236|||||IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=8cef3677) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 472

7|Oct 02 2013|08:36:21|714004|||||Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending 1st QM pkt: msg id = 8cef3677

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload

7|Oct 02 2013|08:36:21|714007|||||Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending Initial Contact

7|Oct 02 2013|08:36:21|713906|||||Group = X.X.X.X, IP = X.X.X.X, Transmitting Proxy Id:

7|Oct 02 2013|08:36:21|715001|||||Group = X.X.X.X, IP = X.X.X.X, constructing proxy ID

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing IPSec nonce payload

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing IPSec SA payload

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload

7|Oct 02 2013|08:36:21|713906|||||Group = X.X.X.X, IP = X.X.X.X, oakley constucting quick mode

7|Oct 02 2013|08:36:21|715006|||||Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xf733cdab

7|Oct 02 2013|08:36:21|715006|||||Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xab9f8632

7|Oct 02 2013|08:36:21|715006|||||Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0x2bdc7acc

7|Oct 02 2013|08:36:21|715006|||||Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xb420889b

7|Oct 02 2013|08:36:21|715006|||||Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xe12b3c0f

7|Oct 02 2013|08:36:21|715006|||||Group = X.X.X.X, IP = X.X.X.X, IKE got SPI from key engine: SPI = 0xf185a6a9

7|Oct 02 2013|08:36:21|715080|||||Group = X.X.X.X, IP = X.X.X.X, Starting P1 rekey timer: 73440 seconds.

7|Oct 02 2013|08:36:21|713121|||||IP = X.X.X.X, Keep-alive type for this connection: IOS

5|Oct 02 2013|08:36:21|713119|||||Group = X.X.X.X, IP = X.X.X.X, PHASE 1 COMPLETED

7|Oct 02 2013|08:36:21|714002|||||Group = X.X.X.X, IP = X.X.X.X, IKE Initiator starting QM: msg id = 8cef3677

7|Oct 02 2013|08:36:21|713906|||||Group = X.X.X.X, IP = X.X.X.X, Oakley begin quick mode

6|Oct 02 2013|08:36:21|113009|||||AAA retrieved default group policy (GroupPolicy1) for user = X.X.X.X

7|Oct 02 2013|08:36:21|713906|||||IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X

7|Oct 02 2013|08:36:21|715034|||||IP = X.X.X.X, Processing IOS keep alive payload: proposal=32767/32767 sec.

7|Oct 02 2013|08:36:21|715076|||||Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing hash payload

7|Oct 02 2013|08:36:21|714011|||||Group = X.X.X.X, IP = X.X.X.X, ID_IPV4_ADDR ID received

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing ID payload

7|Oct 02 2013|08:36:21|713236|||||IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + NONE (0) total length : 76

6|Oct 02 2013|08:36:21|713172|||||Group = X.X.X.X, IP = X.X.X.X, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device

7|Oct 02 2013|08:36:21|713236|||||IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 96

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing dpd vid payload

7|Oct 02 2013|08:36:21|715034|||||IP = X.X.X.X, Constructing IOS keep alive payload: proposal=32767/32767 sec.

7|Oct 02 2013|08:36:21|715076|||||Group = X.X.X.X, IP = X.X.X.X, Computing hash for ISAKMP

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing hash payload

7|Oct 02 2013|08:36:21|715046|||||Group = X.X.X.X, IP = X.X.X.X, constructing ID payload

7|Oct 02 2013|08:36:21|713906|||||Group = X.X.X.X, IP = X.X.X.X, Generating keys for Initiator...

7|Oct 02 2013|08:36:21|713906|||||IP = X.X.X.X, Connection landed on tunnel_group X.X.X.X

7|Oct 02 2013|08:36:21|713906|||||IP = X.X.X.X, computing NAT Discovery hash

7|Oct 02 2013|08:36:21|715047|||||IP = X.X.X.X, processing NAT-Discovery payload

7|Oct 02 2013|08:36:21|713906|||||IP = X.X.X.X, computing NAT Discovery hash

7|Oct 02 2013|08:36:21|715047|||||IP = X.X.X.X, processing NAT-Discovery payload

7|Oct 02 2013|08:36:21|715049|||||IP = X.X.X.X, Received Altiga/Cisco VPN3000/Cisco ASA GW VID

7|Oct 02 2013|08:36:21|715047|||||IP = X.X.X.X, processing VID payload

7|Oct 02 2013|08:36:21|715038|||||IP = X.X.X.X, Processing VPN3000/ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000409)

7|Oct 02 2013|08:36:21|715047|||||IP = X.X.X.X, processing VID payload

7|Oct 02 2013|08:36:21|715049|||||IP = X.X.X.X, Received xauth V6 VID

7|Oct 02 2013|08:36:21|715047|||||IP = X.X.X.X, processing VID payload

7|Oct 02 2013|08:36:21|715049|||||IP = X.X.X.X, Received Cisco Unity client VID

Hi

I don't see a "PHASE 2 COMPLETED" message. Did you paste the full debug?

thanks

Pranesh

Sorry, mate. I did not copy and paste part of it.

5|Oct 02 2013|08:36:21|713120|||||Group = X.X.X.X, IP = X.X.X.X, PHASE 2 COMPLETED (msgid=8cef3677)

7|Oct 02 2013|08:36:21|715080|||||Group = X.X.X.X, IP = X.X.X.X, Starting P2 rekey timer: 24480 seconds.

7|Oct 02 2013|08:36:21|715077|||||Group = X.X.X.X, IP = X.X.X.X, Pitcher: received KEY_UPDATE, spi 0xb420889b

7|Oct 02 2013|08:36:21|715007|||||Group = X.X.X.X, IP = X.X.X.X, IKE got a KEY_ADD msg for SA: SPI = 0x692a9d5e

7|Oct 02 2013|08:36:21|715077|||||Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xf733cdab

7|Oct 02 2013|08:36:21|715077|||||Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xab9f8632

7|Oct 02 2013|08:36:21|715077|||||Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0x2bdc7acc

7|Oct 02 2013|08:36:21|715077|||||Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xe12b3c0f

7|Oct 02 2013|08:36:21|715077|||||Group = X.X.X.X, IP = X.X.X.X, Pitcher: received key delete msg, spi 0xf185a6a9

7|Oct 02 2013|08:36:21|713236|||||IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=8cef3677) with payloads : HDR + HASH (8) + NONE (0) total length : 76

7|Oct 02 2013|08:36:21|714006|||||Group = X.X.X.X, IP = X.X.X.X, IKE Initiator sending 3rd QM pkt: msg id = 8cef3677

6|Oct 02 2013|08:36:21|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0xB420889B) between 202.92.101.51 and X.X.X.X (user= X.X.X.X) has been created.

7|Oct 02 2013|08:36:21|713906|||||Group = X.X.X.X, IP = X.X.X.X, oakley constructing final quick mode

5|Oct 02 2013|08:36:21|713049|||||Group = X.X.X.X, IP = X.X.X.X, Security negotiation complete for LAN-to-LAN Group (X.X.X.X)  Initiator, Inbound SPI = 0xb420889b, Outbound SPI = 0x692a9d5e

6|Oct 02 2013|08:36:21|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x692A9D5E) between 202.92.101.51 and X.X.X.X (user= X.X.X.X) has been created.

7|Oct 02 2013|08:36:21|715001|||||Group = X.X.X.X, IP = X.X.X.X, Generating Quick Mode Key!

7|Oct 02 2013|08:36:21|715001|||||Group = X.X.X.X, IP = X.X.X.X, Generating Quick Mode Key!

7|Oct 02 2013|08:36:21|713906|||||Group = X.X.X.X, IP = X.X.X.X, loading all IPSEC SAs

5|Oct 02 2013|08:36:21|713073|||||Group = X.X.X.X, IP = X.X.X.X, Responder forcing change of IPSec rekeying duration from 86400 to 28800 seconds

5|Oct 02 2013|08:36:21|713074|||||Group = X.X.X.X, IP = X.X.X.X, Responder forcing change of IPSec rekeying duration from 460800000 to 4608000 Kbs

7|Oct 02 2013|08:36:21|713906|||||0000: 692A9D5E 80010001 80027080 80010002     i*.^......p.....

7|Oct 02 2013|08:36:21|713906|||||Responder Lifetime decode follows (outb SPI[4]|attributes):

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing notify payload

7|Oct 02 2013|08:36:21|714011|||||Group = X.X.X.X, IP = X.X.X.X, ID_IPV4_ADDR_SUBNET ID received--192.1.1.0--255.255.255.0

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing ID payload

7|Oct 02 2013|08:36:21|714011|||||Group = X.X.X.X, IP = X.X.X.X, ID_IPV4_ADDR_SUBNET ID received--10.100.3.0--255.255.255.0

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing ID payload

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing nonce payload

7|Oct 02 2013|08:36:21|715047|||||Group = X.X.X.X, IP = X.X.X.X, processing SA payload
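The check Javier and Pranesh are doing by eye, as an added example that is not code from this thread: parse IKEv1 syslog lines in the "severity|date|time|message-id|||||text" export format shown above and pull out what matters for a tunnel that comes up but passes no return traffic: Phase 1 and Phase 2 completion, the negotiated SPIs, the proxy IDs the peer sent back (compared against the networks in the posted crypto ACL), and any lifetime the responder forced down. The sample lines are constructed from the lines in this thread with the peer address replaced by the documentation address 198.51.100.1; the message-ID numbers are the ones visible in the posted log.

```python
"""Added example, not code from this thread: summarize ASA IKEv1 syslog lines
in the 'sev|date|time|msgid|||||text' export format."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LOG_LINE_RE = re.compile(r"^(\d)\|([^|]+)\|([^|]+)\|(\d{6})\|+(.*)$")
SPI_RE = re.compile(r"Inbound SPI = (0x[0-9a-fA-F]+), Outbound SPI = (0x[0-9a-fA-F]+)")
PROXY_ID_RE = re.compile(r"ID_IPV4_ADDR_SUBNET ID received--([\d.]+)--([\d.]+)")
LIFETIME_RE = re.compile(r"Responder forcing change of (\w+) rekeying duration "
                         r"from (\d+) to (\d+) (\w+)")

# Networks from the crypto ACL posted in this thread:
# inside_network 10.100.3.0/24 <-> For_ipsec3 192.1.1.0/24.
EXPECTED_PROXY_IDS = {("10.100.3.0", "255.255.255.0"), ("192.1.1.0", "255.255.255.0")}

# Constructed from this thread's log, peer address replaced, hex-dump line kept
# to show it is tolerated.
SAMPLE_LOG = """\
5|Oct 02 2013|08:36:21|713073|||||Group = 198.51.100.1, IP = 198.51.100.1, Responder forcing change of IKE rekeying duration from 86400 to 43200 seconds
5|Oct 02 2013|08:36:21|713119|||||Group = 198.51.100.1, IP = 198.51.100.1, PHASE 1 COMPLETED
7|Oct 02 2013|08:36:21|714002|||||Group = 198.51.100.1, IP = 198.51.100.1, IKE Initiator starting QM: msg id = 8cef3677
7|Oct 02 2013|08:36:21|714011|||||Group = 198.51.100.1, IP = 198.51.100.1, ID_IPV4_ADDR_SUBNET ID received--10.100.3.0--255.255.255.0
7|Oct 02 2013|08:36:21|714011|||||Group = 198.51.100.1, IP = 198.51.100.1, ID_IPV4_ADDR_SUBNET ID received--192.1.1.0--255.255.255.0
7|Oct 02 2013|08:36:21|713906|||||0000: 692A9D5E 80010001 80027080 80010002     i*.^......p.....
5|Oct 02 2013|08:36:21|713073|||||Group = 198.51.100.1, IP = 198.51.100.1, Responder forcing change of IPSec rekeying duration from 86400 to 28800 seconds
5|Oct 02 2013|08:36:21|713074|||||Group = 198.51.100.1, IP = 198.51.100.1, Responder forcing change of IPSec rekeying duration from 460800000 to 4608000 Kbs
5|Oct 02 2013|08:36:21|713049|||||Group = 198.51.100.1, IP = 198.51.100.1, Security negotiation complete for LAN-to-LAN Group (198.51.100.1)  Initiator, Inbound SPI = 0xb420889b, Outbound SPI = 0x692a9d5e
5|Oct 02 2013|08:36:21|713120|||||Group = 198.51.100.1, IP = 198.51.100.1, PHASE 2 COMPLETED (msgid=8cef3677)
"""


@dataclass
class IkeSummary:
    phase1_complete: bool = False
    phase2_complete: bool = False
    inbound_spi: Optional[str] = None
    outbound_spi: Optional[str] = None
    peer_proxy_ids: Set[Tuple[str, str]] = field(default_factory=set)
    lifetime_overrides: List[Tuple[str, int, int, str]] = field(default_factory=list)
    unparsed: int = 0


def parse_line(line: str):
    """Split one export line into (severity, msgid, text); None if not a log line."""
    m = LOG_LINE_RE.match(line.strip())
    if m is None:
        return None
    sev, _date, _time, msgid, text = m.groups()
    return int(sev), msgid, text


def summarize(log_text: str) -> IkeSummary:
    """Order-independent summary, so newest-first viewer exports work unchanged."""
    s = IkeSummary()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            s.unparsed += 1
            continue
        _sev, msgid, text = parsed
        if msgid == "713119":
            s.phase1_complete = True
        elif msgid == "713120":
            s.phase2_complete = True
        elif msgid == "713049":
            m = SPI_RE.search(text)
            if m:
                s.inbound_spi, s.outbound_spi = m.group(1).lower(), m.group(2).lower()
        elif msgid == "714011":
            m = PROXY_ID_RE.search(text)
            if m:
                s.peer_proxy_ids.add((m.group(1), m.group(2)))
        elif msgid in ("713073", "713074"):
            m = LIFETIME_RE.search(text)
            if m:
                s.lifetime_overrides.append((m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    return s


def proxy_ids_match(summary: IkeSummary, expected) -> bool:
    """True when the peer echoed exactly the networks in our crypto ACL."""
    return summary.peer_proxy_ids == set(expected)


def verdict(summary: IkeSummary, expected) -> str:
    if not summary.phase1_complete:
        return "phase 1 never completed"
    if not summary.phase2_complete:
        return "phase 2 never completed: check transform sets and proxy IDs"
    if not proxy_ids_match(summary, expected):
        return "phase 2 completed but proxy IDs differ from the crypto ACL"
    return "IKE is clean: phase 2 completed with matching proxy IDs, look at ESP, not IKE"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(summary)
    print(verdict(summary, EXPECTED_PROXY_IDS))
```

On the posted log this returns the "IKE is clean" verdict with SPIs 0xb420889b in and 0x692a9d5e out, which is why the follow-up ESP capture, rather than more IKE debugging, is the right next move. The lifetime overrides are kept in the summary because a responder that cuts the kilobyte lifetime by two orders of magnitude is the kind of detail worth knowing when a tunnel later starts rekeying more often than expected.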

Hi Jeet,

I ran the capture and can't see a single ESP packet from the other end.

So, given that we do not have any devices in the middle, can I blame the other side?

Regards,

Gleb