Site to Site: only encap packets are increasing at both ends, not decap

sv7
Level 3

Hi All,

I have configured a site-to-site VPN between two ASAs. Phase 1 and phase 2 are both up, but when I execute the show crypto ipsec sa command it shows only encap packets increasing, not decap.

Attached is the VPN configuration for both devices; please help me resolve this.


6 Replies

@sv7 is there a firewall/ACL in between these ASA that could be blocking ESP? Run a packet capture to confirm.


Nope. Also nothing is getting captured in the packet capture.


sv7_0-1684483968788.png


crypto map outside_map interface outside

You use a crypto map name different from the one under the outside interface; is that a typo?

I see this misconfig on both sides.

Also double-check the local and remote LAN; they must be mirrored on both sides.

Thanks

MHM

Hi MHM,

Yes, that's a typo. Regarding the remote and local LAN, I have checked and they are mirrored.

object-group network DM_INLINE_NETWORK_7 LOCAL LAN
 network-object 192.168.148.0 255.255.255.0
 network-object object india_local
 network-object object india_local_sparenetwork
object-group network DM_INLINE_NETWORK_8 REMOTE LAN
 network-object object VIM_Data_Lan
 network-object object VIM_MGMT_LAN
 network-object object VIM_Voice
 network-object object City_10.10.6.0



object-group network DM_INLINE_NETWORK_7 REMOTE LAN
 network-object object Inside_Data_Lan
 network-object object Inside_MGMT_Lan
 network-object object Inside_Voice
 network-object object SSL_VPN_POOL
object-group network DM_INLINE_NETWORK_8 REMOTE LAN
 network-object object Khed_Data
 network-object object Khed_Management
 network-object object Khed_Spare

This needs to be checked: LOCAL on one side must match REMOTE on the other side.

ALSO, AGAIN check the crypto map NAME under the outside interface.

Sheraz.Salim
VIP Alumni

As you do not see decap but you do see encap, and the encap numbers are increasing, it clearly points to an issue at the remote side. They might not have a routing/static route configured/in place to direct the traffic onto their ASA firewall.


please do not forget to rate.
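The two checks raised in this thread (MHM's point that the local/remote proxy identities must be mirror images, and Sheraz's point that rising encaps with flat decaps locates the problem on the receiving side or in the path) can be automated against `show crypto ipsec sa` output. The script below is an added example, not code from the thread or from Cisco: it parses two snapshots per peer, verifies the identities mirror, and classifies the counter deltas. The layout of the parsed lines follows the ASA's real `show crypto ipsec sa` output, but every address, counter and snapshot here is constructed sample data.

```python
"""Added example (not from the thread): parse `show crypto ipsec sa` snapshots
from two ASA peers and flag the symptom discussed above. The parsed line layout
mirrors the ASA's real output; all addresses and counters are constructed."""
import re
from dataclasses import dataclass


def sample(local_addr, local_net, remote_net, peer, encaps, decaps):
    """Build one constructed `show crypto ipsec sa` excerpt for a single SA."""
    return f"""interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: {local_addr}

      local ident (addr/mask/prot/port): ({local_net}/0/0)
      remote ident (addr/mask/prot/port): ({remote_net}/0/0)
      current_peer: {peer}

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


# Constructed: two snapshots a minute apart from each peer (RFC 5737 addresses).
# Both sides keep encapsulating while decaps stay at zero, as in the thread.
A_NET, B_NET = "192.168.148.0/255.255.255.0", "10.10.6.0/255.255.255.0"
SITE_A_T0 = sample("203.0.113.1", A_NET, B_NET, "198.51.100.1", 1400, 0)
SITE_A_T1 = sample("203.0.113.1", A_NET, B_NET, "198.51.100.1", 1530, 0)
SITE_B_T0 = sample("198.51.100.1", B_NET, A_NET, "203.0.113.1", 880, 0)
SITE_B_T1 = sample("198.51.100.1", B_NET, A_NET, "203.0.113.1", 912, 0)

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass
class SaStats:
    local: str   # proxy identity this peer protects (network/mask)
    remote: str  # proxy identity it expects from the other side
    encaps: int
    decaps: int


def parse_sa(text: str) -> SaStats:
    """Pull the proxy identities and encap/decap counters out of one SA block."""
    idents = {m.group(1): m.group(2) for m in IDENT_RE.finditer(text)}
    counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(text)}
    return SaStats(idents["local"], idents["remote"], counters["encaps"], counters["decaps"])


def identities_mirror(a: SaStats, b: SaStats) -> bool:
    """A's local must be B's remote and vice versa (MHM's mirror requirement)."""
    return a.local == b.remote and a.remote == b.local


def diagnose(a0: SaStats, a1: SaStats, b0: SaStats, b1: SaStats) -> list[str]:
    """Compare counter deltas between two snapshots and name the failure class."""
    findings = []
    if not identities_mirror(a1, b1):
        findings.append("proxy identities are not mirror images: fix the crypto ACL/object-groups")
    a_tx, a_rx = a1.encaps - a0.encaps, a1.decaps - a0.decaps
    b_tx, b_rx = b1.encaps - b0.encaps, b1.decaps - b0.decaps
    if a_tx > 0 and b_tx > 0 and a_rx == 0 and b_rx == 0:
        findings.append("both peers encapsulate but neither decapsulates: ESP is not reaching "
                        "either end, check for a filter between the ASAs")
    elif a_tx > 0 and b_rx > 0 and b_tx == 0:
        findings.append("B decapsulates but never replies: return traffic is not being routed "
                        "to B's ASA")
    elif a_tx > 0 and b_rx == 0:
        findings.append("A encapsulates but B does not decapsulate: ESP from A is dropped before B")
    return findings


def run_example() -> list[str]:
    """Run the diagnosis over the constructed snapshots above."""
    return diagnose(parse_sa(SITE_A_T0), parse_sa(SITE_A_T1),
                    parse_sa(SITE_B_T0), parse_sa(SITE_B_T1))


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

Using two snapshots rather than one matters: a single reading cannot tell "encaps increasing" from a stale counter, and the delta is what separates a dead tunnel from one that is simply idle. Replace the constructed `SITE_*` strings with pasted output from each ASA to apply the same checks to a live pair.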