Site-to-Site packets ENCAP/DECAP with 50% packet loss problem

mysolutionscorp
Level 1

Hello, Good Day!!

I have a problem with a site-to-site VPN between a Cisco 2801 router running C2801-ADVENTERPRISEK9-M Version 12.4(16) and a Cisco ASA 5515 firewall running Version 8.6(1)2.

The problem occurs once phase 1 and phase 2 are completed: when I give the command "sh crypto ipsec sa" on the Cisco 2801 router it shows all zeros in the output, but on the other side the Cisco ASA shows packets being encapsulated/decapsulated fine.

I have matched the configuration and it is all fine on both ends, and both endpoints are reachable, but with 50% packet loss.

Please assist me, I am stuck with this problem.

Cisco Router 2801:

crypto isakmp policy 70
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800

crypto isakmp key KEY_STRING address XXX.XXX.XXXX.XXXX

crypto ipsec transform-set TS_STRING esp-3des esp-md5-hmac

crypto map KASBUAE 70 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set security-association lifetime seconds 28800
 set transform-set TS_STRING
 match address 110

access-list 110 permit ip host 10.10.10.10 host 20.20.20.20
access-list 110 permit tcp host 10.10.10.10 eq 1251 host 20.20.20.20
access-list 110 permit icmp host 10.10.10.10 host 20.20.20.20

Cisco firewall ASA 5515:

phase 1:
crypto ikev1 policy 95
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800

crypto isakmp key KEY_STRING address XXX.XXX.XXXX.XXXX

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 14 match address outside_cryptomap_13
crypto map outside_map 14 set peer XXX.XXX.XXX.XXX
crypto map outside_map 14 set ikev1 transform-set ESP-3DES-MD5
crypto map outside_map 14 set security-association lifetime seconds 28800

access-list outside_cryptomap_13 extended permit icmp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit tcp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit ip object CISCO_ASA object CISCO_2811

Here:

CISCO_ASA = 20.20.20.20
CISCO_2811 = 10.10.10.10

protected vrf: (none)

   local  ident (addr/mask/prot/port): (10.142.56.105/255.255.255.255/6/1251)

   remote ident (addr/mask/prot/port): (10.0.31.6/255.255.255.255/6/0)

   current_peer 212.112.188.194 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 202.44.92.18, remote crypto endpt.: 212.112.188.194

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


Thanks & Regards,

1 Reply

m.kafka
Level 4

The IPsec SA is not established (inbound esp sas: empty).

Verify that your crypto ACLs are mirrored (unless you know exactly what you are doing).

If in doubt, run a debug on that phase (deb cryp ipsec) to see what's happening.

Rgds,

MiKa

PS: If you obfuscate addresses in your pseudo-config, you should also obfuscate them in your debug output.
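As an added example (not from either participant in this thread), the following Python script parses the two crypto ACLs posted above into proxy identities (protocol, source, source port, destination, destination port) and reports every entry that has no mirror image on the other side. It assumes only host/object/any address forms and resolves the ASA object names with the mapping the poster gave.

```python
# Constructed sample: the two crypto ACLs from the thread, with the ASA object
# names resolved through the mapping the poster gave (CISCO_ASA, CISCO_2811).
OBJECTS = {"CISCO_ASA": "20.20.20.20", "CISCO_2811": "10.10.10.10"}
ROUTER_ACL = """\
access-list 110 permit ip host 10.10.10.10 host 20.20.20.20
access-list 110 permit tcp host 10.10.10.10 eq 1251 host 20.20.20.20
access-list 110 permit icmp host 10.10.10.10 host 20.20.20.20
"""
ASA_ACL = """\
access-list outside_cryptomap_13 extended permit icmp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit tcp object CISCO_ASA object CISCO_2811
access-list outside_cryptomap_13 extended permit ip object CISCO_ASA object CISCO_2811
"""

def _endpoint(tokens):
    """Consume one address spec (host X | object NAME | any) and an optional 'eq PORT'."""
    kind = tokens.pop(0)
    if kind == "host":
        addr = tokens.pop(0)
    elif kind == "object":
        addr = OBJECTS[tokens.pop(0)]
    elif kind == "any":
        addr = "any"
    else:  # assumption: network/mask forms do not occur in these ACLs
        raise ValueError("unsupported address form: %s" % kind)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
    return addr, port

def parse_acl(text):
    """Return the set of (proto, src, sport, dst, dport) proxy identities in an ACL."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue  # ignore remarks, deny lines and blanks
        tokens = tokens[tokens.index("permit") + 1:]
        proto = tokens.pop(0)
        src, sport = _endpoint(tokens)
        dst, dport = _endpoint(tokens)
        entries.add((proto, src, sport, dst, dport))
    return entries

def unmirrored(local, remote):
    """Identities in `local` whose mirror (src/dst and ports swapped) is absent from `remote`."""
    return {e for e in local if (e[0], e[3], e[4], e[1], e[2]) not in remote}
```

Run against the thread's ACLs, `unmirrored(parse_acl(ROUTER_ACL), parse_acl(ASA_ACL))` flags the router's `tcp ... eq 1251` entry, whose ASA counterpart carries no port, which is exactly the kind of proxy-identity mismatch the reply asks the poster to check.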