12-12-2017 02:41 AM - edited 03-12-2019 04:49 AM
Hello,
We have a VPN connection between our HQ and one of our branches which has a Bintec router. Phase 1 and phase 2 are up, but no traffic is being passed.
This is the result of debug cry ipsec:
HQ# debug crypto ipsec 255
HQ# IPSEC: Received a PFKey message from IKE
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x6BC9BF90)
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) destroy started, state active
IPSEC: Destroy current outbound SPI: 0x7DD2A486
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) free started, state active
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) state change from active to dead
IPSEC DEBUG: Deleting the outbound encrypt rule for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted outbound encrypt rule, SPI 0x7DD2A486
Rule ID: 0x00007f314aa98ac0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the outbound permit rule for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted outbound permit rule, SPI 0x7DD2A486
Rule ID: 0x00007f314aa99170
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the Outbound VPN context for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_free_sa:10053)
IPSEC: Deleted outbound VPN context, SPI 0x7DD2A486
VPN handle: 0x000000000085546c
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_np_vpn_delete_cb:12591)
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) free completed
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) destroy completed
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) destroy started, state active
IPSEC: Destroy current inbound SPI: 0x6BC9BF90
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) free started, state active
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) state change from active to dead
IPSEC DEBUG: Deleting the inbound decrypt rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound decrypt rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa905a0
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the inbound permit rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound permit rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa9a800
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the inbound tunnel flow rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound tunnel flow rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa02b30
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the Inbound VPN context for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_free_sa:10053)
IPSEC: Deleted inbound VPN context, SPI 0x6BC9BF90
VPN handle: 0x000000000085612c
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_np_vpn_delete_cb:12591)
IPSEC: Removed SA from last received DB, SPI: 0x6BC9BF90, user: 1.1.1.1, peer: 1.1.1.1, SessionID: 0x00027000
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) free completed
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) destroy completed
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007f314aa48160,
SCB: 0x4A851930,
Direction: inbound
SPI : 0xA408878F
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey ADD message
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x08054576
IPSEC DEBUG: Outbound SA (SPI 0x08054576) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007f314aa01430,
SCB: 0x4AA15580,
Direction: outbound
SPI : 0x08054576
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 172.16.2.0 to remote 192.168.113.0
PROXY MATCH on crypto map outside_map seq 1
IPSEC DEBUG: Using NP outbound permit rule for SPI 0x08054576
IPSEC: Completed host OBSA update, SPI 0x08054576
IPSEC: Creating outbound VPN context, SPI 0x08054576
Flags: 0x00000025
SA : 0x00007f314aa01430
SPI : 0x08054576
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x426E769D
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8216)
IPSEC: Completed outbound VPN context, SPI 0x08054576
VPN handle: 0x00000000008588a4
IPSEC: New outbound encrypt rule, SPI 0x08054576
Src addr: 172.16.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.113.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6773)
IPSEC: Completed outbound encrypt rule, SPI 0x08054576
Rule ID: 0x00007f314aa01c90
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New outbound permit rule, SPI 0x08054576
Src addr: 2.2.2.2
Src mask: 255.255.255.255
Dst addr: 1.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 4500
Lower: 4500
Op : equal
Dst ports
Upper: 40634
Lower: 40634
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6934)
IPSEC: Completed outbound permit rule, SPI 0x08054576
Rule ID: 0x00007f314aaaf4f0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: Increment SA HW ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_obsa:1230)
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey UPDATE message
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0xA408878F
IPSEC: New embryonic SA created @ 0x00007f314aa48160,
SCB: 0x4A851930,
Direction: inbound
SPI : 0xA408878F
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 172.16.2.0 to remote 192.168.113.0
PROXY MATCH on crypto map outside_map seq 1
IPSEC DEBUG: Using NP inbound permit rule for SPI 0xA408878F
IPSEC: Completed host IBSA update, SPI 0xA408878F
IPSEC: Creating inbound VPN context, SPI 0xA408878F
Flags: 0x00000026
SA : 0x00007f314aa48160
SPI : 0xA408878F
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x008588A4
SCB : 0x426D6F6F
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8149)
IPSEC: Completed inbound VPN context, SPI 0xA408878F
VPN handle: 0x0000000000044f0c
IPSEC: Updating outbound VPN context 0x008588A4, SPI 0x08054576
Flags: 0x00000025
SA : 0x00007f314aa01430
SPI : 0x08054576
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00044F0C
SCB : 0x426E769D
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_ipsec_update_vpn_context:8345)
IPSEC: Completed outbound VPN context, SPI 0x08054576
VPN handle: 0x00000000008588a4
IPSEC: Completed outbound inner rule, SPI 0x08054576
Rule ID: 0x00007f314aa01c90
IPSEC: Completed outbound outer SPD rule, SPI 0x08054576
Rule ID: 0x00007f314aaaf4f0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: New inbound tunnel flow rule, SPI 0xA408878F
Src addr: 192.168.113.0
Src mask: 255.255.255.0
Dst addr: 172.16.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6339)
IPSEC: Completed inbound tunnel flow rule, SPI 0xA408878F
Rule ID: 0x00007f314aa90e80
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New inbound decrypt rule, SPI 0xA408878F
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 40634
Lower: 40634
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6501)
IPSEC: Completed inbound decrypt rule, SPI 0xA408878F
Rule ID: 0x00007f314aa90f90
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New inbound permit rule, SPI 0xA408878F
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 40634
Lower: 40634
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6501)
IPSEC: Completed inbound permit rule, SPI 0xA408878F
Rule ID: 0x00007f314aaa1d80
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: Increment SA HW ref counter for inbound SPI 0xA408878F, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:805)
IPSEC: Added SA to last received DB, SPI: 0xA408878F, user: 1.1.1.1, peer: 1.1.1.1, SessionID: 0x00028000
IPSEC DEBUG: Inbound SA (SPI 0xA408878F) state change from embryonic to active
IPSEC DEBUG: Outbound SA (SPI 0x08054576) state change from embryonic to active
-------------------------
packet tracer results:
packet-tracer input inside icmp 172.16.2.10 0 0 192.168.113.220
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.2 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:
Static translate 172.16.2.10/0 to 1.1.1.30/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10593, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
------------
Running Config:
sh run nat
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
nat (inside,outside) source static FIREPOWER-INT FIREPOWER-EXT
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup
----------------
I think it's a NAT problem, but I can't fix it.
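As an added example (not part of the original post), a small Python checker that runs over the packet-tracer output and the `sh run nat` lines quoted above: it flags a NAT phase that translates the source out of the crypto ACL's local network before any VPN phase is reached, and lists the manual NAT rules that the ASA evaluates before the identity (NAT-exempt) rule, since section-1 manual NAT is matched top-down with first match winning. The local network and object name are taken from the post; the trace sample is trimmed to the lines the checks read.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the NAT phase, the final result and the "sh run nat" lines
# quoted in the post, trimmed to the lines the two checks below look at.
TRACE = """Phase: 2
Type: NAT
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:
Static translate 172.16.2.10/0 to 1.1.1.30/0
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
"""
NAT_CONFIG = """nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
nat (inside,outside) source static FIREPOWER-INT FIREPOWER-EXT
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup
"""
XLATE_RE = re.compile(r"Static translate (\S+?)/\d+ to (\S+?)/\d+")
NAT_RE = re.compile(r"^nat \(\S+\) source static (\S+) (\S+)(?: destination static (\S+) (\S+))?")

def trace_findings(trace, local_net):
    """Flag a packet-tracer run whose source is translated out of the crypto ACL's
    local network, and note whether a 'Type: VPN' (encrypt) phase was reached at all."""
    local_net = ip_network(local_net)
    findings, saw_vpn = [], False
    for line in trace.splitlines():
        if line.startswith("Type: VPN"):
            saw_vpn = True
        m = XLATE_RE.search(line)
        if m and ip_address(m.group(1)) in local_net and ip_address(m.group(2)) not in local_net:
            findings.append(f"source {m.group(1)} translated to {m.group(2)} before VPN phase")
    if not saw_vpn:
        findings.append("no VPN phase in trace; packet never matched the crypto map")
    return findings

def nat_order_findings(config, local_obj):
    """List non-identity manual NAT rules that precede the identity rule for local_obj.
    Section-1 manual NAT is evaluated top-down, so an earlier rule can shadow it."""
    rules = [NAT_RE.match(ln) for ln in config.splitlines() if ln.startswith("nat ")]
    identity_at = next((i for i, m in enumerate(rules)
                        if m and m.group(1) == local_obj == m.group(2)), None)
    if identity_at is None:
        return ["no identity NAT rule found for " + local_obj]
    return [f"line {i + 1}: '{m.group(1)} -> {m.group(2)}' is evaluated before the identity "
            f"rule at line {identity_at + 1}; verify it does not cover the VPN traffic"
            for i, m in enumerate(rules[:identity_at]) if m and m.group(1) != m.group(2)]
```

Run it against a full `packet-tracer` capture and the complete `show run nat` output; an empty list from both functions means the trace reached the crypto map with the original source intact.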