Site to site vpn between ASA 9.9.1 and Bintec router

Hello,

We have a VPN connection between our HQ and one of our branches, which has a Bintec router. Phase 1 and phase 2 are up, but no traffic is being passed.

 

This is the result of debug cry ipsec:

HQ# debug crypto ipsec 255
HQ# IPSEC: Received a PFKey message from IKE
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x6BC9BF90)
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) destroy started, state active
IPSEC: Destroy current outbound SPI: 0x7DD2A486
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) free started, state active
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) state change from active to dead
IPSEC DEBUG: Deleting the outbound encrypt rule for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted outbound encrypt rule, SPI 0x7DD2A486
Rule ID: 0x00007f314aa98ac0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the outbound permit rule for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted outbound permit rule, SPI 0x7DD2A486
Rule ID: 0x00007f314aa99170
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the Outbound VPN context for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_free_sa:10053)
IPSEC: Deleted outbound VPN context, SPI 0x7DD2A486
VPN handle: 0x000000000085546c
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_np_vpn_delete_cb:12591)
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) free completed
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) destroy completed
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) destroy started, state active
IPSEC: Destroy current inbound SPI: 0x6BC9BF90
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) free started, state active
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) state change from active to dead
IPSEC DEBUG: Deleting the inbound decrypt rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound decrypt rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa905a0
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the inbound permit rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound permit rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa9a800
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the inbound tunnel flow rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound tunnel flow rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa02b30
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the Inbound VPN context for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_free_sa:10053)
IPSEC: Deleted inbound VPN context, SPI 0x6BC9BF90
VPN handle: 0x000000000085612c
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_np_vpn_delete_cb:12591)
IPSEC: Removed SA from last received DB, SPI: 0x6BC9BF90, user: 1.1.1.1, peer: 1.1.1.1, SessionID: 0x00027000
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) free completed
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) destroy completed
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007f314aa48160, 
SCB: 0x4A851930, 
Direction: inbound
SPI : 0xA408878F
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey ADD message
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x08054576
IPSEC DEBUG: Outbound SA (SPI 0x08054576) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007f314aa01430, 
SCB: 0x4AA15580, 
Direction: outbound
SPI : 0x08054576
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 172.16.2.0 to remote 192.168.113.0
PROXY MATCH on crypto map outside_map seq 1
IPSEC DEBUG: Using NP outbound permit rule for SPI 0x08054576
IPSEC: Completed host OBSA update, SPI 0x08054576
IPSEC: Creating outbound VPN context, SPI 0x08054576
Flags: 0x00000025
SA : 0x00007f314aa01430
SPI : 0x08054576
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x426E769D
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8216)
IPSEC: Completed outbound VPN context, SPI 0x08054576
VPN handle: 0x00000000008588a4
IPSEC: New outbound encrypt rule, SPI 0x08054576
Src addr: 172.16.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.113.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6773)
IPSEC: Completed outbound encrypt rule, SPI 0x08054576
Rule ID: 0x00007f314aa01c90
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New outbound permit rule, SPI 0x08054576
Src addr: 2.2.2.2
Src mask: 255.255.255.255
Dst addr: 1.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 4500
Lower: 4500
Op : equal
Dst ports
Upper: 40634
Lower: 40634
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6934)
IPSEC: Completed outbound permit rule, SPI 0x08054576
Rule ID: 0x00007f314aaaf4f0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: Increment SA HW ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_obsa:1230)
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey UPDATE message
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0xA408878F
IPSEC: New embryonic SA created @ 0x00007f314aa48160, 
SCB: 0x4A851930, 
Direction: inbound
SPI : 0xA408878F
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 172.16.2.0 to remote 192.168.113.0
PROXY MATCH on crypto map outside_map seq 1
IPSEC DEBUG: Using NP inbound permit rule for SPI 0xA408878F
IPSEC: Completed host IBSA update, SPI 0xA408878F
IPSEC: Creating inbound VPN context, SPI 0xA408878F
Flags: 0x00000026
SA : 0x00007f314aa48160
SPI : 0xA408878F
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x008588A4
SCB : 0x426D6F6F
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8149)
IPSEC: Completed inbound VPN context, SPI 0xA408878F
VPN handle: 0x0000000000044f0c
IPSEC: Updating outbound VPN context 0x008588A4, SPI 0x08054576
Flags: 0x00000025
SA : 0x00007f314aa01430
SPI : 0x08054576
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00044F0C
SCB : 0x426E769D
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_ipsec_update_vpn_context:8345)
IPSEC: Completed outbound VPN context, SPI 0x08054576
VPN handle: 0x00000000008588a4
IPSEC: Completed outbound inner rule, SPI 0x08054576
Rule ID: 0x00007f314aa01c90
IPSEC: Completed outbound outer SPD rule, SPI 0x08054576
Rule ID: 0x00007f314aaaf4f0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: New inbound tunnel flow rule, SPI 0xA408878F
Src addr: 192.168.113.0
Src mask: 255.255.255.0
Dst addr: 172.16.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6339)
IPSEC: Completed inbound tunnel flow rule, SPI 0xA408878F
Rule ID: 0x00007f314aa90e80
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New inbound decrypt rule, SPI 0xA408878F
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 40634
Lower: 40634
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6501)
IPSEC: Completed inbound decrypt rule, SPI 0xA408878F
Rule ID: 0x00007f314aa90f90
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New inbound permit rule, SPI 0xA408878F
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 40634
Lower: 40634
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6501)
IPSEC: Completed inbound permit rule, SPI 0xA408878F
Rule ID: 0x00007f314aaa1d80
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: Increment SA HW ref counter for inbound SPI 0xA408878F, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:805)
IPSEC: Added SA to last received DB, SPI: 0xA408878F, user: 1.1.1.1, peer: 1.1.1.1, SessionID: 0x00028000
IPSEC DEBUG: Inbound SA (SPI 0xA408878F) state change from embryonic to active
IPSEC DEBUG: Outbound SA (SPI 0x08054576) state change from embryonic to active

 

-------------------------

packet tracer results:

packet-tracer input inside icmp 172.16.2.10 0 0 192.168.113.220

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.2 using egress ifc outside

Phase: 2
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:
Static translate 172.16.2.10/0 to 1.1.1.30/0

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4 
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp 
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config: 
Additional Information:

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 10593, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched

------------

Running Config:

sh run nat
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
nat (inside,outside) source static FIREPOWER-INT FIREPOWER-EXT
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup

----------------

I think it's a NAT problem, but I can't fix it.

Accepted solution:

Re: Site to site vpn between ASA 9.9.1 and Bintec router

It seems packets are NATed incorrectly.

You should move the identity NAT for VPN into the first position.

no nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup
nat 1 (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup

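To make the accepted answer concrete, here is an added simulation (my own code, not from the thread or from Cisco) of how the ASA walks its section-1 manual NAT table top-down with the first match winning, and why the crypto map then sees a translated source. It assumes EBOOTIS-INT and EBOOTIS-EXT are the host objects 172.16.2.10 and 1.1.1.30, as the packet-tracer line "Static translate 172.16.2.10/0 to 1.1.1.30/0" implies, and leaves out the FIREPOWER rule whose objects the thread does not show.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class ManualNat:
    """One section-1 line: nat (inside,outside) source static REAL MAPPED [destination static ...]."""
    name: str
    real_src: IPv4Net
    mapped_src: IPv4Net                 # equal to real_src for an identity NAT
    real_dst: Optional[IPv4Net] = None  # None: the rule has no destination clause


# Assumed object contents (hypothetical, inferred from the packet-tracer line
# "Static translate 172.16.2.10/0 to 1.1.1.30/0"); the identity rule is as posted.
EBOOTIS = ManualNat("EBOOTIS-INT -> EBOOTIS-EXT", net("172.16.2.10/32"), net("1.1.1.30/32"))
VPN_IDENTITY = ManualNat("identity NAT for VPN", net("172.16.2.0/24"),
                         net("172.16.2.0/24"), net("192.168.113.0/24"))

# Crypto ACL as shown by 'sh crypto ipsec sa': permit ip 172.16.2.0/24 192.168.113.0/24
CRYPTO_LOCAL, CRYPTO_REMOTE = net("172.16.2.0/24"), net("192.168.113.0/24")

BROKEN_ORDER = [EBOOTIS, VPN_IDENTITY]  # order from the 'sh run nat' in the question
FIXED_ORDER = [VPN_IDENTITY, EBOOTIS]   # after 'nat 1 ...' puts the identity NAT first


def apply_manual_nat(rules: List[ManualNat], src: str, dst: str) -> Tuple[str, str]:
    """Section-1 manual NAT is evaluated top-down and the first match wins.
    Returns (name of the matching rule, source address after translation)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s not in r.real_src or (r.real_dst is not None and d not in r.real_dst):
            continue
        if r.mapped_src == r.real_src:  # identity NAT: packet leaves untouched
            return r.name, src
        offset = int(s) - int(r.real_src.network_address)  # static: keep the host offset
        return r.name, str(ipaddress.ip_address(int(r.mapped_src.network_address) + offset))
    return "no section-1 match", src


def crypto_map_matches(src: str, dst: str) -> bool:
    """The crypto map is consulted after NAT, so the translated packet must still fit the ACL."""
    return ipaddress.ip_address(src) in CRYPTO_LOCAL and ipaddress.ip_address(dst) in CRYPTO_REMOTE


def trace(rules: List[ManualNat], src: str, dst: str) -> Tuple[str, str, bool]:
    """(rule that matched, source seen by the crypto map, does the packet enter the tunnel?)"""
    rule, translated = apply_manual_nat(rules, src, dst)
    return rule, translated, crypto_map_matches(translated, dst)


if __name__ == "__main__":
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(label, trace(order, "172.16.2.10", "192.168.113.220"))
    # the host's public mapping still applies to non-VPN destinations after the fix
    print("fixed, internet-bound", trace(FIXED_ORDER, "172.16.2.10", "203.0.113.5"))
```

Note that in the broken order only hosts covered by an earlier static rule lose the tunnel; a host such as 172.16.2.50 that no earlier rule matches still reaches the identity NAT, which is why a partial failure is the usual symptom.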


Re: Site to site vpn between ASA 9.9.1 and Bintec router

Hello Bogdan,

Thanks for the prompt reply.

I have tried to move the identity NAT for VPN into the first position.


nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp

But unfortunately the problem still exists.



Re: Site to site vpn between ASA 9.9.1 and Bintec router

Hi Maher,

When you say you tried, does that mean that the identity NAT is the first now?

You can confirm with show runn nat.

Is the packet tracer still indicating a NAT translation to 1.1.1.30?


Re: Site to site vpn between ASA 9.9.1 and Bintec router

Hi again,

Yes, of course.

 

Here it is:

sh run nat
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
nat (inside,outside) source static FIREPOWER-INT FIREPOWER-EXT
!
nat (inside,outside) after-auto source dynamic any interface


Re: Site to site vpn between ASA 9.9.1 and Bintec router

NAT looks good now.

Can you run the packet tracer one more time and post the output?

packet-tracer input inside icmp 172.16.2.10 8 0 192.168.113.220


Re: Site to site vpn between ASA 9.9.1 and Bintec router

Seems better now.

 

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.113.220/0 to 192.168.113.220/0

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
Additional Information:
Static translate 172.16.2.10/0 to 172.16.2.10/0

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11493, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow


Re: Site to site vpn between ASA 9.9.1 and Bintec router

Yes, packet-tracer indicates that the packets are being sent over the VPN tunnel.

You should be able to see encrypted packets now, when running sh crypto ipsec sa.


Re: Site to site vpn between ASA 9.9.1 and Bintec router

That's right!

sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

access-list outside_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.113.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 450, #pkts encrypt: 450, #pkts digest: 450
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 450, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/40634
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 4A942B97
current inbound spi : 15A679D3

inbound esp sas:
spi: 0x15A679D3 (363231699)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 44, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4193280/24679)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x4A942B97 (1251224471)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 44, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4147177/24679)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

But I still can't access the remote network, nor can the remote access our local network.

Do you think a restart is needed?


Re: Site to site vpn between ASA 9.9.1 and Bintec router

I noticed this:

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

 

Now this means the issue is on the Bintec.

 


Re: Site to site vpn between ASA 9.9.1 and Bintec router

Correct, the output you posted indicates the issue is now on the Bintec.

Considering the VPN tunnel is functional, the problem is usually with the routing or NAT config.
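As an added example (not part of the thread), this small parser pulls the counters out of sh crypto ipsec sa text in the format posted above and applies the same check Bogdan made: encaps climbing while decaps stays at zero means the ASA is encrypting but nothing comes back, so the next place to look is the peer's routing and NAT. The sample text is constructed from the values in the thread and the function names are mine.

```python
import re
from typing import Dict

# Constructed sample, modelled on the 'sh crypto ipsec sa' output posted in the thread.
SAMPLE_SA = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 450, #pkts encrypt: 450, #pkts digest: 450
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Each counter is written as "#name: value", several per line, comma separated.
COUNTER_RE = re.compile(r"#([^:#]+): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")


def parse_sa(text: str) -> Dict[str, object]:
    """Extract the per-SA packet counters plus the peer and the proxy identities."""
    info: Dict[str, object] = {
        "counters": {k.strip(): int(v) for k, v in COUNTER_RE.findall(text)},
    }
    m = PEER_RE.search(text)
    info["peer"] = m.group(1) if m else None
    for side, addr, mask in IDENT_RE.findall(text):
        info[f"{side}_ident"] = f"{addr}/{mask}"
    return info


def diagnose(info: Dict[str, object]) -> str:
    """Judge the traffic direction from encaps (sent into the tunnel) vs decaps (received)."""
    c = info["counters"]
    enc, dec = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if enc and dec:
        return "bidirectional: packets are encrypted and decrypted"
    if enc and not dec:
        return "one-way: ASA encrypts but receives nothing back from the peer"
    if dec and not enc:
        return "one-way: peer sends but the ASA never encrypts a reply"
    return "idle: no traffic in either direction"


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA)
    print(sa["peer"], sa["local_ident"], "->", sa["remote_ident"])
    print(diagnose(sa))
```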


Re: Site to site vpn between ASA 9.9.1 and Bintec router

Hi Bogdan,

Thanks a lot for your help!

Best Regards,

Maher