12-12-2017 02:41 AM - edited 03-12-2019 04:49 AM
Hello,
We have a VPN connection between our HQ and one of our branches, which has a Bintec router. Phase 1 and phase 2 are up, but no traffic is being passed.
This is the result of debug cry ipsec:
HQ# debug crypto ipsec 255
HQ# IPSEC: Received a PFKey message from IKE
IPSEC DEBUG: Received a DELETE PFKey message from IKE for an inbound SA (SPI 0x6BC9BF90)
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) destroy started, state active
IPSEC: Destroy current outbound SPI: 0x7DD2A486
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) free started, state active
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) state change from active to dead
IPSEC DEBUG: Deleting the outbound encrypt rule for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted outbound encrypt rule, SPI 0x7DD2A486
Rule ID: 0x00007f314aa98ac0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the outbound permit rule for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted outbound permit rule, SPI 0x7DD2A486
Rule ID: 0x00007f314aa99170
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the Outbound VPN context for SPI 0x7DD2A486
IPSEC: Increment SA NP ref counter for outbound SPI 0x7DD2A486, old value: 0, new value: 1, (ctm_ipsec_free_sa:10053)
IPSEC: Deleted outbound VPN context, SPI 0x7DD2A486
VPN handle: 0x000000000085546c
IPSEC: Decrement SA NP ref counter for outbound SPI 0x7DD2A486, old value: 1, new value: 0, (ctm_np_vpn_delete_cb:12591)
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) free completed
IPSEC DEBUG: Outbound SA (SPI 0x7DD2A486) destroy completed
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) destroy started, state active
IPSEC: Destroy current inbound SPI: 0x6BC9BF90
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) free started, state active
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) state change from active to dead
IPSEC DEBUG: Deleting the inbound decrypt rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound decrypt rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa905a0
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the inbound permit rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound permit rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa9a800
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the inbound tunnel flow rule for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_delete_acl_entry:7580)
IPSEC: Deleted inbound tunnel flow rule, SPI 0x6BC9BF90
Rule ID: 0x00007f314aa02b30
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_ipsec_delete_acl_cb:5843)
IPSEC DEBUG: Deleting the Inbound VPN context for SPI 0x6BC9BF90
IPSEC: Increment SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 0, new value: 1, (ctm_ipsec_free_sa:10053)
IPSEC: Deleted inbound VPN context, SPI 0x6BC9BF90
VPN handle: 0x000000000085612c
IPSEC: Decrement SA NP ref counter for inbound SPI 0x6BC9BF90, old value: 1, new value: 0, (ctm_np_vpn_delete_cb:12591)
IPSEC: Removed SA from last received DB, SPI: 0x6BC9BF90, user: 1.1.1.1, peer: 1.1.1.1, SessionID: 0x00027000
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) free completed
IPSEC DEBUG: Inbound SA (SPI 0x6BC9BF90) destroy completed
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey GETSPI message
IPSEC: Creating IPsec SA
IPSEC: Getting the inbound SPI
IPSEC DEBUG: Inbound SA (SPI 0x00000000) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007f314aa48160,
SCB: 0x4A851930,
Direction: inbound
SPI : 0xA408878F
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey ADD message
IPSEC: Creating IPsec SA
IPSEC: Adding the outbound SA, SPI: 0x08054576
IPSEC DEBUG: Outbound SA (SPI 0x08054576) state change from inactive to embryonic
IPSEC: New embryonic SA created @ 0x00007f314aa01430,
SCB: 0x4AA15580,
Direction: outbound
SPI : 0x08054576
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 172.16.2.0 to remote 192.168.113.0
PROXY MATCH on crypto map outside_map seq 1
IPSEC DEBUG: Using NP outbound permit rule for SPI 0x08054576
IPSEC: Completed host OBSA update, SPI 0x08054576
IPSEC: Creating outbound VPN context, SPI 0x08054576
Flags: 0x00000025
SA : 0x00007f314aa01430
SPI : 0x08054576
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00000000
SCB : 0x426E769D
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8216)
IPSEC: Completed outbound VPN context, SPI 0x08054576
VPN handle: 0x00000000008588a4
IPSEC: New outbound encrypt rule, SPI 0x08054576
Src addr: 172.16.2.0
Src mask: 255.255.255.0
Dst addr: 192.168.113.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6773)
IPSEC: Completed outbound encrypt rule, SPI 0x08054576
Rule ID: 0x00007f314aa01c90
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New outbound permit rule, SPI 0x08054576
Src addr: 2.2.2.2
Src mask: 255.255.255.255
Dst addr: 1.1.1.1
Dst mask: 255.255.255.255
Src ports
Upper: 4500
Lower: 4500
Op : equal
Dst ports
Upper: 40634
Lower: 40634
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6934)
IPSEC: Completed outbound permit rule, SPI 0x08054576
Rule ID: 0x00007f314aaaf4f0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: Increment SA HW ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_obsa:1230)
IPSEC: Received a PFKey message from IKE
IPSEC: Parsing PFKey UPDATE message
IPSEC: Creating IPsec SA
IPSEC: Updating the inbound SA, SPI: 0xA408878F
IPSEC: New embryonic SA created @ 0x00007f314aa48160,
SCB: 0x4A851930,
Direction: inbound
SPI : 0xA408878F
Session ID: 0x00028000
VPIF num : 0x00000002
Tunnel type: l2l
Protocol : esp
Lifetime : 240 seconds
Rule Lookup for local 172.16.2.0 to remote 192.168.113.0
PROXY MATCH on crypto map outside_map seq 1
IPSEC DEBUG: Using NP inbound permit rule for SPI 0xA408878F
IPSEC: Completed host IBSA update, SPI 0xA408878F
IPSEC: Creating inbound VPN context, SPI 0xA408878F
Flags: 0x00000026
SA : 0x00007f314aa48160
SPI : 0xA408878F
MTU : 0 bytes
VCID : 0x00000000
Peer : 0x008588A4
SCB : 0x426D6F6F
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 0, new value: 1, (ctm_ipsec_create_vpn_context:8149)
IPSEC: Completed inbound VPN context, SPI 0xA408878F
VPN handle: 0x0000000000044f0c
IPSEC: Updating outbound VPN context 0x008588A4, SPI 0x08054576
Flags: 0x00000025
SA : 0x00007f314aa01430
SPI : 0x08054576
MTU : 1500 bytes
VCID : 0x00000000
Peer : 0x00044F0C
SCB : 0x426E769D
Channel: 0x00007f3139ba14c0
IPSEC: Increment SA NP ref counter for outbound SPI 0x08054576, old value: 0, new value: 1, (ctm_ipsec_update_vpn_context:8345)
IPSEC: Completed outbound VPN context, SPI 0x08054576
VPN handle: 0x00000000008588a4
IPSEC: Completed outbound inner rule, SPI 0x08054576
Rule ID: 0x00007f314aa01c90
IPSEC: Completed outbound outer SPD rule, SPI 0x08054576
Rule ID: 0x00007f314aaaf4f0
IPSEC: Decrement SA NP ref counter for outbound SPI 0x08054576, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: New inbound tunnel flow rule, SPI 0xA408878F
Src addr: 192.168.113.0
Src mask: 255.255.255.0
Dst addr: 172.16.2.0
Dst mask: 255.255.255.0
Src ports
Upper: 0
Lower: 0
Op : ignore
Dst ports
Upper: 0
Lower: 0
Op : ignore
Protocol: 0
Use protocol: false
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6339)
IPSEC: Completed inbound tunnel flow rule, SPI 0xA408878F
Rule ID: 0x00007f314aa90e80
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New inbound decrypt rule, SPI 0xA408878F
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 40634
Lower: 40634
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6501)
IPSEC: Completed inbound decrypt rule, SPI 0xA408878F
Rule ID: 0x00007f314aa90f90
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: New inbound permit rule, SPI 0xA408878F
Src addr: 1.1.1.1
Src mask: 255.255.255.255
Dst addr: 2.2.2.2
Dst mask: 255.255.255.255
Src ports
Upper: 40634
Lower: 40634
Op : equal
Dst ports
Upper: 4500
Lower: 4500
Op : equal
Protocol: 17
Use protocol: true
SPI: 0x00000000
Use SPI: false
IPSEC: Increment SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 2, (ctm_ipsec_create_acl_entry:6501)
IPSEC: Completed inbound permit rule, SPI 0xA408878F
Rule ID: 0x00007f314aaa1d80
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 2, new value: 1, (ctm_ipsec_create_acl_cb:5723)
IPSEC: Decrement SA NP ref counter for inbound SPI 0xA408878F, old value: 1, new value: 0, (ctm_np_vpn_context_cb:12531)
IPSEC: Increment SA HW ref counter for inbound SPI 0xA408878F, old value: 0, new value: 1, (ctm_nlite_ipsec_create_hw_ibsa:805)
IPSEC: Added SA to last received DB, SPI: 0xA408878F, user: 1.1.1.1, peer: 1.1.1.1, SessionID: 0x00028000
IPSEC DEBUG: Inbound SA (SPI 0xA408878F) state change from embryonic to active
IPSEC DEBUG: Outbound SA (SPI 0x08054576) state change from embryonic to active
-------------------------
packet tracer results:
packet-tracer input inside icmp 172.16.2.10 0 0 192.168.113.220
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 1.1.1.2 using egress ifc outside
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:
Static translate 172.16.2.10/0 to 1.1.1.30/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10593, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (inspect-icmp-seq-num-not-matched) ICMP Inspect seq num not matched
------------
Running Config:
sh run nat
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
nat (inside,outside) source static FIREPOWER-INT FIREPOWER-EXT
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup
----------------
I think it's a nat problem but I can't fix it.
12-12-2017 03:09 AM
It seems packets are NATed incorrectly.
You should move the identity NAT for VPN into the first position.
no nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup
nat 1 (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp route-lookup
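The reason the order matters is that ASA manual (section 1) NAT rules are evaluated top-down, first match wins, and the crypto map ACL is checked against the packet after NAT. The following is an added example, not code from the thread or from Cisco: a small Python model of that evaluation. It assumes that the EBOOTIS-INT object is the host 172.16.2.10 mapped to 1.1.1.30 (as the packet-tracer output in the question shows) and uses placeholder hosts for the FIREPOWER objects.

```python
import ipaddress

# Assumed object contents (not on the page except as packet-tracer results):
# EBOOTIS-INT = 172.16.2.10 -> EBOOTIS-EXT = 1.1.1.30; FIREPOWER hosts are placeholders.
CRYPTO_ACL = (ipaddress.ip_network("172.16.2.0/24"),
              ipaddress.ip_network("192.168.113.0/24"))


class StaticNatRule:
    """One 'nat (inside,outside) source static ... [destination static ...]' line."""

    def __init__(self, name, src_real, src_mapped, dst_real=None, dst_mapped=None):
        self.name = name
        self.src_real = ipaddress.ip_network(src_real)
        self.src_mapped = ipaddress.ip_network(src_mapped)
        self.dst_real = ipaddress.ip_network(dst_real) if dst_real else None
        self.dst_mapped = ipaddress.ip_network(dst_mapped) if dst_mapped else None

    def matches(self, src, dst):
        # A rule without a destination clause matches any destination.
        if src not in self.src_real:
            return False
        return self.dst_real is None or dst in self.dst_real

    @staticmethod
    def _map(addr, real, mapped):
        # Static one-to-one: keep the host offset inside the mapped network.
        offset = int(addr) - int(real.network_address)
        return ipaddress.ip_address(int(mapped.network_address) + offset)

    def translate(self, src, dst):
        new_src = self._map(src, self.src_real, self.src_mapped)
        new_dst = dst if self.dst_real is None else self._map(dst, self.dst_real, self.dst_mapped)
        return new_src, new_dst


def apply_nat(rules, src, dst):
    """First matching rule wins; returns (rule name, translated src, translated dst)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(src, dst):
            new_src, new_dst = rule.translate(src, dst)
            return rule.name, str(new_src), str(new_dst)
    return None, str(src), str(dst)


def matches_crypto_acl(src, dst):
    """The crypto map ACL (outside_cryptomap) is evaluated on the post-NAT packet."""
    local, remote = CRYPTO_ACL
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


IDENTITY_VPN = StaticNatRule("identity-vpn", "172.16.2.0/24", "172.16.2.0/24",
                             "192.168.113.0/24", "192.168.113.0/24")
EBOOTIS = StaticNatRule("EBOOTIS", "172.16.2.10/32", "1.1.1.30/32")      # assumed objects
FIREPOWER = StaticNatRule("FIREPOWER", "172.16.2.11/32", "1.1.1.31/32")  # placeholder

ORIGINAL_ORDER = [EBOOTIS, FIREPOWER, IDENTITY_VPN]  # as in the first 'sh run nat'
FIXED_ORDER = [IDENTITY_VPN, EBOOTIS, FIREPOWER]     # identity NAT moved to position 1


def vpn_eligible(rules, src="172.16.2.10", dst="192.168.113.220"):
    """Which rule fires, what the source becomes, and whether the crypto ACL still matches."""
    name, new_src, new_dst = apply_nat(rules, src, dst)
    return name, new_src, matches_crypto_acl(new_src, new_dst)


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_ORDER), ("fixed", FIXED_ORDER)):
        print(label, vpn_eligible(rules))
```

With the original order the EBOOTIS rule, which has no destination clause, catches the host first and rewrites the source to 1.1.1.30, so the packet no longer matches the 172.16.2.0/24 to 192.168.113.0/24 crypto ACL and is sent out unencrypted. With the identity NAT in position 1, only traffic destined for 192.168.113.0/24 is diverted to it; the same host going to any other destination still hits the EBOOTIS translation.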
12-12-2017 03:33 AM
Hello Bogdan,
Thanks for the prompt reply.
I have tried to move the identity NAT for VPN into the first position.
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
But unfortunately the problem still exists.
12-12-2017 03:40 AM
Hi Maher,
When you say you tried, does that mean that the identity NAT is the first now?
You can confirm with show runn nat.
Is the packet tracer still indicating a NAT translation to 1.1.1.30?
12-12-2017 03:53 AM
Hi again,
Yes, of course.
Here it is:
sh run nat
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
nat (inside,outside) source static EBOOTIS-INT EBOOTIS-EXT
nat (inside,outside) source static FIREPOWER-INT FIREPOWER-EXT
!
nat (inside,outside) after-auto source dynamic any interface
12-12-2017 03:57 AM
NAT looks good now.
Can you run the packet tracer one more time and post the output?
packet-tracer input inside icmp 172.16.2.10 8 0 192.168.113.220
12-12-2017 04:02 AM
Seems better now:
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.113.220/0 to 192.168.113.220/0
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
Additional Information:
Static translate 172.16.2.10/0 to 172.16.2.10/0
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_172.16.2.0_24 NETWORK_OBJ_172.16.2.0_24 destination static NETWORK_OBJ_192.168.113.0_24 NETWORK_OBJ_192.168.113.0_24 no-proxy-arp
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 11493, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
12-12-2017 04:29 AM
Yes, packet-tracer indicates that the packets are being sent over the VPN tunnel.
You should be able to see encrypted packets now, when running sh crypto ipsec sa.
12-12-2017 04:39 AM - edited 12-12-2017 04:59 AM
That's right!
sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list outside_cryptomap extended permit ip 172.16.2.0 255.255.255.0 192.168.113.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.113.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 450, #pkts encrypt: 450, #pkts digest: 450
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 450, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/40634
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 4A942B97
current inbound spi : 15A679D3
inbound esp sas:
spi: 0x15A679D3 (363231699)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 44, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4193280/24679)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x4A942B97 (1251224471)
SA State: active
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 44, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4147177/24679)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
But I still can't access the remote network, nor can the remote side access our local network.
Do you think a restart is needed?
12-12-2017 04:41 AM - edited 12-12-2017 06:27 AM
I noticed this:
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Now this means the issue is on the Bintec.
12-12-2017 05:59 AM
Correct, the output you posted indicates the issue is now on the Bintec.
Considering the VPN tunnel is functional, the problem is usually with the routing or NAT config.
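The diagnosis above rests on one pair of counters: encaps is climbing while decaps stays at zero, so the ASA is encrypting and sending, but nothing is coming back through the tunnel. As an added example (not from the thread or from Cisco), here is a small Python helper that pulls those counters out of `sh crypto ipsec sa` output and classifies the SA the same way; the sample text is constructed from the counter lines posted in the thread.

```python
import re

# Constructed sample, built from the counter lines posted in the thread.
SAMPLE_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
current_peer: 2.2.2.2
#pkts encaps: 450, #pkts encrypt: 450, #pkts digest: 450
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Only the counters that matter for a one-way-traffic diagnosis.
COUNTER_RE = re.compile(
    r"#(pkts (?:encaps|decaps|encrypt|decrypt|digest|verify)|send errors|recv errors): (\d+)"
)


def parse_counters(text):
    """Map counter name (without the leading '#') to its integer value."""
    return {key: int(value) for key, value in COUNTER_RE.findall(text)}


def diagnose(counters):
    """Classify an SA from its encaps/decaps counters and error counts."""
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    if counters.get("send errors", 0) or counters.get("recv errors", 0):
        return "errors"                  # ESP send/receive failures: check for fragmentation or a bad SA
    if enc and not dec:
        return "one-way-outbound"        # we encrypt, nothing returns: look at the remote peer's routing/NAT
    if dec and not enc:
        return "one-way-inbound"         # remote traffic arrives, our replies never enter the tunnel: local routing/NAT
    if not enc and not dec:
        return "no-interesting-traffic"  # SA is up but nothing matched the crypto ACL yet
    return "bidirectional"


if __name__ == "__main__":
    c = parse_counters(SAMPLE_OUTPUT)
    print(c, "->", diagnose(c))
```

For the thread's numbers this returns one-way-outbound, which is exactly the situation Maher noticed: the ASA side is doing its job, and the next place to look is the Bintec's routing and NAT for the 172.16.2.0/24 network.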