07-10-2021 04:13 PM - edited 07-10-2021 04:22 PM
We have a tunnel going towards AWS.
The hosts on the AWS side are not pinging.
The Tx counter keeps increasing but the Rx is 0.
show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : ************
Index : 1077 IP Addr : ************
Protocol : IKEv1 IPsecOverNatT
Encryption : IKEv1: (1)AES128 IPsecOverNatT: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1
Bytes Tx : 13992 Bytes Rx : 0
Login Time : 00:04:58 UTC Sun Jul 11 2021
Duration : 0h:33m:58s
No change was made to the ASA side as per my knowledge. What might be the issue here?
Thanks in advance.
07-10-2021 04:23 PM
Where is this output from? RX end means the decryptor is not working. Try to reset the tunnel and check (as you mentioned it was working, no change done).
07-10-2021 04:25 PM - edited 07-10-2021 04:26 PM
The output is taken from the ASA 5508 running 9.14(2)15. I tried to reset the tunnel using clear ipsec peer sa xxxxx. But it did not work.
Regards
07-11-2021 12:24 AM
Have you done reset initiation on both sides? When you reset the tunnel, what were the logs?
Enable debug and post the output (initiating the traffic from the allowed ACL list IP).
07-11-2021 11:23 AM
If you have 2 IPsec SAs (inbound and outbound) and the encaps (Tx) are increasing but no decaps (Rx), then it's possible the far end is either not routing the return traffic over the VPN or the traffic is being NATed unintentionally.
Check the AWS configuration, confirm routing, NAT etc., and provide output for review.
From the ASA provide the output of "show crypto ipsec sa".
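The one-way-traffic check the two answers describe (Tx/encaps rising, Rx/decaps stuck at zero) is easy to automate across many tunnels. The script below is an added example, not code posted by anyone in this thread and not a Cisco tool; it parses the counter lines from `show vpn-sessiondb l2l` and `show crypto ipsec sa` output and flags each session or SA as healthy, one-way (far end not returning traffic over the VPN, e.g. missing return route or unintended NAT), or idle. The sample text inside it is constructed to mimic ASA output, not captured from a real device.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the thread's "show vpn-sessiondb l2l" output.
SAMPLE_SESSIONDB = """\
Session Type: LAN-to-LAN
Connection : aws-tunnel
Index : 1077 IP Addr : 198.51.100.10
Protocol : IKEv1 IPsecOverNatT
Bytes Tx : 13992 Bytes Rx : 0
"""

# Constructed sample, modelled on the counter lines of "show crypto ipsec sa".
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.10
      #pkts encaps: 420, #pkts encrypt: 420, #pkts digest: 420
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.1
      current_peer: 198.51.100.20
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
"""


@dataclass
class Counters:
    name: str
    tx: int
    rx: int

    def verdict(self) -> str:
        """Classify the direction of traffic seen on this tunnel."""
        if self.tx == 0 and self.rx == 0:
            return "idle"                 # nothing sent either way
        if self.tx > 0 and self.rx == 0:
            return "one-way"              # we encrypt, peer never answers over VPN
        if self.tx == 0 and self.rx > 0:
            return "one-way-inbound"      # peer sends, we never return traffic
        return "healthy"


def parse_sessiondb(text: str) -> list[Counters]:
    """Extract Bytes Tx/Rx per L2L session from 'show vpn-sessiondb l2l'."""
    sessions = []
    name = "unknown"
    for line in text.splitlines():
        m = re.match(r"\s*Connection\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
        m = re.match(r"\s*Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)", line)
        if m:
            sessions.append(Counters(name, int(m.group(1)), int(m.group(2))))
    return sessions


def parse_ipsec_sa(text: str) -> list[Counters]:
    """Extract #pkts encaps/decaps per crypto-map entry from 'show crypto ipsec sa'."""
    sas = []
    peer, encaps = "unknown", None
    for line in text.splitlines():
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
        m = re.search(r"#pkts encaps:\s*(\d+)", line)
        if m:
            encaps = int(m.group(1))
        m = re.search(r"#pkts decaps:\s*(\d+)", line)
        if m and encaps is not None:
            sas.append(Counters(peer, encaps, int(m.group(1))))
            encaps = None
    return sas


def report(counters: list[Counters]) -> dict[str, str]:
    """Map each tunnel name/peer to its verdict."""
    return {c.name: c.verdict() for c in counters}


if __name__ == "__main__":
    for label, result in (("sessiondb", report(parse_sessiondb(SAMPLE_SESSIONDB))),
                          ("ipsec sa", report(parse_ipsec_sa(SAMPLE_IPSEC_SA)))):
        for name, verdict in result.items():
            print(f"{label}: {name}: {verdict}")
```

A "one-way" verdict on its own does not say which side is at fault; it tells you the ASA is encrypting and sending, so the next step is exactly what the answer above suggests: check the peer's return route and NAT rules before touching the ASA.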