cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3767
Views
0
Helpful
2
Replies

Site-to-site VPN not working tunnel is up but no decaps

G4stechno
Level 1
Level 1

Hi,

I've created a site to site VPN from Cisco ASA (ios version 9.0.2) to a Juniper firewall.

The tunnel is showing as up in the ASDM but I cant ping anything on the local network from the remote site.

10.50.0.0/22(local LAN) ==>internet <==10.234.0.0/22 (Remote LAN)

I did some troubelshooting and here are the results

Result of the command: "show crypto isakmp sa"

IKEv1 SAs:

   Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 89.xxx.xxx.155

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Result of the command: "show crypto ipsec sa"

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 200.xxx.xxx.212

      access-list outside_cryptomap extended permit ip 10.50.0.0 255.255.252.0 10.234.0.0 255.255.252.0

      local ident (addr/mask/prot/port): (10.50.0.0/255.255.252.0/0/0)

      remote ident (addr/mask/prot/port): (10.234.0.0/255.255.252.0/0/0)

      current_peer: 89.xxx.xxx.155

      #pkts encaps: 148, #pkts encrypt: 148, #pkts digest: 148

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 148, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 200.xxx.xxx.212/0, remote crypto endpt.: 89.xxx.xxx.155/0

      path mtu 1500, ipsec overhead 74(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: FCCEF723

      current inbound spi : 4871A247

    inbound esp sas:

      spi: 0x4871A247 (1215406663)

         transform: esp-aes esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }

         slot: 0, conn_id: 28672, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 2784

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xFCCEF723 (4241422115)

         transform: esp-aes esp-md5-hmac no compression

         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }

         slot: 0, conn_id: 28672, crypto-map: outside_map

         sa timing: remaining key lifetime (sec): 2784

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

Result of the command: "show run crypto"

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 89.xxx.xxx.155

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto ca trustpool policy

crypto isakmp nat-traversal 30

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev1 enable outside

crypto ikev1 policy 1

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto ikev1 policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 30

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto ikev1 policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto ikev1 policy 70

authentication crack

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 110

authentication rsa-sig

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 150

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

Result of the command: "show run nat"

nat (inside,outside) source static NETWORK_OBJ_10.50.0.0_22 NETWORK_OBJ_10.50.0.0_22 destination static NETWORK_OBJ_10.234.0.0_22 NETWORK_OBJ_10.234.0.0_22 no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic Sao_Palo_LAN interface

Result of the command: "show run object network"

object network LAN

subnet 172.18.1.0 255.255.255.0

description Rede de Araras

object network ALGAR_IP

host 189.39.10.100

description IP da Algar

object network Sao_Palo_LAN

subnet 10.50.0.0 255.255.252.0

object network Tewkesbury_LAN

subnet 10.234.0.0 255.255.252.0

description Tewkesbury LAN

object network Tewkesbury_Public

host 89.xxx.xxx.155

object network Faebook1

subnet 173.252.64.0 255.255.192.0

object network Faebook2

subnet 204.15.20.0 255.255.252.0

object network Faebook3

subnet 66.220.144.0 255.255.240.0

object network Faebook4

subnet 69.171.224.0 255.255.224.0

object network Faebook5

subnet 69.63.176.0 255.255.240.0

object network Faebook6

subnet 74.119.76.0 255.255.252.0

object network NETWORK_OBJ_10.50.0.0_22

subnet 10.50.0.0 255.255.252.0

object network NETWORK_OBJ_10.234.0.0_22

subnet 10.234.0.0 255.255.252.0

2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

From the fact that there are IPSec SAs it would indicate that the crypto negotiation was successful. It shows that you are sending traffic over the tunnel but not receiving traffic. I would suggest checking on the Juniper for possible mismatches. I would check in particular that their traffic selector matches your crypto access list and check that they are not translating the traffic that will come over the VPN tunnel.

HTH

Rick

HTH

Rick

sahseth
Level 1
Level 1

Hello,

Please share Isakmp and IPSEC Debug logs, Also check  reverse route from receiver endpoint that its sending reply packets on  same interface from where its receiving.

Thanks,

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: