Hi, I have set up a Site-to-Site VPN between an ASA and a Cisco router (UC520). The tunnel is up, but no traffic is coming through, although on the ASA I'm seeing the counters for TX and RX increasing. While troubleshooting, I found that the router has only pkts encaps but pkts decaps is 0. Does anyone have an idea about what could be happening? Both phase 1 and 2 complete without any problems on the ASA and router. See below the sh crypto ipsec sa from the router and ASA. Thanks, David.
IOS version on router: 15.1(4)M5
IOS version on ASA: 9.1(3)
router#sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: VPN-Tunnel, local addr 50.192.xyz.xyz
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
current_peer 50.73.xyz.xyz port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 50.192.xyz.xyz, remote crypto endpt.: 50.73.xyz.xyz
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x47161D35(1192631605)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000046, crypto map: VPN-Tunnel
sa timing: remaining key lifetime (k/sec): (4493483/1797)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6C62501D(1818382365)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000046, crypto map: VPN-Tunnel
sa timing: remaining key lifetime (k/sec): (4493482/1797)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
asa#sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 50.73.xyz.xyz
access-list outside_cryptomap_1 extended permit ip 192.168.15.0 255.255.255.0 192.168.254.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
current_peer: 50.192.xyz.xyz
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 50.73.xyz.xyz/0, remote crypto endpt.: 50.192.xyz.xyz/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 47161D35
current inbound spi : 6C62501D
inbound esp sas:
spi: 0x6C62501D (1818382365)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 61440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/1857)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000000FF
outbound esp sas:
spi: 0x47161D35 (1192631605)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 61440, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/1857)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
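As an added example (not part of the original post), a short Python script that cross-checks the two `sh crypto ipsec sa` outputs above: it verifies that each peer's outbound ESP SPI equals the other peer's inbound SPI, then flags any direction where one side encapsulates packets but the other never decapsulates one. The function names are hypothetical, the embedded text is an excerpt of the output quoted in the post, and the parser assumes a single SA pair per output.

```python
import re

# Excerpts (counters and ESP SPIs only) of the two outputs quoted in the post.
ROUTER = """\
#pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0x47161D35(1192631605)
inbound ah sas:
outbound esp sas:
spi: 0x6C62501D(1818382365)
"""
ASA = """\
#pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
inbound esp sas:
spi: 0x6C62501D (1818382365)
outbound esp sas:
spi: 0x47161D35 (1192631605)
"""

def parse_sa(text):
    """Return encaps/decaps counters and the ESP SPI for each direction."""
    sa = {"encaps": 0, "decaps": 0, "inbound_spi": None, "outbound_spi": None}
    section = None  # "inbound"/"outbound" while inside an ESP SA block
    for line in map(str.strip, text.splitlines()):
        for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", line):
            sa[name] = int(value)
        header = re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line)
        if header:
            # Only ESP blocks are tracked; AH/PCP headers end the ESP block.
            section = header.group(1) if header.group(2) == "esp" else None
            continue
        spi = re.match(r"spi: 0x([0-9A-Fa-f]+)", line)
        if spi and section:
            sa[f"{section}_spi"] = int(spi.group(1), 16)
    return sa

def cross_check(peers):
    """peers: {name: parsed SA} for the two tunnel ends; returns findings."""
    (name_a, a), (name_b, b) = peers.items()
    findings = []
    for tx_name, tx, rx_name, rx in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if tx["outbound_spi"] != rx["inbound_spi"]:
            findings.append(f"{tx_name}->{rx_name}: SPI mismatch")
        elif tx["encaps"] > 0 and rx["decaps"] == 0:
            findings.append(f"{tx_name}->{rx_name}: {tx['encaps']} encaps, 0 decaps")
    return findings

if __name__ == "__main__":
    for finding in cross_check({"router": parse_sa(ROUTER), "asa": parse_sa(ASA)}):
        print(finding)
```

On these excerpts the SPIs pair up in both directions and only the asa->router direction is flagged, which matches the symptom described in the post.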