Site-to-Site VPN Up but no traffic passing through

David Garcia
Level 1

Hi, I have set up a Site-to-Site VPN between an ASA and a Cisco router (UC520). The tunnel is up, but no traffic is coming through, although on the ASA I'm seeing the counters for TX and RX increasing. While troubleshooting, I found that the router has only pkts encaps, but pkts decaps is 0. Does anyone have an idea about what could be happening? Both phase 1 and 2 complete without any problems on the ASA and router. See below the sh crypto ipsec sa from router and ASA. Thanks, David.

IOS version on router: 15.1(4)M5

IOS version on ASA: 9.1(3)

router#sh crypto ipsec sa

interface: FastEthernet0/0

    Crypto map tag: VPN-Tunnel, local addr 50.192.xyz.xyz

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)

   current_peer 50.73.xyz.xyz port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398

   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 1, #recv errors 0

     local crypto endpt.: 50.192.xyz.xyz, remote crypto endpt.: 50.73.xyz.xyz

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x47161D35(1192631605)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000046, crypto map: VPN-Tunnel

        sa timing: remaining key lifetime (k/sec): (4493483/1797)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

    

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x6C62501D(1818382365)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000046, crypto map: VPN-Tunnel

        sa timing: remaining key lifetime (k/sec): (4493482/1797)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

asa#sh crypto ipsec sa

interface: outside

    Crypto map tag: outside_map, seq num: 2, local addr: 50.73.xyz.xyz

      access-list outside_cryptomap_1 extended permit ip 192.168.15.0 255.255.255.0 192.168.254.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)

      current_peer: 50.192.xyz.xyz

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7

     #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 50.73.xyz.xyz/0, remote crypto endpt.: 50.192.xyz.xyz/0

      path mtu 1500, ipsec overhead 74(44), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 47161D35

      current inbound spi : 6C62501D

    inbound esp sas:

      spi: 0x6C62501D (1818382365)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 61440, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914999/1857)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x000000FF

    outbound esp sas:

      spi: 0x47161D35 (1192631605)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel, IKEv1, }

         slot: 0, conn_id: 61440, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (3914999/1857)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001
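
The counter comparison described in the post, as an added example that is not part of the original post: it parses excerpts of the two `sh crypto ipsec sa` outputs above, checks that each peer's outbound ESP SPI matches the other's inbound SPI, and reports any direction where one side encapsulates but the other never decapsulates. The function names `parse_sa` and `diagnose` are hypothetical helpers written for this illustration.

```python
import re

# Excerpts of the two outputs quoted in the post (only the lines the check needs).
ROUTER = """\
    #pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x47161D35(1192631605)
     outbound esp sas:
      spi: 0x6C62501D(1818382365)
"""
ASA = """\
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
     #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    inbound esp sas:
      spi: 0x6C62501D (1818382365)
    outbound esp sas:
      spi: 0x47161D35 (1192631605)
"""

def parse_sa(text):
    """Pull encaps/decaps counters and ESP SPIs from 'sh crypto ipsec sa' text."""
    sa = {"encaps": 0, "decaps": 0, "inbound": set(), "outbound": set()}
    direction = None
    for line in text.splitlines():
        m = re.search(r"#pkts (encaps|decaps):\s*(\d+)", line)
        if m:
            sa[m.group(1)] += int(m.group(2))
        m = re.match(r"\s*(inbound|outbound) (esp|ah|pcp) sas:", line)
        if m:
            # Track SPIs only inside ESP sections; AH/PCP sections reset the state.
            direction = m.group(1) if m.group(2) == "esp" else None
        m = re.match(r"\s*spi:\s*0x([0-9A-Fa-f]+)", line)
        if m and direction:
            sa[direction].add(int(m.group(1), 16))
    return sa

def diagnose(a_name, a, b_name, b):
    """Return findings for SPI pairing and one-way traffic between two peers."""
    findings = []
    for tx_name, tx, rx_name, rx in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if tx["outbound"] != rx["inbound"]:
            findings.append(f"SPI mismatch {tx_name}->{rx_name}")
        if tx["encaps"] > 0 and rx["decaps"] == 0:
            findings.append(f"{tx_name}->{rx_name}: {tx['encaps']} encaps, 0 decaps")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose("asa", parse_sa(ASA), "router", parse_sa(ROUTER))))
```

On the quoted output the SPIs pair correctly in both directions, and the only finding is the ASA-to-router direction: the ASA encapsulates packets that the router never counts as decapsulated.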