Site-to-Site VPN Up but no traffic passing through

David Garcia
Level 1

Hi, I have set up a Site-to-Site VPN between an ASA and a Cisco router (UC520). The tunnel is up, but no traffic is coming through, although on the ASA I'm seeing the counters for TX and RX increasing. Troubleshooting, I found that the router has only pkts encaps, but pkts decaps is 0. Does anyone have an idea about what could be happening? Both phase 1 and 2 complete without any problems on the ASA and router. See below the sh crypto ipsec sa from router and ASA. Thanks, David.

ios version on router: 15.1(4)M5

ios version on asa: 9.1(3)

router#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: VPN-Tunnel, local addr 50.192.xyz.xyz

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
   current_peer 50.73.xyz.xyz port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 50.192.xyz.xyz, remote crypto endpt.: 50.73.xyz.xyz
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x47161D35(1192631605)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000046, crypto map: VPN-Tunnel
        sa timing: remaining key lifetime (k/sec): (4493483/1797)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x6C62501D(1818382365)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000046, crypto map: VPN-Tunnel
        sa timing: remaining key lifetime (k/sec): (4493482/1797)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

asa#sh crypto ipsec sa

interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 50.73.xyz.xyz

      access-list outside_cryptomap_1 extended permit ip 192.168.15.0 255.255.255.0 192.168.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.254.0/255.255.255.0/0/0)
      current_peer: 50.192.xyz.xyz

      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
      #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 50.73.xyz.xyz/0, remote crypto endpt.: 50.192.xyz.xyz/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 47161D35
      current inbound spi : 6C62501D

    inbound esp sas:
      spi: 0x6C62501D (1818382365)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/1857)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000000FF
    outbound esp sas:
      spi: 0x47161D35 (1192631605)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 61440, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/1857)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

4 Replies

David Garcia
Level 1

UPDATE: I just confirmed that the traffic is getting to a host on one side of the tunnel (behind the ASA). I installed Wireshark and was able to capture the traffic coming from the other network. But the reply is not getting to the router. See below:

ERB-UC520-02#sh crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/0
Uptime: 00:00:19
Session status: UP-ACTIVE
Peer: 50.73.*.* port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 50.73.*.*
      Desc: (none)
  IKEv1 SA: local 50.192.*.*/500 remote 50.73.*.*/500 Active
          Capabilities:(none) connid:2007 lifetime:23:59:40
  IPSEC FLOW: permit ip 192.168.254.0/255.255.255.0 192.168.15.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 4405285/3580
        Outbound: #pkts enc'ed 17 drop 2 life (KB/Sec) 4405284/3580

David Garcia
Level 1

UPDATE: I solved this issue. The router by default allowed any connections to UDP port 500, which is used for setting up the tunnel. But when the traffic then needed to enter using IPsec, which uses ESP (protocol 50), the router blocked that connection and no traffic could get in. So what I did was add both access lists, and the tunnel started to work.

Hope this can help someone with a similar issue.

David
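The one-way symptom in the original post (router encaps only, ASA both ways, yet phase 1 and 2 up) and the cause found in this update (an inbound ACL that admitted IKE on UDP 500 but not ESP) can both be checked mechanically. The script below is an added example written for this page, not code from the poster or from Cisco. It parses the encaps/decaps counters and ESP SPIs out of constructed, abbreviated `show crypto ipsec sa` output for both peers, decides from the two counter sets which side is dropping (it goes a little beyond the thread by also distinguishing "our ESP never reaches the peer" and "the peer never replies"), and then checks a constructed IOS-style ACL for the three flows a peer must be allowed to send: UDP 500, UDP 4500 for NAT-T, and ESP. The addresses are RFC 5737 documentation ranges, and the finding labels and the deliberately coarse ACL matching are the example's own conventions.

```python
# Diagnose a one-way IPsec tunnel from 'show crypto ipsec sa' counters and
# check an IOS-style inbound ACL for the flows an IKEv1/IPsec peer needs.
import re

# Constructed, abbreviated 'show crypto ipsec sa' output from both peers; the
# counter pattern mirrors the thread, the addresses are documentation ranges.
ROUTER_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPN-Tunnel, local addr 203.0.113.10
    #pkts encaps: 398, #pkts encrypt: 398, #pkts digest: 398
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x47161D35(1192631605)
     outbound esp sas:
      spi: 0x6C62501D(1818382365)
"""
ASA_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 198.51.100.20
      #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
     #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
      current outbound spi: 47161D35
    inbound esp sas:
      spi: 0x6C62501D (1818382365)
    outbound esp sas:
      spi: 0x47161D35 (1192631605)
"""

def parse_sa(text):
    """Return encaps/decaps counters and the inbound/outbound ESP SPIs."""
    def counter(name):
        m = re.search(r'#pkts %s:\s*(\d+)' % name, text)
        return int(m.group(1)) if m else 0
    sa = {'encaps': counter('encaps'), 'decaps': counter('decaps')}
    section = None
    for line in text.splitlines():
        if 'inbound esp sas' in line:
            section = 'inbound'
        elif 'outbound esp sas' in line:
            section = 'outbound'
        m = re.search(r'\bspi:\s*0x([0-9A-Fa-f]+)', line)  # skips 'current ... spi' lines
        if m and section:
            sa[section] = int(m.group(1), 16)
    return sa

def diagnose(local, remote):
    """Classify the tunnel from the local side's point of view."""
    findings = []
    # Phase 2 SAs must cross-match: our inbound SPI is the peer's outbound one.
    if (local.get('inbound') != remote.get('outbound')
            or local.get('outbound') != remote.get('inbound')):
        findings.append('spi-mismatch')
    if local['encaps'] and not local['decaps']:
        if not remote['decaps']:
            findings.append('peer-never-decrypts-our-esp')   # our ESP is lost en route
        elif not remote['encaps']:
            findings.append('peer-never-replies')            # return routing/NAT behind peer
        else:
            # Peer decrypts our packets and encrypts replies, yet we decrypt none:
            # ESP (IP protocol 50, or UDP 4500 with NAT-T) is filtered on our side.
            findings.append('one-way-inbound-esp-dropped')
    return findings

# Constructed IOS extended ACLs: 'before' admits only IKE on UDP 500, as in the
# thread; 'after' adds NAT-T and ESP.
ACL_BEFORE = [
    '10 permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp',
    '20 deny ip any any log',
]
ACL_AFTER = ACL_BEFORE[:1] + [
    '11 permit udp host 198.51.100.20 host 203.0.113.10 eq non500-isakmp',
    '12 permit esp host 198.51.100.20 host 203.0.113.10',
] + ACL_BEFORE[1:]

# Flows an IKEv1/IPsec peer must be allowed to send us.
REQUIRED = {
    'ike-udp-500':   ('udp', {'500', 'isakmp'}),
    'natt-udp-4500': ('udp', {'4500', 'non500-isakmp'}),
    'esp-proto-50':  ('esp', None),
}
PROTO_ALIASES = {'50': 'esp', '17': 'udp'}

def _permits(line, proto, ports):
    tokens = line.split()
    if tokens and tokens[0].isdigit():          # strip an ACL sequence number
        tokens = tokens[1:]
    if len(tokens) < 2 or tokens[0] != 'permit':
        return False
    p = PROTO_ALIASES.get(tokens[1], tokens[1])
    if p == 'ip':                                # 'permit ip' covers every protocol
        return True
    if p != proto:
        return False
    if ports is None:
        return True
    i = tokens.index('eq') if 'eq' in tokens else -1
    return i >= 0 and i + 1 < len(tokens) and tokens[i + 1] in ports

def missing_ipsec_permits(acl_lines):
    """REQUIRED flows no 'permit' line covers. Matching is coarse on purpose
    (protocol keyword plus, for UDP, the first 'eq <port>' token; addresses and
    line order ignored): 'missing' is reliable, 'covered' still needs a look."""
    return [name for name, (proto, ports) in REQUIRED.items()
            if not any(_permits(l, proto, ports) for l in acl_lines)]

if __name__ == '__main__':
    print('router view:', diagnose(parse_sa(ROUTER_SA), parse_sa(ASA_SA)))
    print('ACL before fix lacks:', missing_ipsec_permits(ACL_BEFORE))
    print('ACL after fix lacks: ', missing_ipsec_permits(ACL_AFTER))
```

Run stand-alone it reports `one-way-inbound-esp-dropped` for the router's view and lists NAT-T and ESP as missing from the "before" ACL. The ACL check is intentionally permissive about addresses: it is meant to catch a protocol that is absent altogether, which is the failure in this thread, not to replace a full first-match evaluation of the ACL.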

To confirm, does the router allow UDP port 500 only by default?

By default a router would permit everything, unless it has specifically been configured with an ACL to lock down to certain protocols/ports.