Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
382
Views
0
Helpful
1
Replies

TCP connect doesn't establish through IPSEC tunnel

MaximBudyonny
Level 1
Level 1

‎06-13-2007 03:11 AM - edited ‎02-21-2020 03:06 PM

I have IPSEC tunnel mode between router R1 and router R2.

Crypto session is UP. (sh crypto se)

But when I want to establish TCP connection (e.g. telnet 172.23.250.13 5023) from router R1 inside network to router R2 inside network session doesn't create.

R2

====

R2#sh crypto session detail | s 172.23.250.13

IPSEC FLOW: permit 6 host 172.23.250.13 port 5023 0.0.0.0/0.0.0.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 2 drop 0 life (KB/Sec) 4413690/286

Outbound: #pkts enc'ed 3 drop 0 life (KB/Sec) 4413690/286

R1

====

R1#sh crypto session detail | s 172.23.250.13

IPSEC FLOW: permit 6 0.0.0.0/0.0.0.0 host 172.23.250.13 port 5023

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4509190/281

Outbound: #pkts enc'ed 2 drop 1 life (KB/Sec) 4509189/281

On another words, encrypted packets were sent by R2 but were not delivered to R1.

What's going wrong?

crypto ACLs on R1 and R2 are mirrored.

R2:

permit tcp host 172.23.250.13 eq 5023 any

R1:

permit tcp any host 172.23.250.13 eq 5023

and command (sh access-l) shows that traffic was matched on R1 and R2.

P.S. Without IPSEC TCP session can be established, so it's not routing or something else.

Labels:
0 Helpful
1 Reply 1

wong34539
Level 6
Level 6

‎06-20-2007 07:34 AM

most common reasons is if a router, PIX Firewall, ASA or VPN Concentrator loses dead peer detection (DPD) keepalives on the path.

DPDs are used in order to verify if the remote peer still answers, because it is unsafe to keep a connection active if the remote device is dead. To a device that loses these packets, it means that the peer no longer responds to ACK for DPD, and therefore, is not reachable.

The Internet Key Exchange (IKE) keepalive packets are sent every 10 seconds, by default. Once three packets are missed, an IPsec termination point concludes that it has lost connectivity with its peer.

In order to resolve this issue, issue the crypto isakmp keepalive command on the Router. This allows the gateway to send DPD messages to the peer.

0 Helpful
Customers Also Viewed These Support Documents