VPN between ASA with tx 0 byte or few byte

Hi, 

I have configured a site-to-site VPN between two ASAs. The VPN is up, but I don't have ping between the inside networks (protected networks).

I reloaded the IKEv1 and IPsec services and the problem continues; I modified the IPsec parameters without luck. I reloaded one of the ASAs with the same result.

The ASA that can transmit any packet has three other VPNs up and running; the other peer is a new implementation.

any idea?

Br, 

Fidel gonzalez

Accepted Solution

josh.bresaw
Level 1

Hi Fidel, when L2L IPsec tunnels don't work, it is usually a problem with one of three things:

1. Crypto mechanics

2. Routing

3. NAT

You say the "VPN is up", so I'll take that to mean your crypto mechanics are good, but please verify you have good phase 1 and phase 2 SAs established by the output of:

1. show crypto isakmp sa (or show crypto ikev1 sa)

2. show crypto ipsec sa

If both of those show established SAs, then direct your attention to this part of the output of 'show crypto ipsec sa'.

example:
    #pkts encaps: 7260, #pkts encrypt: 7260, #pkts digest: 7260
    #pkts decaps: 8698, #pkts decrypt: 8698, #pkts verify: 8698

This will tell you a lot about which side(s) has the issue. If you have zero encaps and zero decaps on both ASAs, then you likely have some work to do on both ASAs. If you have one ASA with encaps incrementing and the other ASA with decaps incrementing, then focus your efforts on the ASA that has the decaps incrementing. It means that ASA is receiving IPsec-encapsulated traffic but not sending anything back (almost ALWAYS a routing or NAT problem).

This is where you'll need to examine your NAT and routing to ensure they are correct.

Without posting your entire config and topology these are difficult to advise on.

What I've tried to do here is give you some direction on how to troubleshoot this on your own.

Also, make heavy use of the packet-tracer tool when troubleshooting VPNs; it can sometimes shed some light.
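The encaps/decaps rule from the answer above, as an added example that is not part of the original post: it parses two snapshots of one ASA's 'show crypto ipsec sa' output, computes how far each counter moved, and reports which side to look at. The snapshot text, addresses and counter values are constructed for illustration.

```python
import re

# Two constructed snapshots of one ASA's 'show crypto ipsec sa' output, taken a
# few pings apart (sample text, not captured from the poster's devices). Only
# the counter lines matter for this check.
BEFORE = """\
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 8698, #pkts decrypt: 8698, #pkts verify: 8698
"""
AFTER = BEFORE.replace("8698", "8703")  # five more packets received, none sent

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(output):
    """Extract the encaps/decaps totals from 'show crypto ipsec sa' text."""
    counters = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(output):
        counters[name] = int(value)
    return counters


def deltas(before, after):
    """How much each counter grew between two snapshots of the same SA."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b[k] for k in b}


def diagnose(d):
    """Apply the rule from the answer to the counter deltas of the local ASA."""
    tx, rx = d["encaps"], d["decaps"]
    if tx == 0 and rx == 0:
        return "no traffic either way: both ASAs need work (crypto, routing, NAT)"
    if tx == 0 and rx > 0:
        return "this ASA decrypts traffic but sends nothing back: check routing and NAT here"
    if tx > 0 and rx == 0:
        return "this ASA sends but gets nothing back: focus on the peer, whose decaps should be climbing"
    return "traffic flows both ways through the tunnel"


if __name__ == "__main__":
    print(diagnose(deltas(BEFORE, AFTER)))
```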


2 Replies


Thanks for the help; your information was important to fix the problem. I had a NAT problem in my configuration. Thank you very much.

Br, 

Fidel Gonzalez