12-03-2012 02:08 AM
Hi, I just upgraded my ASA5510 from IOS 8.25 to 8.42.
Everything is running fine apart from one VPN between the ASA5510 and a Cisco 887V router.
The VPN session is up but no data traffic is being passed through the tunnel, although this VPN was working fine with the old IOS.
The tunnel is up but no data is passing through the IKEv1 session.
Can anyone please help me urgently?
Thanks
Mahmood
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer xxxxxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: 94.xxxxxxx
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
current_peer 94.xxxxxx6 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 0.0.0.0, remote crypto endpt.: 94.xxxxxx p
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
12-06-2012 03:56 AM
This would require normal troubleshooting from the beginning. Please answer the following questions:
1.) Is the tunnel up on both ends, ASA as well as router, in both phases?
2.) Since the IPsec SA on the ASA is not showing any increase in encrypted packets, can you check if anything is getting dropped in ASP drops or if traffic is entering any other VPN tunnel? You can trace the packet normally using packet tracer as well.
3.) Similarly, check on the remote end whether encryption is happening and whether that encrypted packet is reaching the ASA or not.
4.) Have you tried clearing the tunnel and establishing it again?
5.) If yes, then I would need proper debugs of isakmp and ipsec from the ASA of at least 200 level to debug further...
Ideally, the aforementioned steps should corner the issue.
Regards,
Anuj
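As an added example (not part of the thread and not Cisco tooling), this Python script applies the counter check from steps 2 and 3 to `show crypto ipsec sa` output in the format posted above, flagging selector pairs that have no SA installed or that carry traffic in only one direction. The sample text is constructed, and the state names (`no-sa`, `tx-only`, `rx-only`, `idle`, `ok`) are assumptions of this example.

```python
import re

# Constructed sample in the format posted above (trimmed). The second entry's
# counters and SPI are invented for contrast with the first.
SAMPLE = """\
local ident (addr/mask/prot/port): (10.0.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
local ident (addr/mask/prot/port): (10.0.12.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x1A2B3C4D(439041101)
"""

PATTERNS = {  # field name -> (regex, converter)
    "remote": (re.compile(r"remote\s+ident.*?:\s*\((.*)\)$"), str),
    "encaps": (re.compile(r"#pkts encaps:\s*(\d+)"), int),
    "decaps": (re.compile(r"#pkts decaps:\s*(\d+)"), int),
    "spi": (re.compile(r"current outbound spi:\s*0x([0-9A-Fa-f]+)"), lambda h: int(h, 16)),
}

def parse_sas(text):
    # One dict per local/remote selector pair; a "local ident" line starts a new entry.
    sas = []
    for line in map(str.strip, text.splitlines()):
        start = re.match(r"local\s+ident.*?:\s*\((.*)\)$", line)
        if start:
            sas.append(dict(local=start.group(1), remote=None, encaps=0, decaps=0, spi=0))
        elif sas:
            for name, (rx, conv) in PATTERNS.items():
                if (m := rx.search(line)):
                    sas[-1][name] = conv(m.group(1))
    return sas

def classify(sa):
    if sa["spi"] == 0:
        return "no-sa"    # selector configured, but no IPsec SA installed for it
    if sa["encaps"] and not sa["decaps"]:
        return "tx-only"  # this side encrypts, nothing decrypted from the peer
    if sa["decaps"] and not sa["encaps"]:
        return "rx-only"  # peer's traffic arrives, this side sends nothing back
    return "ok" if sa["encaps"] else "idle"

def report(text):
    return [(sa["remote"], classify(sa)) for sa in parse_sas(text)]

if __name__ == "__main__":
    print(*report(SAMPLE), sep="\n")
```

Running the same check on output captured from both peers shows which side stops encrypting or decrypting, which is what steps 2 and 3 ask for.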