06-03-2011 08:13 AM
Dear all,
I have a problem with my VPN configuration. When I set up the VPN, the tunnel comes up without errors and I see incoming traffic from the remote site.
But I cannot send traffic to the remote site. Please see my crypto ipsec sa for the 192.168.5.0/24 subnet.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
I see that packets are decrypted, but no packets are encrypted. And it is only one subnet (192.168.5.0/24) that is not working; when I use another one, it works without problems.
I have 30 other VPN tunnels to other remote sites and they are working without any problems.
Does someone have an idea? Many thanks for feedback!
Best regards, Markus
06-03-2011 08:42 AM
The most common causes of this problem are:
1 - This traffic is being NATed before going to the outside interface.
2 - There is one crypto map entry, with a lower sequence number, that has the same traffic selection and is being matched before this one.
Rate if it helps.
06-05-2011 09:51 PM
Hi Markus,
Well, it could be a lot of things: routing, NAT, overlapping traffic with another tunnel, duplicate ASP entries, etc.
To find that out, a good idea is to run packet-tracer for the affected traffic:
packet-tracer input
*The interface name will be the interface that you use to reach that specific LOCAL subnet; X.X.X.X will be an IP on that LOCAL subnet (use a different IP than the interface IP); Y.Y.Y.Y will be a REMOTE IP.
Check this discussion for your reference:
https://supportforums.cisco.com/message/3371092#3371092
Regards
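The two symptoms discussed in this thread, an SA that decrypts but never encrypts (Markus's counters) and a lower-numbered crypto map entry whose selector swallows the traffic first (point 2 of the first reply), can both be spotted by parsing the counters instead of eyeballing 30 tunnels. The script below is an added example, not code from the thread or from Cisco; the `show crypto ipsec sa` text it parses is constructed to approximate the ASA output format, reuses the 0 encaps / 12 decaps counters quoted in the post, and uses RFC 5737 documentation addresses. The crypto map name `outside_map`, the sequence numbers and the peer addresses are assumptions for illustration.

```python
"""Flag one-way IPsec SAs and shadowed crypto map entries from 'show crypto ipsec sa'.

Added example, not from the original thread. The sample output is constructed to
approximate the ASA format; names, sequence numbers and addresses are assumed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: seq 5 covers 192.168.0.0/16, which also contains the
# 192.168.5.0/24 selector of seq 20, so seq 20 is matched only on the way in.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 5, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.9
      #pkts encaps: 340, #pkts encrypt: 340, #pkts digest: 340
      #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    Crypto map tag: outside_map, seq num: 30, local addr: 203.0.113.1
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.8
      #pkts encaps: 88, #pkts encrypt: 88, #pkts digest: 88
      #pkts decaps: 91, #pkts decrypt: 91, #pkts verify: 91
"""

TAG_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def _net(ident: str) -> ipaddress.IPv4Network:
    """'addr/mask/prot/port' -> network built from the addr and mask parts only."""
    addr, mask = ident.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Collect one record per SA; the decaps line is the last field we need."""
    sas: list[IpsecSa] = []
    cur: dict = {}
    for line in text.splitlines():
        if m := TAG_RE.search(line):
            cur = {"crypto_map": m.group(1), "seq": int(m.group(2))}
        elif m := LOCAL_RE.search(line):
            cur["local_ident"] = m.group(1)
        elif m := REMOTE_RE.search(line):
            cur["remote_ident"] = m.group(1)
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := ENCAPS_RE.search(line):
            cur["encaps"] = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            cur["decaps"] = int(m.group(1))
            sas.append(IpsecSa(**cur))
    return sas


def diagnose(sas: list[IpsecSa]) -> dict[str, str]:
    """Map each remote ident to a finding based on the encaps/decaps asymmetry."""
    findings = {}
    for sa in sas:
        if sa.decaps > 0 and sa.encaps == 0:
            findings[sa.remote_ident] = "one-way: decrypting but never encrypting (check NAT, routing, crypto map order)"
        elif sa.encaps > 0 and sa.decaps == 0:
            findings[sa.remote_ident] = "one-way: encrypting but nothing comes back (check the remote side)"
        elif sa.encaps == 0 and sa.decaps == 0:
            findings[sa.remote_ident] = "idle: no traffic either way"
        else:
            findings[sa.remote_ident] = "ok"
    return findings


def shadowed_entries(sas: list[IpsecSa]) -> list[tuple[int, int]]:
    """(shadowed_seq, shadowing_seq) pairs within one crypto map.

    Crypto map entries are evaluated in ascending sequence order and the first
    whose selector matches wins, so an entry whose local and remote networks are
    both covered by a lower-numbered entry never sees outbound traffic.
    """
    pairs = []
    for sa in sas:
        for other in sas:
            if (other.crypto_map == sa.crypto_map and other.seq < sa.seq
                    and _net(sa.local_ident).subnet_of(_net(other.local_ident))
                    and _net(sa.remote_ident).subnet_of(_net(other.remote_ident))):
                pairs.append((sa.seq, other.seq))
    return pairs


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    for ident, finding in diagnose(sas).items():
        print(f"{ident}: {finding}")
    for shadowed, by in shadowed_entries(sas):
        print(f"seq {shadowed} is shadowed by seq {by}")
```

Run it against a pasted `show crypto ipsec sa` capture instead of the constructed sample to get the same two checks over a real box; the shadowing check only compares the address selectors, so entries that differ by protocol or port in the crypto ACL still need a manual look.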