vpn only incoming traffic

MaDe · ‎06-03-2011

Dear all,

have a problem with my vpn configuration. When I setup the vpn the tunnel comes up without errors and I see incoming traffic from the remote site.

But I cannot send traffic to the remote site. Pls see my crypto ipsec sa for 192.168.5.0/24 Subnet.

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

I see that pkts decrypt but no pkts are encrypt. And it is only one subnet(192.168.5.0/24) that is not working when I use another its working without problems.

I have other 30 vpn tunnel to other remote site and they working without any problems.

Have someone an idea? Many thanks for feedback!

Brgds Markus

guibarati · ‎06-03-2011

the most common thing for this problem is:

1 - This traffic is being NATed before going to outside interface.

2 - There is one crypto map, with a lower squence number that has the same traffic selection being matched before this one.

rate if it helps.

Gustavo Medina · ‎06-05-2011

Hi Markus,

Well, it could be a lot of things, routing, NAT, overlapping traffic with another tunnel, duplicate ASP entries, etc

To find that out a good idea is to run a packet-tracer for the affected traffic:

packet-tracer input icmp X.X.X.X 8 0 Y.Y.Y.Y det

*the interface name will be the interface that you use to reach that specific LOCAL subnet; X.X.X.X will be an IP on that LOCAL subnet, use a different IP than the interface IP; Y.Y.Y.Y will be a REMOTE IP.

Check this discussion for your reference:

https://supportforums.cisco.com/message/3371092#3371092

Regards