04-23-2024 11:39 PM
Hi, I am currently encountering an issue on a route-based IPsec VPN. I cannot ping the remote IP or the remote tunnel. I have verified that there are no decaps showing on the packets. I have already configured a static route between each site and connectivity is still unsuccessful.
Crypto map tag: __vti-crypto-map-9-0-10, seq num: 65280, local addr: xxx.xxx.xxx.xxx
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: xxx.xxx.xxx.xxx
#pkts encaps: 1183, #pkts encrypt: 1183, #pkts digest: 1183
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1183, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.xxx.xxx.xxx/0, remote crypto endpt.: xxx.xxx.xxx.xxx/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: E2D1DD20
current inbound spi : 069A90C5
But when I run packet-tracer, it shows the traffic as allowed on the LAN side.
packet-tracer input lan icmp 192.168.0.131 8 0 192.100.12.1
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.2 using egress ifc Site_B
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 340117277, packet dispatched to next module
Result:
input-interface: lan
input-status: up
input-line-status: up
output-interface: Site_B
output-status: up
output-line-status: up
Action: allow
04-26-2024 06:14 PM
Hi @tvotna, I actually ran the packet tracer and it's showing Drop. Does that mean the ISP is blocking ESP? If that is the case, I will contact my ISP to verify this issue.
SITE_A# packet-tracer input outside icmp 192.168.0.13 8 0 192.100.12.1 decrypted
*********************************************************************
WARNING: An existing decryption SA was not found. Please confirm the
IPsec Phase 2 SA or Anyconnect Tunnel is established.
*********************************************************************
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.2 using egress ifc Site_B
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Site_B
output-status: up
output-line-status: up
Action: drop
Drop-reason: (vpn-context-expired) Expired VPN context
04-26-2024 11:06 PM
Hi @John Bautista, as both @tvotna and I said, check whether ESP is being dropped by taking a packet capture on both sides to confirm that ESP packets are sent and received.
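An added diagnostic helper, not from this thread or from Cisco, that parses the `show crypto ipsec sa` counters quoted in the first post and the decrypted packet-tracer result from the follow-up, and flags the encaps-without-decaps pattern the replies are asking about. The sample text is constructed to match the shape of the outputs above, with placeholder addresses.

```python
import re

# Constructed sample shaped like the `show crypto ipsec sa` output in the thread
# (placeholder documentation addresses; only the counter lines matter here).
SAMPLE_SA = """\
Crypto map tag: __vti-crypto-map-9-0-10, seq num: 65280, local addr: 198.51.100.1
current_peer: 203.0.113.1
#pkts encaps: 1183, #pkts encrypt: 1183, #pkts digest: 1183
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
current outbound spi: E2D1DD20
current inbound spi : 069A90C5
"""

# Constructed sample shaped like the tail of the `packet-tracer ... decrypted` output.
SAMPLE_TRACE = """\
Result:
input-interface: outside
output-interface: Site_B
Action: drop
Drop-reason: (vpn-context-expired) Expired VPN context
"""

def parse_sa_counters(text):
    """Return the '#name: value' counters of one IPsec SA block as a dict."""
    return {k.strip(): int(v) for k, v in re.findall(r"#([\w ]+?):\s*(\d+)", text)}

def diagnose_sa(text):
    """'one-way' = we encrypt but never decrypt, i.e. no ESP is coming back."""
    c = parse_sa_counters(text)
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if encaps and not decaps:
        return "one-way"
    return "bidirectional" if encaps and decaps else "idle"

def parse_trace_result(text):
    """Return (action, drop-reason code or None) from packet-tracer output."""
    action = re.search(r"^Action:\s*(\w+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*\(([^)]+)\)", text, re.M)
    return (action.group(1) if action else None, reason.group(1) if reason else None)

def next_checks(sa_text, trace_text):
    """Turn both outputs into the checks the replies in the thread point to."""
    state = diagnose_sa(sa_text)
    action, reason = parse_trace_result(trace_text)
    checks = []
    if state == "one-way":
        checks.append("capture ESP on the outside interface at both peers")
    if action == "drop" and reason == "vpn-context-expired":
        checks.append("decrypted trace found no matching SA; confirm the Phase 2 SA")
    return state, checks

if __name__ == "__main__":
    print(next_checks(SAMPLE_SA, SAMPLE_TRACE))
```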
04-24-2024 01:38 AM
Can you share the tunnel config?
04-26-2024 12:05 PM
Any update?
MHM