10-08-2019 08:04 AM
I have two ASAs running a site-to-site vpn. I can see the tunnel is up at both locations. On one side, I can see encaps and decaps packets but on the other it only has decap packets. I have a continuous ping running on both sides but now it seems like only the decap packets are increasing. I've rebuilt the tunnel multiple times trying different things but can't figure out where the problem is.
Any help would be appreciated.
Side A
Show crypto ipsec sa
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: X.X.4.X
local ident (addr/mask/prot/port): (1.4.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (XXXX/255.255.128.0/0/0)
current_peer: X.X.5.X
#pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
#pkts decaps: 810, #pkts decrypt: 810, #pkts verify: 810
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 74, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.X.4.X/500, remote crypto endpt.: X.X.5.X/30194
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DACEC904
current inbound spi : 3F7EFFAE
inbound esp sas:
spi: 0x3F7EFFAE (1065287598)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 14336000, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4239307/26412)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDACEC904 (3670984964)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 14336000, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4193275/26412)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Side B
sh cryp ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: X.4.X.X
access-list outside_cryptomap_3 extended permit ip 1.X.X.X 255.255.128.0 X.4.X.X 255.255.0.0
local ident (addr/mask/prot/port): (1.X.X.X/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (XXXX/255.255.0.0/0/0)
current_peer: X.X.4.X
#pkts encaps: 941, #pkts encrypt: 941, #pkts digest: 941
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 941, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: X.4.X.X/500, remote crypto endpt.: X.2.X.X/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 3F7EFFAE
current inbound spi : DACEC904
inbound esp sas:
spi: 0xDACEC904 (3670984964)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 1409024, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239360/26224)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x3F7EFFAE (1065287598)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 1409024, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4008897/26224)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
10-08-2019 02:52 PM
This could be any number of things. Might be a routing issue at site A back to site B, or it might be a mismatch in the crypto ACLs, or it might even be a mismatch in the lifetime.
If you are 100% sure that the VPN configuration between the two sites is correct, then start with checking routing. If you are only testing with ping, and if you are testing a Windows machine, make sure that Windows Firewall is turned off or at the very least allows ICMP.
If you have another firewall between the VPN ASA and the host you are pinging, make sure traffic is permitted in the core firewall, and that routing is also correct there.
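As an added example (not part of this thread and not a Cisco tool), the script below takes the two "show crypto ipsec sa" listings and mechanically applies the checks suggested in the reply above: it confirms the two outputs describe the same SA pair (outbound SPI on one side equals inbound SPI on the other), confirms the local/remote proxy identities are mirror images (a crypto ACL mismatch shows up here), flags settings that appear on one side only, and compares encaps on one side with decaps on the other to say which direction the counters show as broken. The embedded SIDE_A and SIDE_B strings are constructed: they reproduce the counters, SPIs and "in use settings" lines from the two posts but with documentation and private placeholder addresses instead of the poster's redacted ones. The function names and finding codes are my own. The script narrows down where to look; it does not determine the root cause.

```python
import re

# Constructed sample "show crypto ipsec sa" excerpts modelled on the two listings
# in the thread: same counters, SPIs and "in use settings", but with
# documentation/private placeholder addresses, not the poster's real networks.
SIDE_A = """\
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 198.51.100.4
local ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.128.0/0/0)
current_peer: 203.0.113.5
#pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
#pkts decaps: 810, #pkts decrypt: 810, #pkts verify: 810
current outbound spi: DACEC904
current inbound spi : 3F7EFFAE
inbound esp sas:
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
outbound esp sas:
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
"""

SIDE_B = """\
Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.5
local ident (addr/mask/prot/port): (10.1.0.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (10.4.0.0/255.255.0.0/0/0)
current_peer: 198.51.100.4
#pkts encaps: 941, #pkts encrypt: 941, #pkts digest: 941
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 3F7EFFAE
current inbound spi : DACEC904
inbound esp sas:
in use settings ={L2L, Tunnel, IKEv2, }
outbound esp sas:
in use settings ={L2L, Tunnel, IKEv2, }
"""


def parse_sa(text):
    """Pull the fields needed for a two-sided comparison out of one SA listing."""
    def grab(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    return {
        # skip the "(addr/mask/prot/port)" label and capture the value after the colon
        "local_ident": grab(r"local ident[^:]*:\s*\(([^)]*)\)"),
        "remote_ident": grab(r"remote ident[^:]*:\s*\(([^)]*)\)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)")),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)")),
        "out_spi": grab(r"current outbound spi:\s*([0-9A-Fa-f]+)").upper(),
        "in_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
        # PFS is listed inside the "in use settings" braces when it was negotiated
        "pfs": bool(re.search(r"in use settings\s*=\{[^}]*PFS", text)),
    }


def check_tunnel(a, b):
    """Return (code, message) findings from comparing side A's SA with side B's."""
    findings = []
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        findings.append(("spi_mismatch",
                         "SPIs do not cross-match: the two listings are not the same SA pair"))
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append(("ident_mismatch",
                         "proxy identities are not mirror images: compare the crypto ACLs"))
    if a["pfs"] != b["pfs"]:
        findings.append(("pfs_differs",
                         "PFS is shown on one side only: compare the IPsec settings on both peers"))
    # Packets encrypted on one side should appear as decaps on the other for this SA.
    for src, dst, name in ((a, b, "A->B"), (b, a, "B->A")):
        if src["encaps"] > 0 and dst["decaps"] == 0:
            findings.append((f"{name}_lost",
                             f"{name}: {src['encaps']} packets encrypted by the sender, "
                             "0 decrypted by the receiver; check the path between the peers "
                             "and the receiver's inbound handling"))
        elif src["encaps"] == 0:
            findings.append((f"{name}_not_sent",
                             f"{name}: the sender never encrypts anything; check routing "
                             "and NAT exemption on the sending ASA"))
    return findings


if __name__ == "__main__":
    for code, msg in check_tunnel(parse_sa(SIDE_A), parse_sa(SIDE_B)):
        print(f"[{code}] {msg}")
```

Run on the numbers from the thread it produces two findings: the "in use settings" lines differ on PFS between the two sides, and the 74 packets side A encrypted never show up as decaps on side B, while the reverse direction is fine (941 encrypted at B, 810 decrypted at A, the difference being only when each listing was taken). That points the investigation at the A to B path and at side B's inbound handling rather than at side A's routing, and it is a quick way to rule out the SPI and crypto ACL mismatches mentioned in the reply before pulling captures.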