VPN tunnel looks like it's up but not passing traffic

jf1134
Level 1

I have two ASAs running a site-to-site VPN. I can see the tunnel is up at both locations. On one side, I can see encaps and decaps packets, but on the other it only has decap packets. I have a continuous ping running on both sides, but now it seems like only the decap packets are increasing. I've rebuilt the tunnel multiple times trying different things but can't figure out where the problem is.

Any help would be appreciated.

Side A

Show crypto ipsec sa
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: X.X.4.X

local ident (addr/mask/prot/port): (1.4.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (XXXX/255.255.128.0/0/0)
current_peer: X.X.5.X


#pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
#pkts decaps: 810, #pkts decrypt: 810, #pkts verify: 810
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 74, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.4.X/500, remote crypto endpt.: X.X.5.X/30194
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DACEC904
current inbound spi : 3F7EFFAE

inbound esp sas:
spi: 0x3F7EFFAE (1065287598)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 14336000, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4239307/26412)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDACEC904 (3670984964)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 14336000, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (kB/sec): (4193275/26412)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Side B

sh cryp ipsec sa

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: X.4.X.X

access-list outside_cryptomap_3 extended permit ip 1.X.X.X 255.255.128.0 X.4.X.X 255.255.0.0
local ident (addr/mask/prot/port): (1.X.X.X/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (XXXX/255.255.0.0/0/0)
current_peer: X.X.4.X


#pkts encaps: 941, #pkts encrypt: 941, #pkts digest: 941
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 941, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.4.X.X/500, remote crypto endpt.: X.2.X.X/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 3F7EFFAE
current inbound spi : DACEC904

inbound esp sas:
spi: 0xDACEC904 (3670984964)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 1409024, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239360/26224)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x3F7EFFAE (1065287598)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 1409024, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4008897/26224)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

1 Reply

This could be any number of things. Might be a routing issue at site A back to site B, or it might be a mismatch in the crypto ACLs, or it might even be a mismatch in the lifetime.

If you are 100% sure that the VPN configuration between the two sites is correct, then start with checking routing. If you are only testing with ping, and if you are testing a Windows machine, make sure that Windows Firewall is turned off or at the very least allows ICMP.

If you have another firewall between the VPN ASA and the host you are pinging, make sure traffic is permitted in the core firewall, and that routing is also correct there.

--
Please remember to select a correct answer and rate helpful posts
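As an added example (not from this thread or from Cisco), the following Python script reads the two `show crypto ipsec sa` outputs posted above and reports what a reviewer would check first: which direction the packet counters say is lost (encaps on one side with no matching decaps on the other), and the in-use settings, DF policy and peer UDP port that differ between the two SAs. The excerpts embedded in `SIDE_A` and `SIDE_B` are constructed from the thread's output with the same masked addresses.

```python
import re

# Constructed excerpts of the two "show crypto ipsec sa" outputs in the thread (only the lines read here).
SIDE_A = """\
#pkts encaps: 74, #pkts encrypt: 74, #pkts digest: 74
#pkts decaps: 810, #pkts decrypt: 810, #pkts verify: 810
local crypto endpt.: X.X.4.X/500, remote crypto endpt.: X.X.5.X/30194
PMTU time remaining (sec): 0, DF policy: clear-df
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
"""
SIDE_B = """\
#pkts encaps: 941, #pkts encrypt: 941, #pkts digest: 941
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
local crypto endpt.: X.4.X.X/500, remote crypto endpt.: X.2.X.X/500
PMTU time remaining (sec): 0, DF policy: copy-df
in use settings ={L2L, Tunnel, IKEv2, }
"""

FIELDS = {  # one regex per field of interest; group 1 is the value
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "peer_port": r"remote crypto endpt\.: \S+/(\d+)",
    "df_policy": r"DF policy: (\S+)",
    "settings": r"in use settings =\{(.*)\}",
}

def parse_sa(text):
    sa = {key: re.search(pat, text).group(1) for key, pat in FIELDS.items()}
    for key in ("encaps", "decaps", "peer_port"):
        sa[key] = int(sa[key])
    sa["settings"] = {s.strip() for s in sa["settings"].split(",") if s.strip()}
    return sa

def compare(a, b, name_a="A", name_b="B"):
    """Report one-way traffic loss and settings that differ between the two peers."""
    findings = []
    # Whatever one side encapsulates should show up as decaps on the other side.
    for src, dst, s, d in ((name_a, name_b, a, b), (name_b, name_a, b, a)):
        if s["encaps"] > 0 and d["decaps"] == 0:
            findings.append(f"{src}->{dst}: {src} encrypted {s['encaps']} pkts, {dst} decapsulated 0 (check routing/crypto ACL for that direction)")
    if a["settings"] != b["settings"]:
        findings.append(f"in-use settings differ: {sorted(a['settings'] ^ b['settings'])}")
    if a["df_policy"] != b["df_policy"]:
        findings.append(f"DF policy differs: {a['df_policy']} vs {b['df_policy']}")
    for name, sa in ((name_a, a), (name_b, b)):
        if sa["peer_port"] != 500:  # peer not seen on UDP/500: a NAT is rewriting its source port
            findings.append(f"{name} sees its peer on UDP/{sa['peer_port']}, not 500")
    return findings
```

Running `compare(parse_sa(SIDE_A), parse_sa(SIDE_B))` on the thread's counters singles out the A->B direction (74 encaps on A, 0 decaps on B) and lists the PFS, DF-policy and peer-port differences visible in the two outputs.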