site-to-site VPN not working properly.

We have a tunnel going towards AWS.

The hosts on the AWS side are not pinging.

The Tx counter keeps increasing but the Rx is 0.

show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : ************
Index : 1077 IP Addr : ************
Protocol : IKEv1 IPsecOverNatT
Encryption : IKEv1: (1)AES128 IPsecOverNatT: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1
Bytes Tx : 13992 Bytes Rx : 0
Login Time : 00:04:58 UTC Sun Jul 11 2021
Duration : 0h:33m:58s

No change was made to the ASA side, to my knowledge. What might be the issue here?

Thanks in advance.

balaji.bandi
Hall of Fame

Where is this output from? RX end means the decryptor is not working. Try to reset the tunnel and check (as you mentioned it was working, no change done).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The output is taken from the ASA 5508 running 9.14(2)15. I tried to reset the tunnel using clear ipsec peer sa xxxxx, but it did not work.

Regards

Have you done the reset initiation on both sides? When you reset the tunnel, what were the logs?

Enable debug and post the output (initiating the traffic from the allowed ACL list IP).

BB


@shubhampatki1994 

If you have 2 IPsec SAs (inbound and outbound) and the encaps (Tx) are increasing but there are no decaps (Rx), then it's possible the far end is either not routing the return traffic over the VPN or the traffic is being NATed unintentionally.

Check the AWS configuration, confirm routing, NAT etc., and provide output for review.

From the ASA provide the output of "show crypto ipsec sa"
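As an added example, not code from the thread or from Cisco, the following Python checker applies the rule above (encaps without decaps means one-way traffic) to the "show vpn-sessiondb l2l" counters quoted in the question and to the "#pkts encaps" / "#pkts decaps" lines of "show crypto ipsec sa". Both sample outputs are constructed, with documentation addresses in place of the masked values and made-up packet counts.

```python
import re

# Constructed samples: the thread's "show vpn-sessiondb l2l" excerpt with masked fields
# replaced by documentation addresses, and a hypothetical "show crypto ipsec sa" fragment
# in the ASA's usual layout (counter values made up).
SESSIONDB_OUTPUT = """\
Session Type: LAN-to-LAN

Connection : aws-tunnel
Index : 1077 IP Addr : 203.0.113.10
Bytes Tx : 13992 Bytes Rx : 0
"""

IPSEC_SA_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.10
      #pkts encaps: 152, #pkts encrypt: 152, #pkts digest: 152
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def parse_sessiondb(text):
    """Per L2L session: connection name plus Bytes Tx / Bytes Rx."""
    sessions = []
    for block in re.split(r"\n\s*\n", text):  # sessions are separated by blank lines
        name = re.search(r"Connection\s*:\s*(\S+)", block)
        counters = re.search(r"Bytes Tx\s*:\s*(\d+)\s+Bytes Rx\s*:\s*(\d+)", block)
        if name and counters:
            sessions.append({"name": name.group(1), "tx": int(counters.group(1)),
                             "rx": int(counters.group(2))})
    return sessions

def parse_ipsec_sa(text):
    """Per IPsec SA: proxy identities plus #pkts encaps / #pkts decaps."""
    sas = []
    for chunk in re.split(r"(?=local ident)", text)[1:]:  # one chunk per SA entry
        local = re.search(r"local ident.*?:\s*\(([^)]*)\)", chunk).group(1)
        remote = re.search(r"remote ident.*?:\s*\(([^)]*)\)", chunk).group(1)
        encaps = int(re.search(r"#pkts encaps:\s*(\d+)", chunk).group(1))
        decaps = int(re.search(r"#pkts decaps:\s*(\d+)", chunk).group(1))
        sas.append({"local": local, "remote": remote, "encaps": encaps, "decaps": decaps})
    return sas

def diagnose(sent, received):
    """Classify a tunnel from its outbound (encaps/Tx) and inbound (decaps/Rx) counters."""
    if sent == 0 and received == 0:
        return "idle"  # nothing matched the crypto ACL on either side
    if received == 0:
        return "one-way-outbound"  # we encrypt, peer never answers: far-end routing/NAT
    if sent == 0:
        return "one-way-inbound"  # peer sends, we never encrypt a reply: local routing/NAT
    return "ok"
```

Running `diagnose(s["tx"], s["rx"])` over `parse_sessiondb(SESSIONDB_OUTPUT)` yields "one-way-outbound" for the thread's session, which is the condition this answer attributes to far-end routing or NAT.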