IPSec Site-to-site VPN ASA Tunnel OK but VPN PHASE DROP and NO BYTE RX

miky_506
Level 1

Hello everyone,

I have an urgent problem with a site-to-site VPN configuration. The channel is UP, phase 1 (IKEv1) and phase 2 (IPsec) are OK, and I can see the connection with Cisco ASDM in the Monitoring section, but unfortunately, doing an IP packet tracer, I get DROP in the VPN phase, although the tunnel is activated correctly.

Making a telnet to the destination internal IP does not succeed, and I see the TX bytes increase while the RX bytes remain at 0.

Please can you help me? What is missing? I have a Cisco ASA v9.5 (ASA 5506).

My sh crypto isakmp sa:


fw-plabs(config)# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 62.97.2.6
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

My sh crypto ipsec sa:

fw-plabs(config)# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 88.63.105.66

access-list outside_cryptomap_2 extended permit ip 172.16.45.0 255.255.255.0 10.209.21.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.45.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.209.21.0/255.255.255.0/0/0)
current_peer: 62.97.2.6


#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 88.63.105.66/0, remote crypto endpt.: 62.97.2.6/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CD487401
current inbound spi : 98EF46B9

inbound esp sas:
spi: 0x98EF46B9 (2565818041)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/27745)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xCD487401 (3444077569)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 352256, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373999/27745)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Thanks a lot.

Regards,

Miky_506
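An added example, not from the original post or from Cisco: a small Python helper that parses the `show crypto ipsec sa` counters quoted above and classifies the SA by the direction in which ESP packets are actually flowing, so that "encaps 5 / decaps 0" is read as one-way traffic rather than a broken tunnel. The sample output is constructed from the counters in the post; the field labels are the ASA's own, the function names are mine.

```python
import re

# Constructed sample: the relevant lines of the `show crypto ipsec sa`
# output quoted in the post above, trimmed to what the check needs.
SAMPLE_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 88.63.105.66

local ident (addr/mask/prot/port): (172.16.45.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.209.21.0/255.255.255.0/0/0)
current_peer: 62.97.2.6

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Regexes keyed by the field name we want; group 1 is the value.
FIELD_PATTERNS = {
    "peer": r"current_peer:\s*(\S+)",
    "local_ident": r"local ident[^:]*:\s*\(([^)]*)\)",
    "remote_ident": r"remote ident[^:]*:\s*\(([^)]*)\)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "send_errors": r"#send errors:\s*(\d+)",
    "recv_errors": r"#recv errors:\s*(\d+)",
}

def parse_ipsec_sa(text):
    """Extract peer, selectors and packet counters into a dict (ints where numeric)."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        if not match:
            raise ValueError(f"field {name!r} not found in output")
        value = match.group(1)
        fields[name] = int(value) if value.isdigit() else value
    return fields

def diagnose(sa):
    """Classify an SA by traffic direction; one-way counters point at the return path."""
    if sa["send_errors"] or sa["recv_errors"]:
        return "errors: check send/recv error counters first"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "one-way: encrypting to peer, nothing received back"
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "one-way: receiving from peer, nothing sent"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle: no interesting traffic has matched the crypto ACL"
    return "bidirectional"

if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_OUTPUT)
    print(f"{sa['local_ident']} -> {sa['remote_ident']} via {sa['peer']}: {diagnose(sa)}")
```

The verdict for the post's counters is "one-way": this ASA is encrypting and sending, so the missing traffic is on the path back from the peer, which is where to look next.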

3 Replies

Marvin Rhoads
Hall of Fame

Yes.
I posted first in the wrong section; it is now in the correct section, named VPN. I will remove the post in the wrong section.

Thanks.

It's OK - I moved the other post for you since I had already replied to it.

You can always relocate your own posts - just click the three dots in the top right of the post.