IPSEC l2l connection up but MTU sizes are different and no access to server

Unanswered Question
Feb 20th, 2007

Hi,

Our other office just moved and we set up the new VPN L2L connection for the new office with two PIX 515e units. I am running PIX 7.0(4). When I run show crypto ipsec sa, I see it is up, but I cannot reach the servers on the other side. We did notice the remote office's MTU size is 1400 only for the VPN connection, while the interface is set to 1500. Could that be the issue? I also checked the crypto match access list and the counters are incrementing.

show access-list XO_cryptomap_40_1
access-list XO_cryptomap_40_1; 3 elements
access-list XO_cryptomap_40_1 line 1
access-list XO_cryptomap_40_1 line 2 extended permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0 (hitcnt=47)
access-list XO_cryptomap_40_1 line 3
access-list XO_cryptomap_40_1 line 4 extended permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0 (hitcnt=15)
access-list XO_cryptomap_40_1 line 5
access-list XO_cryptomap_40_1 line 6 extended permit ip 172.16.2.0 255.255.255.0 10.2.0.0 255.255.192.0 (hitcnt=0)

PIX-FW# show crypto ipsec sa
interface: XO
Crypto map tag: XO_map, seq num: 40, local addr: XX.XX.XX.XX
access-list XO_cryptomap_40_1 permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0
local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)
current_peer: XX.XX.XX.XX
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: XXXXX
inbound esp sas:
spi: 0xXXXXXX (XXXXXXXXXX)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3824999/1367)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xXXXXXXXX (xxxxxxxxx)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3825000/1365)
IV size: 8 bytes
replay detection support: Y

Crypto map tag: XO_map, seq num: 40, local addr: XX.XX.XX.XX
access-list XO_cryptomap_40_1 permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0
local ident (addr/mask/prot/port): (10.13.36.0/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)
current_peer: XX.XX.XX.XX
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: XX.XX.XX.XX
path mtu 1500, ipsec overhead 60, media mtu 1500
current outbound spi: XXXXXXX
inbound esp sas:
spi: 0xDXXXXXXX (XXXXXXXXX)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3824999/2218)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3XXXXXXX (XXXXXXXXXXX)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12, crypto-map: XO_map
sa timing: remaining key lifetime (kB/sec): (3825000/2218)
IV size: 8 bytes
replay detection support: Y

Mrkaprino Tue, 02/20/2007 - 07:44

Also, show ipsec stats shows that the inbound and outbound data are incrementing as well. Any help would be greatly appreciated.

Thanks,

Kap

show ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 371
Inbound
Bytes: 832734215
Decompressed bytes: 832734215
Packets: 6338989
Dropped packets: 7
Replay failures: 0
Authentications: 6338982
Authentication failures: 7
Decryptions: 6338982
Decryption failures: 0
Outbound
Bytes: 1651752913
Uncompressed bytes: 1651752913
Packets: 8060482
Dropped packets: 0
Authentications: 8060482
Authentication failures: 0
Encryptions: 8060482
Encryption failures: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0

Mrkaprino Tue, 02/20/2007 - 09:09

Actually, only the inbound data is incrementing; I am not able to get any outbound data incrementing.

Mrkaprino Tue, 02/20/2007 - 12:48

Never mind, we resolved the issue. It seems there was a conflict between XO_map 40 and another entry, XO_map 20. Why is that the case, since they have each been assigned to a different peer?

Anyway, I removed XO_map 20 completely and it resolved all my VPN issues.
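The two symptoms in this thread, SAs that decapsulate packets but never encapsulate any (return traffic is not being selected for the tunnel) and a lower-sequence crypto map entry whose ACL overlaps a higher one, can both be checked mechanically. The following is an added example, not code from the thread or from Cisco: it parses a constructed SA block modelled on the output above and checks a constructed, hypothetical XO_map 20 entry against the XO_map 40 ACEs (the 10.0.0.0/8 source in seq 20 is invented for illustration).

```python
"""Flag one-way IPsec SAs and overlapping crypto-map ACL entries (added example)."""
import ipaddress
import re

# Constructed SA excerpt modelled on the thread: decaps count, encaps stay at 0.
SAMPLE_SA = """\
Crypto map tag: XO_map, seq num: 40, local addr: 203.0.113.1
access-list XO_cryptomap_40_1 permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
path mtu 1500, ipsec overhead 60, media mtu 1500
"""

# Constructed crypto ACLs keyed by crypto map sequence number. The seq 20 entry
# is hypothetical; seq 40 uses two of the ACEs shown in the thread.
SAMPLE_ACLS = {
    20: [("10.0.0.0 255.0.0.0", "10.2.0.0 255.255.192.0")],
    40: [("10.13.36.0 255.255.254.0", "10.2.0.0 255.255.192.0"),
         ("172.16.1.0 255.255.255.0", "10.2.0.0 255.255.192.0")],
}

def parse_sa(text):
    """Pull the packet counters and MTU figures out of one SA block."""
    encaps = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    decaps = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    mtu = re.search(r"path mtu (\d+), ipsec overhead (\d+)", text)
    return {"encaps": encaps, "decaps": decaps,
            "path_mtu": int(mtu.group(1)), "overhead": int(mtu.group(2))}

def diagnose_sa(text):
    """Return the parsed SA plus a list of findings; effective MTU is path minus overhead."""
    sa = parse_sa(text)
    sa["effective_mtu"] = sa["path_mtu"] - sa["overhead"]
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way SA: peer traffic is decrypted but nothing is encrypted back")
    return sa, findings

def to_net(cisco):
    """Convert 'addr mask' in Cisco ACL notation to an IPv4Network."""
    addr, mask = cisco.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}")

def shadowed_entries(acls):
    """Return (lower_seq, higher_seq) pairs whose ACEs overlap in both source and
    destination. Crypto map entries are evaluated lowest sequence first, so the
    lower entry (and its peer) claims traffic the higher entry was meant to carry."""
    hits = []
    seqs = sorted(acls)
    for i, lo in enumerate(seqs):
        for hi in seqs[i + 1:]:
            for s1, d1 in acls[lo]:
                for s2, d2 in acls[hi]:
                    if to_net(s1).overlaps(to_net(s2)) and to_net(d1).overlaps(to_net(d2)):
                        hits.append((lo, hi))
    return hits
```

Run `diagnose_sa` over each SA block of `show crypto ipsec sa` and `shadowed_entries` over the crypto ACLs of every entry on the same map; a shadowing pair is the configuration-side cause to look at when the SA-side check reports one-way traffic.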
