VPN clients cannot access inside network

kenzummach
Level 1

I have an ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.

3 Replies

ajagadee
Cisco Employee

Hi,

Do a show crypto ipsec sa and look for packet encrypts and decrypts. If you are seeing decrypts and no encrypts, then check the routing on the IP address that you are trying to access through the VPN Client. It could be that the end host that you are trying to access does not know how to route the packets back to the ASA for the VPN Client pool.

Regards,

Arul

*Pls rate if it helps*

Thanks for your response.

I tried running the show crypto ipsec sa and this is what I get:

There are no ipsec sas

I realized after I posted that I should have a connection active when running this command. Here are the results:

Result of the command: "show crypto ipsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
      current_peer: 169.130.14.253, username: kenz
      dynamic allocated peer ip: 10.27.2.2

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 208F45F5

    inbound esp sas:
      spi: 0x2026D973 (539416947)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28406
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x208F45F5 (546260469)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28406
         IV size: 8 bytes
         replay detection support: Y

So it looks like there are encrypts but no decrypts. What should I do now?
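
Added example, not part of any post in this thread: a small Python parser that reads the encrypt/decrypt counters from saved "show crypto ipsec sa" output and labels each session by which direction is carrying traffic, the comparison the first reply asks for. The sample text is constructed in the format posted above; the second peer, its username and the label names are assumptions for illustration.

```python
import re

# Constructed sample: counter lines in the format of the output posted above.
# The first session repeats the thread's counters; the second is hypothetical.
SAMPLE = """\
current_peer: 169.130.14.253, username: kenz
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
current_peer: 192.0.2.44, username: example
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
"""

PEER_RE = re.compile(r"current_peer:\s*([0-9.]+)(?:,\s*username:\s*(\S+))?")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")

def parse_sas(text):
    """Return one dict per session: peer, username, encrypt, decrypt."""
    sas, cur = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:  # a current_peer line starts a new session block
            cur = {"peer": m.group(1), "username": m.group(2),
                   "encrypt": 0, "decrypt": 0}
            sas.append(cur)
        elif cur is not None:
            for name, value in COUNTER_RE.findall(line):
                cur[name] = int(value)
    return sas

def classify(sa):
    """Label a session by which counters are non-zero."""
    enc, dec = sa["encrypt"], sa["decrypt"]
    if enc and dec:
        return "both-directions"
    if dec:
        # Case named in the first reply: check return routing on the
        # inside host toward the ASA for the VPN client pool.
        return "decrypt-only"
    if enc:
        return "encrypt-only"
    return "idle"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["peer"], sa["username"], sa["encrypt"], sa["decrypt"], classify(sa))
```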
