11-11-2008 09:19 AM - edited 02-21-2020 03:05 AM
I have a ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.
11-11-2008 10:49 AM
Hi,
Do a show crypto ipsec sa and look for packets encrypts and decrypts. If you are seeing decrypts and no encrypts, then check the routing on the IP Address that you are trying to access through the VPN Client. Could be the end host that you are trying to access does not know how to route the packets back to the ASA for the VPN Client Pool.
Regards,
Arul
*Pls rate if it helps*
11-11-2008 10:59 AM
Thanks for your response.
I tried running the show crypto ipsec sa and this is what I get:
There are no ipsec sas
11-11-2008 12:07 PM
I realized after I posted that I should have a connection active when running this command. Here is the results:
Result of the command: "show crypto ipsec sa"
interface: outside
Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)
current_peer: 169.130.14.253, username: kenz
dynamic allocated peer ip: 10.27.2.2
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 208F45F5
inbound esp sas:
spi: 0x2026D973 (539416947)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28406
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x208F45F5 (546260469)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: outside_dyn_map
sa timing: remaining key lifetime (sec): 28406
IV size: 8 bytes
replay detection support: Y
So it looks like there are encrypts but no decrypts. What should I do now?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: