IPsec tunnel up, no traffic

Unanswered Question
Feb 24th, 2009
User Badges:

Attached is a report from cisco router. The IPsec tunnel is between cisco 877 and WG Firebox xEdge. The tunnel is up running, but they can not ping each other.

Tried enable debug crypto ipsec/engine,etc. then pinged. Nothing recorded.

Issued clear DF-bit as suggested, no help.

How can I diagnosis it? It used to work fine.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
c.captari Tue, 02/24/2009 - 21:09
User Badges:
  • Bronze, 100 points or more

Not much can be said with what you wrote in.

But if i were you i'd check the encryption domain.

Make sure the hosts that need to talk are part of the encryption domain.

make sure you are using the same enc domain on both endpoints (mirroring the configuration of the oposite router)


IPSEC1 domain: subnet1 mask1 subnet2 mask2

IPSEC2 domain: subnet2 mask2 subnet1 mask1

Also another thing to check is how WG Firebox interprets the encryption domain. I had a problem in the past between Checkpoint and Cisco. If you define a range of IPs in Checkpoint and a subnet in Cisco it won't work.

You need to specify subnet to subnet , not range to subnet.

naveen_b81 Thu, 02/26/2009 - 00:00
User Badges:

If the tunnel shows up, then phase 1 of the tunnel is fine. If the ping traffic is not showing up, you can issue the command "show crypto ipsec sa" and check the encryption, decryption & send errors count. If the send error count keeps increasing, then phase 2 parameters (usually access-list) are not matching. If only one among encryption/decryption happening, then traffic is getting blocked at one location, based on encryption or decryptions done.

yayasolenet Fri, 02/27/2009 - 04:04
User Badges:

"If only one among encryption/decryption happening, then traffic is getting blocked at one location, based on encryption or decryptions done."

What does that mean?

I checked "show crypto ipsec sa". Encryption packets are growing but error count are the same. What type of ACL block it?

I ckecked I've got the interesting traffic acl right, Nat deny this traffic to be natted; Firewall allow interesting traffic from the other side.

I issued debug crypto xxx, nothing showed up. I issued "debug ip packet detail", it came up like this.

Feb 27 11:51:58.689: IP: tableid=0, s= (local), d= (Dialer0), routed via RIB

Feb 27 11:51:58.689: IP: s= (local), d= (Dialer0), len 100, sending

Feb 27 11:51:58.689: ICMP type=8, code=0

Feb 27 11:51:58.689: IP: s=Lxx.xx.xx.xx(local), d=Rxx.xx.xx.xx(Dialer0), g=Lxx.xx.xx.1, len 152, forward, proto=50

nothing more, is it normal or not?


naveen_b81 Fri, 02/27/2009 - 04:28
User Badges:

If encryptions are happening and no decryptions, then it means that there is no return traffic.

What I meant was that there might be an access-list at the remote end blocking the return traffic or might also be a missing route which might not be routing the traffic.

Since encryptions are happening, you can assured that the tunnel is up and the packets are getting transferred to the destination. At the remote end if he does the same "show crypto ipsec sa" he should be seeing decryptions and if he is not seeing any encryptions, he should check his routing/security policies.

You can be assured that it is not local end problem where you are seeing encryptions..


This Discussion