02-24-2009 08:03 PM - edited 03-04-2019 03:42 AM
Attached is a report from a Cisco router. The IPsec tunnel is between a Cisco 877 and a WG Firebox xEdge. The tunnel is up and running, but they cannot ping each other.
Tried enabling debug crypto ipsec/engine, etc., then pinged. Nothing recorded.
Issued clear DF-bit as suggested, no help.
How can I diagnose it? It used to work fine.
Thanks.
02-24-2009 08:58 PM
Post your config.
02-25-2009 02:47 PM
02-24-2009 09:09 PM
Not much can be said with what you wrote in.
But if I were you I'd check the encryption domain.
Make sure the hosts that need to talk are part of the encryption domain.
Make sure you are using the same enc domain on both endpoints (mirroring the configuration of the opposite router).
Example:
IPSEC1 domain: subnet1 mask1 subnet2 mask2
IPSEC2 domain: subnet2 mask2 subnet1 mask1
Also another thing to check is how WG Firebox interprets the encryption domain. I had a problem in the past between Checkpoint and Cisco. If you define a range of IPs in Checkpoint and a subnet in Cisco it won't work.
You need to specify subnet to subnet, not range to subnet.
02-25-2009 02:50 PM
I can tell you this: if you are issuing debugs and not getting any output, check the ACLs. Are the ACLs matching the traffic you want encrypted?
This link has helped me in the past and now.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#adfs
02-26-2009 12:00 AM
If the tunnel shows up, then phase 1 of the tunnel is fine. If the ping traffic is not showing up, you can issue the command "show crypto ipsec sa" and check the encryption, decryption and send error counts. If the send error count keeps increasing, then phase 2 parameters (usually the access-list) are not matching. If only one of encryption/decryption is happening, then traffic is getting blocked at one location, based on whether encryptions or decryptions are done.
02-27-2009 04:04 AM
"If only one among encryption/decryption happening, then traffic is getting blocked at one location, based on encryption or decryptions done."
What does that mean?
I checked "show crypto ipsec sa". Encryption packets are growing but the error count is the same. What type of ACL blocks it?
I checked that I've got the interesting traffic ACL right, NAT denies this traffic from being NATed, and the firewall allows interesting traffic from the other side.
I issued debug crypto xxx, nothing showed up. I issued "debug ip packet detail", and it came up like this:
Feb 27 11:51:58.689: IP: tableid=0, s=192.168.2.254 (local), d=192.168.1.1 (Dialer0), routed via RIB
Feb 27 11:51:58.689: IP: s=192.168.2.254 (local), d=192.168.1.1 (Dialer0), len 100, sending
Feb 27 11:51:58.689: ICMP type=8, code=0
Feb 27 11:51:58.689: IP: s=Lxx.xx.xx.xx(local), d=Rxx.xx.xx.xx(Dialer0), g=Lxx.xx.xx.1, len 152, forward, proto=50
Nothing more. Is it normal or not?
Cheers,
02-27-2009 04:28 AM
If encryptions are happening and no decryptions, then it means that there is no return traffic.
What I meant was that there might be an access-list at the remote end blocking the return traffic, or there might also be a missing route which is not routing the traffic.
Since encryptions are happening, you can be assured that the tunnel is up and the packets are getting transferred to the destination. At the remote end, if he does the same "show crypto ipsec sa" he should be seeing decryptions, and if he is not seeing any encryptions, he should check his routing/security policies.
You can be assured that it is not a local-end problem where you are seeing encryptions.
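The counter reasoning in this thread (send errors rising means a phase 2 / crypto ACL mismatch; encaps rising without decaps means no return traffic from the remote end) can be applied mechanically by diffing two snapshots of "show crypto ipsec sa" taken before and after a ping test. The script below is an added example, not code from the thread or from Cisco; it assumes the counter labels as printed by IOS, and the snapshot text and addresses are constructed.

```python
"""Classify IPsec SA health from two 'show crypto ipsec sa' snapshots."""
import re

# Counters the thread says to compare between two runs of the command.
_FIELDS = {
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors\s*(\d+)"),
}


def parse_sa_counters(text):
    """Return {'encaps', 'decaps', 'send_errors'} for the first SA in the output."""
    counters = {}
    for name, pattern in _FIELDS.items():
        match = pattern.search(text)
        if match is None:
            raise ValueError(f"counter '{name}' not found in output")
        counters[name] = int(match.group(1))
    return counters


def diagnose(before, after):
    """Apply the thread's reasoning to the delta between two snapshots."""
    delta = {k: after[k] - before[k] for k in before}
    if delta["send_errors"] > 0:
        return "phase2_mismatch"       # crypto ACL / proxy IDs do not match the traffic
    if delta["encaps"] > 0 and delta["decaps"] == 0:
        return "no_return_traffic"     # remote end: check its ACL, routing, NAT
    if delta["encaps"] == 0 and delta["decaps"] == 0:
        return "traffic_not_entering_tunnel"  # local crypto ACL, NAT exemption, routing
    return "tunnel_passing_traffic"


# Constructed snapshots: counters before and after sending 100 pings.
SA_BEFORE = """\
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
SA_AFTER = SA_BEFORE.replace("encaps: 120", "encaps: 220")

if __name__ == "__main__":
    # Matches the original poster's symptom: encryptions grow, nothing comes back.
    print(diagnose(parse_sa_counters(SA_BEFORE), parse_sa_counters(SA_AFTER)))
```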