
IPsec tunnel up, no traffic

yayasolenet
Level 1

Attached is a report from the Cisco router. The IPsec tunnel is between a Cisco 877 and a WG Firebox xEdge. The tunnel is up and running, but they cannot ping each other.

Tried enabling debug crypto ipsec/engine, etc., then pinged. Nothing recorded.

Issued clear DF-bit as suggested, no help.

How can I diagnose it? It used to work fine.

Thanks.

7 Replies

Peter010101
Level 1

Post your config.

Here is the config from the Cisco.

c.captari
Level 1

Not much can be said with what you wrote in.

But if I were you I'd check the encryption domain.

Make sure the hosts that need to talk are part of the encryption domain.

Make sure you are using the same encryption domain on both endpoints (mirroring the configuration of the opposite router).

Example

IPSEC1 domain: subnet1 mask1 -> subnet2 mask2

IPSEC2 domain: subnet2 mask2 -> subnet1 mask1

Also another thing to check is how WG Firebox interprets the encryption domain. I had a problem in the past between Checkpoint and Cisco. If you define a range of IPs in Checkpoint and a subnet in Cisco it won't work.

You need to specify subnet to subnet , not range to subnet.

I can tell you this: if you are issuing debugs and not getting any output, check the ACLs. Are the ACLs matching the traffic you want encrypted?

This link has helped me in the past and now.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#adfs
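The mirroring check described in the reply above, as an added example that is not code from the poster, from Cisco or from WatchGuard. It parses Cisco IOS crypto ACL lines of the form `permit ip <src> <wildcard> <dst> <wildcard>`, reports flows whose exact mirror is missing on the peer, and also tests whether an IP range (the way some firewalls let you define the domain) is really a single subnet. The ACL strings and the 192.168.1.0/24 and 192.168.2.0/24 subnets are constructed sample input taken from the OP's debug output.

```python
"""Check that two IPsec encryption domains (crypto ACLs) mirror each other.

Added example for this thread, not code from any poster or vendor. It parses
Cisco IOS 'permit ip <src> <wildcard> <dst> <wildcard>' lines; the peer's
domain is expressed the same way for comparison (constructed sample input).
"""
import ipaddress


def _wildcard_to_network(addr, wildcard):
    """Turn an IOS address + wildcard mask into an IPv4Network."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    # strict=False: IOS masks off host bits itself, so mimic that here
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_crypto_acl(text):
    """Return the set of (src, dst) network pairs a crypto ACL will encrypt."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[:2] == ["permit", "ip"]:
            flows.add((_wildcard_to_network(parts[2], parts[3]),
                       _wildcard_to_network(parts[4], parts[5])))
    return flows


def mirror_mismatches(local_acl, remote_acl):
    """Flows present on one side whose exact mirror is missing on the other.

    An empty list means the two encryption domains are mirror images.
    """
    local = parse_crypto_acl(local_acl)
    remote_mirrored = {(dst, src) for (src, dst) in parse_crypto_acl(remote_acl)}
    return sorted(local ^ remote_mirrored, key=lambda f: (str(f[0]), str(f[1])))


def range_as_subnet(first, last):
    """Return the one subnet equal to an address range, or None if there is none.

    A firewall that defines the domain as an IP range only matches a Cisco
    subnet definition when the range is exactly one CIDR block.
    """
    blocks = list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return blocks[0] if len(blocks) == 1 else None


# Constructed sample input: the OP's subnets, with one peer correct and one not.
LOCAL_ACL = "permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255"
PEER_OK = "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255"
PEER_BAD = "permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.127"  # /25, not /24

if __name__ == "__main__":
    print("good peer mismatches:", mirror_mismatches(LOCAL_ACL, PEER_OK))
    print("bad peer mismatches:", mirror_mismatches(LOCAL_ACL, PEER_BAD))
    print("range .0-.255 as subnet:", range_as_subnet("192.168.1.0", "192.168.1.255"))
    print("range .1-.254 as subnet:", range_as_subnet("192.168.1.1", "192.168.1.254"))
```

Run it with the peer's domain pasted in as IOS-style lines; a non-empty mismatch list is the proxy-ID disagreement that leaves phase 1 up but the traffic unencrypted.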

naveen_b81
Level 1

If the tunnel shows up, then phase 1 of the tunnel is fine. If the ping traffic is not showing up, you can issue the command "show crypto ipsec sa" and check the encryption, decryption & send errors count. If the send error count keeps increasing, then phase 2 parameters (usually access-list) are not matching. If only one among encryption/decryption happening, then traffic is getting blocked at one location, based on encryption or decryptions done.

"If only one among encryption/decryption happening, then traffic is getting blocked at one location, based on encryption or decryptions done."

What does that mean?

I checked "show crypto ipsec sa". Encryption packets are growing but the error counts are the same. What type of ACL blocks it?

I checked I've got the interesting traffic ACL right; NAT denies this traffic from being NATed; the firewall allows interesting traffic from the other side.

I issued debug crypto xxx, nothing showed up. I issued "debug ip packet detail", it came up like this.

Feb 27 11:51:58.689: IP: tableid=0, s=192.168.2.254 (local), d=192.168.1.1 (Dialer0), routed via RIB

Feb 27 11:51:58.689: IP: s=192.168.2.254 (local), d=192.168.1.1 (Dialer0), len 100, sending

Feb 27 11:51:58.689: ICMP type=8, code=0

Feb 27 11:51:58.689: IP: s=Lxx.xx.xx.xx(local), d=Rxx.xx.xx.xx(Dialer0), g=Lxx.xx.xx.1, len 152, forward, proto=50

Nothing more. Is it normal or not?

Cheers,

If encryptions are happening and no decryptions, then it means that there is no return traffic.

What I meant was that there might be an access-list at the remote end blocking the return traffic or might also be a missing route which might not be routing the traffic.

Since encryptions are happening, you can be assured that the tunnel is up and the packets are getting transferred to the destination. At the remote end, if he does the same "show crypto ipsec sa" he should be seeing decryptions, and if he is not seeing any encryptions, he should check his routing/security policies.

You can be assured that it is not a local-end problem where you are seeing encryptions.
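The counter-based reasoning in the two replies above, turned into a script as an added example (not code from any poster or from Cisco). It pulls the encaps/decaps/send-error/recv-error counters out of "show crypto ipsec sa" output, diffs a snapshot taken before a test ping against one taken after, and reports which of the cases described above applies. The snapshots are constructed to resemble IOS output for a single SA pair; the interpretation of a rising recv-error count (inbound packets arriving but dropped) is an assumption beyond what the replies state.

```python
"""Diagnose an IPsec tunnel from two snapshots of 'show crypto ipsec sa'.

Added example for this thread, not code from any poster or from Cisco. It
pulls the encaps/decaps/error counters out of the IOS output, takes the
difference between a snapshot before and after a test ping, and applies the
rules given in the replies above. The snapshots below are constructed and
cover one SA pair; with several crypto ACL lines, diff each SA separately.
"""
import re

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)[: ]+(\d+)")
KEYS = ("pkts encaps", "pkts decaps", "send errors", "recv errors")


def parse_ipsec_sa_counters(text):
    """Map counter name -> value for the counters the diagnosis needs."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_deltas(before_text, after_text):
    """How far each counter moved between the two snapshots."""
    before = parse_ipsec_sa_counters(before_text)
    after = parse_ipsec_sa_counters(after_text)
    return {k: after.get(k, 0) - before.get(k, 0) for k in KEYS}


def diagnose(before_text, after_text):
    """Return (code, explanation) for what the counter movement implies."""
    d = counter_deltas(before_text, after_text)
    if d["send errors"] > 0:
        return ("send-errors", "send errors rising: phase 2 mismatch, compare the "
                "crypto ACL / proxy IDs on both sides")
    if d["pkts encaps"] == 0:
        return ("no-encaps", "nothing encrypted: the test traffic is not matching the "
                "crypto ACL or is not routed out the crypto map interface")
    if d["recv errors"] > 0:
        # Assumption: recv errors count inbound packets dropped after arrival
        return ("recv-errors", "return packets arrive but are dropped on receipt: "
                "look at the SA itself, not at routing")
    if d["pkts decaps"] == 0:
        return ("no-return", "encrypting but not decrypting: the local side is fine; "
                "check the remote ACL, routing and firewall for the return path")
    return ("bidirectional", "both directions carry traffic: the tunnel works, "
            "look at the hosts themselves")


# Constructed snapshots shaped like IOS output: five pings, nothing comes back.
SNAP_BEFORE = """\
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""
SNAP_AFTER = (SNAP_BEFORE.replace("encaps: 100", "encaps: 105")
              .replace("encrypt: 100", "encrypt: 105"))
SNAP_SENDERR = SNAP_BEFORE.replace("#send errors 0", "#send errors 5")

if __name__ == "__main__":
    print(diagnose(SNAP_BEFORE, SNAP_AFTER))    # the OP's situation
    print(diagnose(SNAP_BEFORE, SNAP_SENDERR))  # crypto ACL mismatch case
```

Take the first snapshot, send a fixed number of pings that should match the crypto ACL, take the second, and feed both to diagnose(); the encaps delta should equal the number of pings sent if the ACL and routing on this side are right.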
