03-02-2009 07:57 AM - edited 03-11-2019 07:59 AM
Hi,
I configured a L2L VPN between two sites:
One in the HO --> ASA Version 7.2(1)
One in the branch --> PIX Version 6.3(5)
They are connected to each other via a private WAN provider
(the ASA is connected via the DMZ-WAN interface).
The "show crypto isakmp sa" on both sites is UP and successful,
but in the "show crypto ipsec sa", both sites show an increasing number of encaps packets, and decaps is 0 on both devices.
Find attached the configuration files.
Please advise,
Best regards,
03-02-2009 07:58 AM
ASA-HQ# show crypto ipsec sa peer 10.141.149.194
peer address: 10.141.149.194
Crypto map tag: encrypt, seq num: 40, local addr: 172.16.1.254
access-list dahieh permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
current_peer: 10.141.149.194
#pkts encaps: 319, #pkts encrypt: 319, #pkts digest: 319
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 319, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.1.254, remote crypto endpt.: 10.141.149.194
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D8CAB21B
inbound esp sas:
spi: 0x7CCD0EB5 (2093813429)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 540, crypto-map: encrypt
sa timing: remaining key lifetime (kB/sec): (4275000/27037)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xD8CAB21B (3637162523)
transform: esp-3des esp-md5-hmac
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 540, crypto-map: encrypt
sa timing: remaining key lifetime (kB/sec): (4274981/27037)
IV size: 8 bytes
replay detection support: Y
ASA-HQ#
03-02-2009 08:44 AM
The output in the last post suggests that traffic matching your crypto ACL at the other end is not returning to the VPN device. I would check the routing in your network to see where the traffic is going, or if there is an ACL somewhere blocking the return traffic.
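The reply above reads the encaps/decaps counters by eye. As an added example (not code from the original thread or from Cisco), here is a small parser for the counter lines of "show crypto ipsec sa" output that applies the same check automatically: an SA whose encaps counter grows while decaps stays at 0 is encrypting toward the peer but never receiving encrypted traffic back, which points at the return path (routing or an ACL) rather than at the IKE negotiation. The sample transcript embedded below is constructed for the example; the first peer reuses the counters posted above, the second peer and its values are invented.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the "show crypto ipsec sa" output posted
# above. Peer 10.141.149.194 mirrors the posted counters; the second peer is
# an invented, healthy SA for contrast.
SAMPLE_OUTPUT = """\
peer address: 10.141.149.194
Crypto map tag: encrypt, seq num: 40, local addr: 172.16.1.254
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
#pkts encaps: 319, #pkts encrypt: 319, #pkts digest: 319
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
peer address: 10.141.149.200
Crypto map tag: encrypt, seq num: 50, local addr: 172.16.1.254
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
#pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
#pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify: 1187
#send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"^\s*peer address:\s*(\S+)")
IDENT_RE = re.compile(r"^\s*(local|remote) ident .*?:\s*\((.*?)\)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):\s*(\d+)")


@dataclass
class IpsecSa:
    """Counters for one IPsec SA (one 'peer address:' block)."""
    peer: str
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split 'show crypto ipsec sa' output into one record per peer block."""
    sas: List[IpsecSa] = []
    current: Optional[IpsecSa] = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = IpsecSa(peer=m.group(1))
            sas.append(current)
            continue
        if current is None:
            continue
        m = IDENT_RE.match(line)
        if m:
            if m.group(1) == "local":
                current.local_ident = m.group(2)
            else:
                current.remote_ident = m.group(2)
            continue
        for name, value in COUNTER_RE.findall(line):
            # "pkts encaps" -> "encaps", "send errors" -> "send_errors"
            setattr(current, name.replace("pkts ", "").replace(" ", "_"), int(value))
    return sas


def classify(sa: IpsecSa, baseline: Optional[IpsecSa] = None) -> str:
    """Verdict for one SA. With a baseline snapshot, the check runs on the
    counter deltas, so decaps left over from an earlier working period does
    not hide a tunnel that has since become one-way."""
    enc = sa.encaps - (baseline.encaps if baseline else 0)
    dec = sa.decaps - (baseline.decaps if baseline else 0)
    if enc > 0 and dec == 0:
        return "one-way: encrypting toward peer, nothing decrypted from peer (check return routing/ACLs)"
    if dec > 0 and enc == 0:
        return "one-way: decrypting from peer, nothing sent toward peer (check local routing/crypto ACL)"
    if enc == 0 and dec == 0:
        return "idle: no traffic matched the crypto ACL in either direction"
    return "bidirectional"


def report(text: str) -> dict:
    """Map each peer to its verdict for a single snapshot."""
    return {sa.peer: classify(sa) for sa in parse_ipsec_sa(text)}


if __name__ == "__main__":
    for peer, verdict in report(SAMPLE_OUTPUT).items():
        print(f"{peer}: {verdict}")
```

Feed it the full output from each device; on this thread both ends report encaps growing and decaps at 0, so each side is sending ESP that the other never decrypts. Taking two snapshots a minute apart and passing the first as `baseline` gives the "increasing" part of the original observation rather than a one-time reading.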