Only one side of IPsec tunnel encrypting packets

Unanswered Question

Any ideas as to how one side of the tunnel is not encrypting traffic? Thanks.


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 26731, #pkts decrypt: 26731,




show crypto isakmp sa

18 IKE Peer: Vendor
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

show crypto ipsec sa

Crypto map tag: vpn_map, seq num: 4, local addr: 198.X.227.X

access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3
local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.13.3/255.255.255.255/0/0)
current_peer: Vendor

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 26731, #pkts decrypt: 26731, #pkts verify: 26731
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 198.X.227.X, remote crypto endpt.: Vendor

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1205B666

inbound esp sas:
spi: 0x0B404729 (188761897)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 119238656, crypto-map: vpn_map
sa timing: remaining key lifetime (kB/sec): (4274991/27948)
IV size: 8 bytes
replay detection support: Y

outbound esp sas:
spi: 0x1205B666 (302364262)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 119238656, crypto-map: vpn_map
sa timing: remaining key lifetime (kB/sec): (4275000/27948)
IV size: 8 bytes
replay detection support: Y

John Blakley Wed, 06/24/2009 - 08:04

Can you post your crypto map config and ACLs on the ASA? What are you connecting to on the other end, and can you post those configs as well?


Also, looking at this map, you're encrypting traffic from one host. This has to match on your vendor's end in the opposite direction.


Your side:


access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3


Vendors side:


access-list VPN_TO_Vendor permit ip host 192.168.13.3 host 10.20.12.127


And you also need to make sure that you're not NATing that connection, with an ACL:


access-list NONAT permit ip host 10.20.12.127 host 192.168.13.3


nat (inside) 0 access-list NONAT



HTH,

John

francisco_1 Wed, 06/24/2009 - 08:34

It looks like your tunnel is up, but you are only receiving traffic in one direction, so the device above is receiving traffic and decrypting it, but nothing behind this device is sending traffic out, so there is nothing to encrypt on the tunnel. Best to have a PC at both ends, test sending ICMP data across the tunnel, and look at the stats again.



Francisco
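Both replies above boil down to two checks: read the encaps/decaps counters of each SA to see which direction is dead, and confirm the vendor's crypto ACL is the exact mirror of yours. The script below is an added example, not code from the thread or from Cisco; it parses ASA `show crypto ipsec sa` output in the format the original poster pasted, classifies each SA the way Francisco does, and derives the mirrored ACE John says the vendor side must carry. The embedded sample is constructed from the poster's output (trimmed to the fields the parser reads), and `PEER_CRYPTO_ACL` is John's suggested vendor-side line; both are assumptions for the demo, as is the ASA output layout the regexes expect.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the original poster's "show crypto ipsec sa" output,
# trimmed to the lines this script actually reads.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
Crypto map tag: vpn_map, seq num: 4, local addr: 198.X.227.X

      access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3
      local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.13.3/255.255.255.255/0/0)
      current_peer: Vendor

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 26731, #pkts decrypt: 26731, #pkts verify: 26731
"""

# Constructed: the mirrored ACE John says the vendor side needs (assumed, not verified).
PEER_CRYPTO_ACL = "access-list VPN_TO_Vendor permit ip host 192.168.13.3 host 10.20.12.127"


@dataclass
class IpsecSa:
    crypto_map: str
    peer: str
    local_ident: str
    remote_ident: str
    crypto_acl: Optional[str]
    encaps: int
    decaps: int

    def diagnose(self) -> str:
        """Read the two counters the way the thread does: encaps = sent, decaps = received."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle: no traffic in either direction"
        if self.encaps == 0:
            return "one-way: decrypting only (nothing matching the crypto ACL is being sent from this side)"
        if self.decaps == 0:
            return "one-way: encrypting only (nothing is arriving from the peer)"
        return "bidirectional"


def _int_after(label: str, chunk: str) -> int:
    m = re.search(re.escape(label) + r"\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def _ident(kind: str, chunk: str) -> str:
    # "local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)" -> "10.20.12.127/255.255.255.255"
    m = re.search(kind + r" ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/", chunk)
    return m.group(1) if m else ""


def parse_ipsec_sa(output: str) -> List[IpsecSa]:
    """Parse ASA 'show crypto ipsec sa' output into one record per crypto-map entry."""
    sas = []
    for chunk in re.split(r"(?=Crypto map tag:)", output):
        head = re.search(r"Crypto map tag: (\S+), seq num: \d+", chunk)
        if not head:
            continue
        peer = re.search(r"current_peer: (\S+)", chunk)
        acl = re.search(r"access-list \S+ (?:permit|deny) .+", chunk)
        sas.append(IpsecSa(
            crypto_map=head.group(1),
            peer=peer.group(1) if peer else "",
            local_ident=_ident("local", chunk),
            remote_ident=_ident("remote", chunk),
            crypto_acl=acl.group(0).strip() if acl else None,
            encaps=_int_after("#pkts encaps:", chunk),
            decaps=_int_after("#pkts decaps:", chunk),
        ))
    return sas


def _take_addr(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Consume one ACE address spec: 'host A', 'any', or 'A MASK'."""
    if tokens[i] == "host":
        return tokens[i:i + 2], i + 2
    if tokens[i] == "any":
        return tokens[i:i + 1], i + 1
    return tokens[i:i + 2], i + 2


def mirror_crypto_acl(ace: str) -> str:
    """Swap source and destination of a crypto ACE: the line the other side must carry.
    Any trailing tokens (e.g. port qualifiers) are kept as-is and should be checked by hand."""
    m = re.match(r"access-list (\S+) (permit|deny) (\S+) (.+)", ace.strip())
    if not m:
        raise ValueError(f"not an ACE: {ace!r}")
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src, i = _take_addr(tokens, 0)
    dst, i = _take_addr(tokens, i)
    return " ".join([f"access-list {name} {action} {proto}", *dst, *src, *tokens[i:]])


def acl_is_mirrored(local_ace: str, peer_ace: str) -> bool:
    """True if the peer's ACE is ours with source/destination swapped (ACL names may differ)."""
    def body(s: str) -> str:
        return re.sub(r"^access-list \S+ ", "", s.strip())
    return body(mirror_crypto_acl(local_ace)) == body(peer_ace)


def report(output: str, peer_acl: Optional[str] = None) -> List[str]:
    lines = []
    for sa in parse_ipsec_sa(output):
        lines.append(f"{sa.crypto_map} -> {sa.peer}: {sa.local_ident} <-> {sa.remote_ident}: "
                     f"encaps={sa.encaps} decaps={sa.decaps} => {sa.diagnose()}")
        if sa.crypto_acl:
            lines.append(f"  peer side needs: {mirror_crypto_acl(sa.crypto_acl)}")
            if peer_acl is not None:
                ok = acl_is_mirrored(sa.crypto_acl, peer_acl)
                lines.append("  peer ACL mirrors ours: " + ("yes" if ok else "NO"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SHOW_CRYPTO_IPSEC_SA, PEER_CRYPTO_ACL)))
```

Feed it the real output with the redacted addresses restored and the vendor's actual ACE; if the ACE mirrors and encaps is still 0 after pinging from the host in the local ident, the traffic is being NATed or routed away before it reaches the crypto map, which is the `nat (inside) 0` check in John's reply.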
