ASA Partial Encryption of the ACE

Oct 25th, 2009

The actual problem is that the tunnel traffic between the local and remote sides is encrypted and decrypted for only one host. The other host's traffic is neither encrypted nor decrypted.

The crypto ACL is as below:

access-list vpn-list permit ip host 192.168.1.1 host 10.10.10.1
access-list vpn-list permit ip host 192.168.1.2 host 10.10.10.1

When the traffic of host 192.168.1.1 is encrypted, the other host 192.168.1.2 is not encrypted, and there was no ACL hit count increase.

What could be the issue?

We tried deleting the whole VPN configuration and reapplying it, with the same result as before.

'show crypto ipsec sa' shows that both are under the tunnel, but when one host is encrypted the other is not.

A ping to the remote host 10.10.10.1 from 192.168.1.1 is OK, but from 192.168.1.2 it fails. After some time 192.168.1.2 can ping the remote host, but 192.168.1.1 cannot.

Thanks

swami

mj11@home_2 Sun, 10/25/2009 - 12:20

Hi swami

Are you able to check the no-NAT statements?


Regards MJ

Patrick0711 Sun, 10/25/2009 - 23:43

Check your NAT exempt access-list and ensure that the remote host has the same set of hosts specified in its crypto access-list.


The output of 'debug crypto isakmp 254' when initiating or receiving traffic would also be helpful.
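To make the two checks above concrete, here is a small Python script (added here, not part of the thread or any Cisco tool) that parses host-to-host crypto ACEs from both peers' configs, reports entries that are not mirrored on the remote side, and reports interesting traffic that is missing from the local NAT exemption ACL. The sample configs are constructed from the thread's addresses; the ACL name "nonat" and the remote peer reusing the name "vpn-list" are assumptions.

```python
import re
from typing import Dict, Set, Tuple

Pair = Tuple[str, str]

# Matches the ACE form quoted in the thread:
#   access-list <name> permit ip host <src> host <dst>
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+permit\s+ip\s+host\s+(?P<src>[\d.]+)"
    r"\s+host\s+(?P<dst>[\d.]+)"
)

def parse_acl(config: str) -> Dict[str, Set[Pair]]:
    """Return {acl_name: {(src, dst), ...}} for every host-to-host ACE in a config blob."""
    acls: Dict[str, Set[Pair]] = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # strip a stray trailing '.' such as the one in the original post
            acls.setdefault(m["name"], set()).add((m["src"].rstrip("."), m["dst"].rstrip(".")))
    return acls

def mirror_gaps(local: Set[Pair], remote: Set[Pair]) -> Dict[str, Set[Pair]]:
    """Each local (src, dst) must exist on the peer as (dst, src); report what is not mirrored."""
    expected_remote = {(dst, src) for src, dst in local}
    return {
        "missing_on_remote": expected_remote - remote,
        "missing_on_local": {(d, s) for s, d in (remote - expected_remote)},
    }

def nat_exempt_gaps(crypto: Set[Pair], nat_exempt: Set[Pair]) -> Set[Pair]:
    """Interesting traffic not covered by NAT exemption is translated first and never
    matches the crypto ACL, so it leaves in the clear and the hit count stays at zero."""
    return crypto - nat_exempt

# Constructed sample: the second host is exempted from NAT nowhere and mirrored nowhere.
LOCAL_CFG = """\
access-list vpn-list permit ip host 192.168.1.1 host 10.10.10.1
access-list vpn-list permit ip host 192.168.1.2 host 10.10.10.1.
access-list nonat permit ip host 192.168.1.1 host 10.10.10.1
"""
REMOTE_CFG = "access-list vpn-list permit ip host 10.10.10.1 host 192.168.1.1\n"

def check(local_cfg: str = LOCAL_CFG, remote_cfg: str = REMOTE_CFG,
          crypto_acl: str = "vpn-list", nonat_acl: str = "nonat") -> Dict[str, Set[Pair]]:
    local, remote = parse_acl(local_cfg), parse_acl(remote_cfg)
    crypto = local.get(crypto_acl, set())
    report = mirror_gaps(crypto, remote.get(crypto_acl, set()))
    report["not_nat_exempt"] = nat_exempt_gaps(crypto, local.get(nonat_acl, set()))
    return report

if __name__ == "__main__":
    for key, pairs in check().items():
        print(f"{key}: {sorted(pairs) or 'none'}")
```

Any non-empty set in the report is a host pair that will show exactly the symptom in the question: one host's traffic bypasses the tunnel while the other's is protected.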
