ASA Partial Encryption of the ACE

Unanswered Question
Oct 25th, 2009

The actual problem is that the tunnel traffic between the local and remote side is encrypted and decrypted for only one host. The other host's traffic is not encrypted and decrypted.

The Crypto ACL is as below

access-list vpn-list permit ip host host

access-list vpn-list permit ip host host

When the host traffic is encrypted, the other host is not encrypted and there was no ACL hit count increase.

What could be the issue?

We tried deleting the whole VPN configuration and reapplying it, with the same result as before.

'show crypto ipsec sa' shows that both are under the tunnel, but when one host is encrypted the other is not encrypted.

ping to remote host from ok but from failed. After some time can ping remote not by

mj11@home_2 Sun, 10/25/2009 - 12:20

Hi swami

Are you able to check the No NAT statements?

Regards MJ

Patrick0711 Sun, 10/25/2009 - 23:43

Check your NAT exempt access-list and ensure that the remote host has the same set of hosts specified in its crypto access-list.

The output of 'debug crypto isakmp 254' when initiating or receiving traffic would also be helpful.
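As an added illustration of the NAT-exemption check suggested above (not code from the original thread), the following Python script parses host-to-host ACEs out of an ASA configuration and lists every crypto ACL entry that has no matching NAT-exempt entry. The ACL names, addresses and the sample configuration are constructed, and it only handles 'permit ip host A host B' lines.

```python
import re

# Matches host-to-host "permit ip" ACEs in ASA syntax; "extended" is optional.
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:extended\s+)?permit\s+ip\s+"
    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)\s*$"
)


def parse_host_aces(config):
    """Return {acl_name: {(src, dst), ...}} for host-to-host permit ip ACEs."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            pair = (m.group("src"), m.group("dst"))
            acls.setdefault(m.group("name"), set()).add(pair)
    return acls


def missing_nat_exempt(config, crypto_acl, nat_acl):
    """Crypto ACEs whose exact src/dst pair is absent from the NAT-exempt ACL.

    Traffic matching such an ACE is translated before the crypto map is
    evaluated, so it never matches the tunnel and the ACE hit count stays at 0.
    """
    acls = parse_host_aces(config)
    return sorted(acls.get(crypto_acl, set()) - acls.get(nat_acl, set()))


# Constructed sample ASA config (hypothetical addresses): the second
# crypto ACE has no NAT-exempt counterpart.
SAMPLE_CONFIG = """\
access-list vpn-list extended permit ip host 10.1.1.10 host 192.168.5.20
access-list vpn-list extended permit ip host 10.1.1.11 host 192.168.5.20
access-list nonat extended permit ip host 10.1.1.10 host 192.168.5.20
nat (inside) 0 access-list nonat
"""

if __name__ == "__main__":
    for src, dst in missing_nat_exempt(SAMPLE_CONFIG, "vpn-list", "nonat"):
        print(f"crypto ACE {src} -> {dst} has no NAT-exempt ACE")
```

Run the same check on the remote side with the source and destination swapped, since its crypto and NAT-exempt ACLs are mirrored.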
