05-14-2010 05:37 AM
Hi there,
I have not been successful in setting up this VPN for over 2 months now, despite escalating to senior support in my company. Attached is the config from my end.
Scenario: Phase 1 completes successfully but phase 2 fails on encapsulation, as the ASA log below shows:
Any idea what could be the cause?
Strangely enough, the remote end is able to reach my test host 10.0.16.254, but I cannot reach their test host 172.18.31.51.
tzdar01-ASA-01# sh crypto ipsec sa
interface: outside
Crypto map tag: info2cellmap, seq num: 60, local addr: 196.46.122.1
access-list huawei2_vpn permit ip host 10.0.16.254 172.18.31.48 255.255.255.240
local ident (addr/mask/prot/port): (10.0.16.254/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.18.31.48/255.255.255.240/0/0)
current_peer: 195.33.106.101
#pkts encaps: 4511, #pkts encrypt: 4511, #pkts digest: 4511
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4511, #pkts comp failed: 0, #pkts decomp failed: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 196.46.122.1, remote crypto endpt.: 195.33.106.101
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 92EE9A18
inbound esp sas:
spi: 0xA5D6AFCD (2782310349)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 14732, crypto-map: info2cellmap
sa timing: remaining key lifetime (sec): 2069
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x92EE9A18 (2465110552)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 14732, crypto-map: info2cellmap
sa timing: remaining key lifetime (sec): 2060
IV size: 8 bytes
replay detection support: Y
05-14-2010 05:47 AM
Based on the show crypto ipsec sa output, the ASA end is sending traffic towards the Huawei end; however, Huawei did not reply.
#pkts encaps: 4511 --> traffic is being encrypted towards Huawei end
#pkts decaps: 0 ---> nothing came back from Huawei
I would check on Huawei to make sure that they have NAT exemption correctly configured, and also get the equivalent of "show crypto ipsec sa" output from Huawei to check. If the decaps counters are increasing, and 0 for encaps, then it is more likely NAT exemption on the Huawei end, or possibly an access-list might be blocking the traffic.
On a side note, please double check with Huawei that they have a mirror-image ACL configured for the crypto ACL (the ACL specifying the interesting traffic).
The ASA end has the following:
access-list hua_vpn extended permit ip object-group huawei2_VPNin object-group huawei2_VPNout
Huawei end should have the following (with all objects included as configured on the ASA end):
access-list
Hope that helps.
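The two checks in this reply (read the encaps/decaps counters to find the dead direction, and confirm the remote crypto ACL mirrors the local one) can be applied mechanically. The script below is an added example, not part of the thread and not a Cisco or Huawei tool: it parses the "show crypto ipsec sa" text the original poster attached (the sample string is constructed from that posted output), applies the counter rule from this reply, and compares the ASA's local/remote idents against the selectors the remote end reports. All function names are my own.

```python
import re
import ipaddress
from dataclasses import dataclass

# Constructed sample, taken from the "show crypto ipsec sa" output posted above.
SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: info2cellmap, seq num: 60, local addr: 196.46.122.1
access-list huawei2_vpn permit ip host 10.0.16.254 172.18.31.48 255.255.255.240
local ident (addr/mask/prot/port): (10.0.16.254/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.18.31.48/255.255.255.240/0/0)
current_peer: 195.33.106.101
#pkts encaps: 4511, #pkts encrypt: 4511, #pkts digest: 4511
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""


@dataclass
class SaSummary:
    local_ident: str   # "addr/mask/prot/port" as printed by the ASA
    remote_ident: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text):
    """Pull the idents, peer and packet counters out of one SA block."""
    def grab(pattern):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return m.group(1)

    return SaSummary(
        local_ident=grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        remote_ident=grab(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        peer=grab(r"current_peer: (\S+)"),
        encaps=int(grab(r"#pkts encaps: (\d+)")),
        decaps=int(grab(r"#pkts decaps: (\d+)")),
        send_errors=int(grab(r"#send errors: (\d+)")),
        recv_errors=int(grab(r"#recv errors: (\d+)")),
    )


def diagnose_direction(sa):
    """Apply the reply's rule: which side is (not) putting packets on the tunnel."""
    if sa.encaps > 0 and sa.decaps == 0:
        return "one-way: local encrypts, nothing returns; check remote NAT exemption / crypto ACL"
    if sa.decaps > 0 and sa.encaps == 0:
        return "one-way: remote traffic arrives, local sends nothing; check local NAT exemption / ACL"
    if sa.encaps == 0 and sa.decaps == 0:
        return "no traffic either way; check interesting-traffic ACL and routing"
    return "bidirectional: packets are flowing in both directions"


def ident_network(ident):
    """Convert an ASA ident 'addr/mask/prot/port' into an ip_network."""
    addr, mask = ident.split("/")[:2]
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def remote_selectors_mirror(sa, remote_src, remote_dst):
    """True if the remote end's (src, dst) selectors are the mirror image of ours.

    remote_src / remote_dst are 'addr/mask' strings as the remote side reports them.
    The remote's source must equal our remote ident and its destination our local ident.
    """
    return (ipaddress.ip_network(remote_src, strict=False) == ident_network(sa.remote_ident)
            and ipaddress.ip_network(remote_dst, strict=False) == ident_network(sa.local_ident))


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(f"peer {sa.peer}: encaps={sa.encaps} decaps={sa.decaps}")
    print(diagnose_direction(sa))
    # Hypothetical selectors as the remote end might report them (constructed).
    print("mirror ok:", remote_selectors_mirror(sa, "172.18.31.48/255.255.255.240",
                                                "10.0.16.254/255.255.255.255"))
```

Run against the posted output it reports the first branch (local encaps 4511, decaps 0), which is exactly the "Huawei did not reply" reading in this post; feeding it the remote side's counters instead would flip the diagnosis to the local end. The mirror check is the part to run once the Huawei output arrives: if it returns False, the interesting-traffic ACLs disagree and no amount of NAT exemption fixes that.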
05-14-2010 05:54 AM
Thanks, it makes great sense...
I have requested the output from the remote end; will update once I receive it.