VPN Tunnel UP but no traffic.

Unanswered Question
Jun 9th, 2010

Hi,


I currently have a VPN connection between a Cisco ASA 5505 and Cisco 3825.  Both Phase one and Phase two complete successfully but I'm unable to ping the remote network.


This is intermittent and often a reboot of the remote ASA will restore the connection.


If anyone is able to suggest some possible solutions to this, I'd be very grateful indeed.

Federico Coto F... Wed, 06/09/2010 - 07:52

Hi,


So the tunnel is actually working and passing traffic but traffic stops passing through?

If so and a reboot of the ASA fixes the problem, the tunnel might be getting stuck.


Try implementing ISAKMP keepalives on both ends with a low value, so that if the tunnel goes down on one end, it can be reestablished immediately after sensing interesting traffic.


Federico.

jelloyd Wed, 06/09/2010 - 07:59

Hello,


What are the exact symptoms when this problem occurs?  When you are experiencing the issue, please take a look at "show crypto ipsec sa peer x.x.x.x" (where x.x.x.x is the crypto peer address) output to see whether or not the 3825 or the ASA is failing to encrypt traffic anymore.  Issuing the command multiple times will show you whether or not packet encrypt/decrypt counters are increasing.  If we see that one of the counters is not incrementing, we've pinpointed where the problem is occurring.


Since this issue sounds like it's intermittent and a reboot of the ASA fixes the issue, take a look at the following bugs.  They all pertain to the ASA intermittently getting into a state where it duplicates an entry in its crypto classification table.  This causes the ASA to be confused as to which security-association info it needs to use to encrypt traffic to the remote VPN peer.  Ultimately, the symptom that you'll see is that the ASA will stop encrypting traffic until a reboot is done.


CSCsh48962 - Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI

CSCso50996 - ASA dropping the packet instead of encrypting it.

CSCsd48512 - Duplicate ASP crypto table entry causes firewall to not encrypt traffic


Please look through the bug notes and see if you can identify whether or not you are hitting this defect.  If so, please make sure you are running a fixed version of code.


Here is a link to Bug Toolkit on CCO to view the bug details.


http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl



-Jeff
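To make the counter check above repeatable, here is a small script (an added example, not code from this thread or from Cisco) that compares two captures of "show crypto ipsec sa peer x.x.x.x" and reports, per security association, which direction stopped moving. The two snapshots embedded below are constructed in the ASA/IOS output style with made-up addresses and counts; in practice you would paste in two captures taken a few seconds apart while generating interesting traffic (e.g. a continuous ping from the inside network).

```python
import re

# Constructed sample output, trimmed to the lines the script needs. The
# addresses, crypto map name and packet counts are made up for this example.
BEFORE = """\
peer address: 203.0.113.10
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1420, #pkts decrypt: 1420, #pkts verify: 1420
"""

# Second snapshot, taken a few seconds later while pinging from the inside:
# the decrypt side moved, the encrypt side did not.
AFTER = """\
peer address: 203.0.113.10
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1480, #pkts decrypt: 1480, #pkts verify: 1480
"""

# One IPsec SA block starts at its "local ident" line and runs until the next
# "local ident" line or the end of the capture.
SA_RE = re.compile(
    r"local ident \(addr/mask/prot/port\): \((?P<local>[^)]*)\)\s*"
    r"remote ident \(addr/mask/prot/port\): \((?P<remote>[^)]*)\)"
    r"(?P<body>.*?)(?=local ident \(|\Z)",
    re.S,
)
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")


def parse_sa_counters(output: str) -> dict:
    """Map (local ident, remote ident) -> {counter name: value} for each SA."""
    sas = {}
    for m in SA_RE.finditer(output):
        key = (m.group("local"), m.group("remote"))
        sas[key] = {name: int(val) for name, val in COUNTER_RE.findall(m.group("body"))}
    return sas


def counter_deltas(before: str, after: str) -> dict:
    """Per-SA change in each counter between the two snapshots."""
    b, a = parse_sa_counters(before), parse_sa_counters(after)
    deltas = {}
    for key, counters in a.items():
        if key not in b:
            continue  # SA appeared between snapshots (rekey or new flow); nothing to compare
        deltas[key] = {n: counters[n] - b[key][n] for n in counters if n in b[key]}
    return deltas


def diagnose(before: str, after: str) -> dict:
    """Per-SA list of findings; an empty list means both directions are moving.

    Only meaningful if interesting traffic was being generated from this side
    during the interval, otherwise a flat encrypt counter is expected.
    """
    findings = {}
    for key, d in counter_deltas(before, after).items():
        notes = []
        if d.get("encrypt", 0) == 0:
            notes.append("encrypt counter flat: this device is not encrypting outbound traffic for this SA")
        if d.get("decrypt", 0) == 0:
            notes.append("decrypt counter flat: nothing is being decrypted from the peer for this SA")
        findings[key] = notes
    return findings


if __name__ == "__main__":
    for sa, notes in diagnose(BEFORE, AFTER).items():
        print(f"{sa[0]} -> {sa[1]}: {'; '.join(notes) or 'both directions incrementing'}")
```

Reading the result the way Jeff describes: an encrypt counter that stays flat while you are pinging from the inside points at this device's encryption path (the state the listed bugs describe), whereas a flat decrypt counter with encrypt moving means the other side or the path between the peers is where to look next.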
