Troubleshoot ipsec?

Answered Question
Aug 8th, 2014

We have an ipsec tunnel established but it's not passing traffic. I can only see my end and everything appears fine.

When I run a "sh crypto ipsec sa peer x.x.x.x" I can see that packets are getting encapsulated but none are getting decapsulated.

Running packet tracer also shows that my traffic is allowed.

How can I tell for certain that the issue is at the other end of the tunnel?

Marvin Rhoads Fri, 08/08/2014 - 18:53

The symptom you describe (encaps without decaps) is most often the distant end not sending the traffic back into the tunnel (internal routing or potentially lack of NAT exemption at their end).

Without having them check, the only thing you can do is show them your end's output like you just described here.

louis0001 Fri, 08/08/2014 - 23:49

I'd like to think that too. Problem is, I recently had an issue with another ASA which was reporting the same.

In the end, I gave up and tore the config down and when I started from fresh, the ipsec tunnel came up straight away and passed traffic. Still don't have an idea what the issue was as I didn't expect the tunnel to come up so quickly. But the point is, it too was showing encaps but no decaps and resetting at my end cured the issue without any change at the remote end.

Correct Answer
nkarthikeyan Sat, 08/09/2014 - 03:32

Hi Louis,

 

If you see your end is encapsulating, then packets from your end get into the tunnel and go out encapsulated. The other end FW/VPN device should receive them and decapsulate them to send the traffic out to the destination. This is one direction of the traffic; the return packet or response packet will be encapsulated again and sent to us, where it will get decapsulated and go to the requestor.

Here you need to check on the other firewall end and see if it gets decapsulated and encapsulated back in that way. For that you may need to check the routing for the remote LAN on the remote peer, the NAT rules, whether the IPsec policies match, etc.

Run a "debug crypto ipsec 128" at your end to see if that gives any idea.

If you do all these step by step, definitely you can sort out the issue.

 

Regards

Karthik

 
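To turn the rule of thumb from Marvin's and Karthik's replies into a repeatable check, here is an added Python example (not from this thread or from Cisco) that parses the encaps/decaps counters out of "show crypto ipsec sa" output and flags SAs that only carry traffic one way. The sample output is constructed in the style of the ASA command, and the peer addresses and counters are invented.

```python
import re

# Constructed sample in the style of ASA "show crypto ipsec sa" output; not
# captured from any device in this thread. Peer .10 shows the one-way symptom.
SAMPLE = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10
      #pkts encaps: 1534, #pkts encrypt: 1534, #pkts digest: 1534
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    Crypto map tag: outside_map, seq num: 2, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 203.0.113.20
      #pkts encaps: 812, #pkts encrypt: 812, #pkts digest: 812
      #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
"""

PEER_RE = re.compile(r"current_peer: (\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return {peer: {'encaps': n, 'decaps': n}} from show crypto ipsec sa text."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers[current] = {"encaps": 0, "decaps": 0}
            continue
        if current is None:
            continue  # header lines before the first SA block
        for name, value in COUNTER_RE.findall(line):
            peers[current][name] = int(value)
    return peers

def diagnose(counters):
    """Classify one SA's counters into the situations discussed in the thread."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc and not dec:
        return "encaps-only: nothing returns; check remote routing, NAT exemption, ACLs"
    if dec and not enc:
        return "decaps-only: remote sends but we do not; check local routing/crypto ACL"
    if not enc and not dec:
        return "idle: no interesting traffic has hit this SA yet"
    return "ok: traffic flows in both directions"

if __name__ == "__main__":
    for peer, counters in parse_ipsec_sa(SAMPLE).items():
        print(f"{peer}: {diagnose(counters)}")
```

Run it twice a minute apart and compare the decaps values as well: a counter that is non-zero but not moving is as telling as one stuck at zero.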

louis0001 Sat, 08/16/2014 - 01:49

It was indeed an access rule at their end that was blocking the traffic.

Thanks for your time.
