Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1996
Views
0
Helpful
4
Replies

Troubleshoot ipsec?

Go to solution
louis0001
Level 3
Level 3

‎08-08-2014 03:31 PM - edited ‎02-21-2020 07:46 PM

We have an ispec tunnel established but it's not passing traffic. I can only see my end and everything appears fine.

When I run a "sh crypto ipsec sa peer x.x.x.x" I can see that packets are getting encapsulated but none are getting decapsulated.

Running packet tracer also shows that my traffic is allowed.

How can I tell for certain that the issue is at the other end of the tunnel?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nkarthikeyan
Level 7
Level 7
In response to louis0001

‎08-09-2014 03:32 AM

Hi Louis,

 

If you see your end is encapsulating... then packets from your end gets in to tunnel and going out with encapsulated.... other end FW/VPN device should receive it and decapsulate the same to send out the traffic to the destination.... this is for one way about the traffic... the return packet or response packet will encapsulate it again and send it to us, which will get decapsulate and go to the requestor......

Here you need to check on the other firewall end and see if it gets decapsulated and encapsulated back in that way.... for that you may need to check the routing for the remote lan in the remote peer, NAT rules and ipsec policies matches etc.....

 

run a debug crypto ipsec 128 at your end to see if that gives any idea.....

 

If you do all these step by step... definitely you can sort out the issue....

 

Regards

Karthik

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-08-2014 06:53 PM

Th symptom you describe (encaps without decaps) is most often the distant end not sending the traffic back into the tunnel (internal routing or potentially lack of NAT exemption at their end).

Without having them check, the only thing you can do is show them your end's output like you just described here.

0 Helpful

Go to solution
louis0001
Level 3
Level 3
In response to Marvin Rhoads

‎08-08-2014 11:49 PM

I'd like to think that too. Problem is, I recently had an issue with another ASA which was reporting the same.

In the end, I gave up and tore the config down and when I started from fresh, the ipsec tunnel came up straight away and passed traffic. Still don't have an idea what the issue was as I didn't expect the tunnel to come up so quickly. But the point is, it too was showing encaps but no decaps and resetting at my end cured the issue without any change at the remote end.

0 Helpful

Go to solution
nkarthikeyan
Level 7
Level 7
In response to louis0001

‎08-09-2014 03:32 AM

Hi Louis,

 

If you see your end is encapsulating... then packets from your end gets in to tunnel and going out with encapsulated.... other end FW/VPN device should receive it and decapsulate the same to send out the traffic to the destination.... this is for one way about the traffic... the return packet or response packet will encapsulate it again and send it to us, which will get decapsulate and go to the requestor......

Here you need to check on the other firewall end and see if it gets decapsulated and encapsulated back in that way.... for that you may need to check the routing for the remote lan in the remote peer, NAT rules and ipsec policies matches etc.....

 

run a debug crypto ipsec 128 at your end to see if that gives any idea.....

 

If you do all these step by step... definitely you can sort out the issue....

 

Regards

Karthik

 

0 Helpful

Go to solution
louis0001
Level 3
Level 3
In response to nkarthikeyan

‎08-16-2014 01:49 AM

It was indeed an access rule at their end that was blocking the traffic.

Thanks for your time.

0 Helpful
Customers Also Viewed These Support Documents