08-08-2014 03:31 PM - edited 02-21-2020 07:46 PM
We have an IPsec tunnel established but it's not passing traffic. I can only see my end and everything appears fine.
When I run a "sh crypto ipsec sa peer x.x.x.x" I can see that packets are getting encapsulated but none are getting decapsulated.
Running packet tracer also shows that my traffic is allowed.
How can I tell for certain that the issue is at the other end of the tunnel?
08-09-2014 03:32 AM
Hi Louis,
If you see your end is encapsulating, then packets from your end get into the tunnel and go out encapsulated. The other end's FW/VPN device should receive them and decapsulate them to send the traffic on to the destination. That is one direction of the traffic; the return or response packet gets encapsulated again and sent to us, where it is decapsulated and goes to the requestor.
Here you need to check on the other firewall end and see if it gets decapsulated and encapsulated back in that way. For that you may need to check the routing for the remote LAN on the remote peer, the NAT rules, whether the IPsec policies match, etc.
Run a debug crypto ipsec 128 at your end to see if that gives any idea.
If you do all these step by step, you can definitely sort out the issue.
Regards
Karthik
08-08-2014 06:53 PM
The symptom you describe (encaps without decaps) is most often the distant end not sending the traffic back into the tunnel (internal routing, or potentially a lack of NAT exemption at their end).
Without having them check, the only thing you can do is show them your end's output like you just described here.
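The encaps/decaps reading described in the posts above (packets encapsulated locally but none decapsulated means the remote side is not returning traffic through the tunnel) can be checked mechanically. The script below is an added example, not something posted in this thread or shipped by Cisco: it parses two constructed excerpts of `show crypto ipsec sa peer` output taken a short time apart and classifies the SA from the counter deltas rather than from a single snapshot. The peer addresses, counter values and crypto map name are invented; the `#pkts encaps:`/`#pkts decaps:` line format follows what the ASA prints.

```python
import re

# Constructed "show crypto ipsec sa peer" excerpts in ASA output format.
# Two snapshots of the same SA a short while apart; all values are invented.
# Note the decaps counter is non-zero but NOT increasing: a leftover from an
# earlier burst, which a single snapshot would misread as "traffic returning".
SNAPSHOT_T0 = """\
peer address: 198.51.100.10
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.5

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.10

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""

SNAPSHOT_T1 = """\
peer address: 198.51.100.10
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.5

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.10

      #pkts encaps: 1530, #pkts encrypt: 1530, #pkts digest: 1530
      #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
      #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")


def parse_sa(text: str) -> dict:
    """Extract the proxy identities and the encaps/decaps counters from one SA."""
    info = {}
    for m in IDENT_RE.finditer(text):
        info[m.group(1) + "_ident"] = m.group(2)
    for m in COUNTER_RE.finditer(text):
        info[m.group(1)] = int(m.group(2))
    missing = {"encaps", "decaps"} - info.keys()
    if missing:
        raise ValueError("counters not found in output: %s" % sorted(missing))
    return info


def diagnose(before: str, after: str) -> tuple:
    """Classify the SA from counter deltas between two snapshots.

    Returns (state, hint). Deltas are used because absolute counters
    accumulate over the SA lifetime and say nothing about current traffic.
    """
    b, a = parse_sa(before), parse_sa(after)
    d_enc = a["encaps"] - b["encaps"]
    d_dec = a["decaps"] - b["decaps"]
    if d_enc < 0 or d_dec < 0:
        return "reset", "counters went backwards: SA was rekeyed or cleared between snapshots"
    if d_enc > 0 and d_dec > 0:
        return "bidirectional", "traffic flows both ways through the tunnel"
    if d_enc > 0 and d_dec == 0:
        return "one-way-outbound", (
            "we encrypt but nothing comes back: check the remote side's routing "
            "for %s, its NAT exemption and its access rules" % a["local_ident"]
        )
    if d_enc == 0 and d_dec > 0:
        return "one-way-inbound", (
            "remote traffic arrives but we send nothing: check local routing "
            "toward %s and the local NAT exemption" % a["remote_ident"]
        )
    return "idle", "no interesting traffic matched this SA in the interval"


if __name__ == "__main__":
    state, hint = diagnose(SNAPSHOT_T0, SNAPSHOT_T1)
    print(state)
    print(hint)
```

In practice you would paste two captures of the real command output taken a minute or so apart; the point of diffing them is that an old non-zero decaps value (as in the constructed sample) does not by itself prove the far end is currently returning traffic.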
08-08-2014 11:49 PM
I'd like to think that too. Problem is, I recently had an issue with another ASA which was reporting the same.
In the end, I gave up and tore the config down, and when I started fresh, the IPsec tunnel came up straight away and passed traffic. I still don't have an idea what the issue was, as I didn't expect the tunnel to come up so quickly. But the point is, it too was showing encaps but no decaps, and resetting at my end cured the issue without any change at the remote end.
08-16-2014 01:49 AM
It was indeed an access rule at their end that was blocking the traffic.
Thanks for your time.