Traffic Not matching the crypto ACL

lpavon0312 (Level 1)

Hi. 

I have a Cisco 2851 router establishing an IPsec site-to-site VPN with a RV130W. Both ISAKMP and IPsec SAs are formed, but I only get one-way traffic. When I ping from the remote site (the RV130W) I see the decrypted packets, but the response doesn't go through the tunnel. Here you can see the current status and configuration. Please note that the incoming traffic weirdly matches the crypto ACL for outgoing traffic (those 3 matches are the same 3 packets from the incoming traffic), and when I try outgoing traffic, I don't see any matches on ACL 150.


Crypto Map "MYMAP" 3 ipsec-isakmp
        Description: X
        Peer = 10.116.2.6
        Extended IP access list 150
            access-list 150 permit ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255
        Current peer: 10.116.2.6
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={ 
                MYTSET:  { esp-3des esp-md5-hmac  } , 
        }

CSC2851#show access-lists 150
Extended IP access list 150
    10 permit ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255 (3 matches)


CSC2851#show crypto ipsec sa peer  10.116.2.6  

interface: GigabitEthernet0/0.701
    Crypto map tag: MYMAP, local addr 192.168.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.241.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.111.0.0/255.255.0.0/0/0)
   current_peer 10.116.2.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.100.2, remote crypto endpt.: 10.116.2.6
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0.701
     current outbound spi: 0x2EC9471D(784942877)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x67DF1852(1742674002)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2103, flow_id: Onboard VPN:103, sibling_flags 80000046, crypto map: SERVICIOS_ADMINISTRADOS
        sa timing: remaining key lifetime (k/sec): (4573605/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2EC9471D(784942877)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2104, flow_id: Onboard VPN:104, sibling_flags 80000046, crypto map: SERVICIOS_ADMINISTRADOS
        sa timing: remaining key lifetime (k/sec): (4573606/3492)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:


1 Reply

rvarelac (Level 7)

Hi,


Make sure the router has applied a NO-NAT policy for that VPN traffic. If NAT is not configured on the router, check that the interface ACLs are not blocking this traffic.


If there is no ACL applied, it could mean the devices behind the router are not replying back.


Hope it helps

-Randy-
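On an IOS router, inside-to-outside NAT is applied before the crypto map classifies outbound traffic, so LAN-to-remote packets that get translated no longer match ACL 150 and are sent in the clear instead of through the tunnel. That produces exactly the counters shown above: decaps climbing, encaps stuck at 0. (Hits on ACL 150 from decrypted inbound packets are normal; IOS checks the crypto ACL in reverse on decapsulation.) The following is an added illustration of the NAT-exemption check Randy describes, not configuration taken from the original post or from either device. It assumes GigabitEthernet0/0.701 (the interface carrying crypto map MYMAP) is already marked `ip nat outside`, the LAN interface `ip nat inside`, and that the router overloads on the WAN interface; the ACL name NAT-EXEMPT, the route-map name NO-NAT and the host addresses in the verification commands are placeholders.

```cisco
! --- Added example: NAT exemption for the VPN-protected traffic ---
! The deny line must precede the permit so that the 10.241.0.0/16 -> 10.111.0.0/16
! pair from crypto ACL 150 is left untranslated and can still match the crypto map
! on the way out. Everything else from the LAN is still translated as before.
ip access-list extended NAT-EXEMPT
 deny   ip 10.241.0.0 0.0.255.255 10.111.0.0 0.0.255.255
 permit ip 10.241.0.0 0.0.255.255 any
!
! Either attach the ACL directly to the NAT statement ...
ip nat inside source list NAT-EXEMPT interface GigabitEthernet0/0.701 overload
!
! ... or, if the existing NAT statement already references a route-map,
! point that route-map at the ACL instead (commented variant, placeholder name):
route-map NO-NAT permit 10
 match ip address NAT-EXEMPT
! ip nat inside source route-map NO-NAT interface GigabitEthernet0/0.701 overload
!
! --- Verification from the 2851 (placeholder host addresses) ---
! 1. Source the ping from an inside address so it is classified like LAN traffic;
!    a ping sourced from the router's WAN address never matches ACL 150.
! ping 10.111.0.1 source 10.241.0.1
!
! 2. Encaps should now increment alongside decaps; before the fix only decaps moved.
! show crypto ipsec sa peer 10.116.2.6 | include pkts encaps|pkts decaps
!
! 3. No translation should exist for the VPN pair. If one still appears, the NAT
!    ACL order is wrong or a stale entry must be flushed (clear ip nat translation *).
! show ip nat translations | include 10.111.
!
! 4. If NAT is not in play at all, confirm no interface ACL is dropping the replies
!    on the LAN-facing interface or on GigabitEthernet0/0.701.
! show ip interface GigabitEthernet0/0.701 | include access list
```

The order inside NAT-EXEMPT is the whole point: a permit-any that matches first would translate the VPN-bound packets to 192.168.100.2 (or whatever the outside address is) before the crypto map ever sees them, which is the one-way symptom in the original post.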
