TCC_2
Core issue

PIX/ASA version 7.0.4 drops packets that need to be encrypted for a valid LAN-to-LAN (L2L) Virtual Private Network (VPN) peer.

This issue is due to the presence of Cisco bug ID CSCsd93380.

On PIX/ASA version 7.0.4, the show crypto ipsec sa command shows a valid security association: Quick Mode completes and the active Security Parameter Index (SPI) values are present. Furthermore, the remote site is able to send traffic, so the #pkts decrypt counter increases, but the #pkts encrypt counter does not increase.

This is output from the show crypto ipsec sa command:

Firewall(config)#show crypto ipsec sa peer 1.1.1.1
  peer address: 1.1.1.1
  Crypto map tag: outside_map, seq num: 2, local addr: 2.2.2.2
  access-list vpn permit ip 192.168.0.0 255.255.0.0 172.168.0.0 255.255.255.0
  local ident (addr/mask/prot/port): (172.168.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (172.168.0.0/255.255.255.0/0/0)
  current_peer: 1.1.1.1

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 658, #pkts decrypt: 658, #pkts verify: 658
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #send errors: 0, #recv errors: 0

Instead, the Tunnel being brought up or torn down counter in the show asp drop output increases.
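The symptom above is a delta, not a single value: decrypt advances between two readings while encrypt stays flat. The following is an added example (not from this post or from Cisco) that parses two constructed snapshots in the show crypto ipsec sa format quoted above and flags peers showing that pattern; the peer 3.3.3.3 and all counter values are constructed for illustration.

```python
import re

# Constructed sample output (not real device output), modelled on the
# "show crypto ipsec sa" format quoted above: two snapshots a few minutes
# apart. Peer 1.1.1.1 shows the one-way symptom; 3.3.3.3 is a healthy peer.
SNAPSHOT_BEFORE = """\
  peer address: 1.1.1.1
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 600, #pkts decrypt: 600, #pkts verify: 600
  peer address: 3.3.3.3
  #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
  #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
"""
SNAPSHOT_AFTER = """\
  peer address: 1.1.1.1
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 658, #pkts decrypt: 658, #pkts verify: 658
  peer address: 3.3.3.3
  #pkts encaps: 90, #pkts encrypt: 90, #pkts digest: 90
  #pkts decaps: 80, #pkts decrypt: 80, #pkts verify: 80
"""

PEER_RE = re.compile(r"peer address:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt):\s*(\d+)")

def parse_ipsec_sa(text):
    """Map each peer in show crypto ipsec sa output to its encrypt/decrypt counters."""
    peers, current = {}, None
    for line in text.splitlines():
        match = PEER_RE.search(line)
        if match:
            current = match.group(1)
            peers[current] = {"encrypt": 0, "decrypt": 0}
        elif current is not None:
            for name, value in COUNTER_RE.findall(line):
                peers[current][name] = int(value)
    return peers

def one_way_peers(before, after):
    """Peers whose decrypt counter advanced while encrypt stayed flat (the
    symptom above). A flat encrypt counter can also mean no outbound traffic
    in the interval, so confirm with the show asp drop counter before acting."""
    flagged = []
    for peer, now in after.items():
        prev = before.get(peer, {"encrypt": 0, "decrypt": 0})
        if now["decrypt"] > prev["decrypt"] and now["encrypt"] == prev["encrypt"]:
            flagged.append(peer)
    return flagged
```

Calling one_way_peers(parse_ipsec_sa(SNAPSHOT_BEFORE), parse_ipsec_sa(SNAPSHOT_AFTER)) returns ['1.1.1.1'] for the sample data.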

Resolution

For a temporary workaround:

Reload the PIX/ASA software with the reload command in order to solve this issue.

For a permanent workaround:

This issue is resolved in these PIX/ASA versions:

  • 7.0(6)

  • 7.2(2)

  • 7.2(1.5)

  • 7.0(5.8)

  • 7.1(2.11)

In order to resolve this issue, download the latest code from Cisco Downloads.

Problem Type

Troubleshoot software feature
