This has to be the weirdest issue I have seen in the past year on my ASA.
I have had an ASA 5540 running the 8.4(2) code without any issues until I stumbled upon this problem last week, and I have spent sleepless nights with no resolution! So, take a deep breath; here is a brief description of my setup and the problem:
A simple IPsec tunnel between my ASA 5540 8.4(2) and a Juniper SSG 140 ScreenOS 6.3.0r9.0 (route-based VPN).
The tunnel comes up without any issues, but the ASA refuses to encrypt the traffic while it decrypts it with GLORY!
Below are some debug outputs, show outputs and a packet tracer output, which also has an explanation of my WEIRD NAT issue:
My setup (I won't get into the tunnel encryption details, as my tunnel negotiations are piss perfect and it comes up right off the bat when the ASA is configured as answer only):
(This is the weird NAT issue I am seeing. I see the hit count incrementing only when I run the packet tracer, even though I have constant pings (traffic) from the 192.168.171.8 host to 10.2.4.1/28. Please see the packet capture that I have pasted after this section.)
Forward Flow based lookup yields rule:
out id=0x7b8751f8, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x7432b74, cs_id=0x7ba38680, reverse, flags=0x0, proto
As you can see, there is no echo reply packet at all, as the packet is not being encapsulated while it is being sent back.
I have been going mad with this. Also, this is a live production multi-tenant firewall with no issues at all apart from this shitty IPsec tunnel to a Juniper!!
Also, 192.168.10.0/24 is another IPsec tunnel remote network to this 10.2.4.0/28 network; that IPsec tunnel has a similar Juniper SSG 140 ScreenOS 6.3.0r9.0 at the remote end and works like a charm without any issues, but the 171 network is not being encrypted by the ASA at all.
If anybody could help me out, that would be great!!
Will a reboot of the ASA make any difference at all? This is a 24x7 hosting environment, and reboots can be taken to management under exceptional circumstances and for sure fixes. Any suggestions here, please?
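The symptom in the post is a one-way tunnel: the decrypt side keeps working while the encrypt rule's hit counter only moves when packet-tracer is run. Below is an added example (not the poster's code or any Cisco tool) that parses two snapshots of ASA classify-rule records in the two-line `id=... domain=... / hits=... cs_id=...` style quoted above and reports tunnels (grouped by `cs_id`) whose decrypt counters advanced while their encrypt counters stayed flat. The snapshot text, the field values, the `protocol=` field on the detail line, and the idea that decrypt and encrypt rules of one SA pair share a `cs_id` are all constructed assumptions for this example, not facts taken from the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Header line:  "out id=0x..., priority=70, domain=encrypt, deny=false"
HEADER_RE = re.compile(
    r"^(?P<dir>in|out)\s+id=(?P<id>0x[0-9a-f]+),\s*priority=(?P<prio>\d+),"
    r"\s*domain=(?P<domain>\w+),\s*deny=(?P<deny>true|false)",
    re.IGNORECASE,
)
# Detail line:  "hits=3, user_data=0x..., cs_id=0x..., reverse, flags=0x0, ..."
DETAIL_RE = re.compile(r"hits=(?P<hits>\d+).*?cs_id=(?P<cs_id>0x[0-9a-f]+)", re.IGNORECASE)

# Constructed snapshots (values invented for this example; the second one is
# taken "later" so that the counters have had time to move).
SNAPSHOT_BEFORE = """\
out id=0x7b8751f8, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x7432b74, cs_id=0x7ba38680, reverse, flags=0x0, protocol=0
in  id=0x7b876000, priority=70, domain=decrypt, deny=false
        hits=4500, user_data=0x7432d00, cs_id=0x7ba38680, flags=0x0, protocol=0
out id=0x7b875a10, priority=70, domain=encrypt, deny=false
        hits=1200, user_data=0x7432c00, cs_id=0x7ba38700, reverse, flags=0x0, protocol=0
in  id=0x7b876100, priority=70, domain=decrypt, deny=false
        hits=2000, user_data=0x7432e00, cs_id=0x7ba38700, flags=0x0, protocol=0
"""

SNAPSHOT_AFTER = """\
out id=0x7b8751f8, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x7432b74, cs_id=0x7ba38680, reverse, flags=0x0, protocol=0
in  id=0x7b876000, priority=70, domain=decrypt, deny=false
        hits=4600, user_data=0x7432d00, cs_id=0x7ba38680, flags=0x0, protocol=0
out id=0x7b875a10, priority=70, domain=encrypt, deny=false
        hits=1350, user_data=0x7432c00, cs_id=0x7ba38700, reverse, flags=0x0, protocol=0
in  id=0x7b876100, priority=70, domain=decrypt, deny=false
        hits=2100, user_data=0x7432e00, cs_id=0x7ba38700, flags=0x0, protocol=0
"""


@dataclass
class Rule:
    rule_id: str
    direction: str
    priority: int
    domain: str
    deny: bool
    hits: int
    cs_id: str


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse two-line rule records into a dict keyed by rule id."""
    rules: Dict[str, Rule] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            pending = header.groupdict()
            continue
        if pending and line.lower().startswith("hits="):
            detail = DETAIL_RE.search(line)
            if detail:
                rule = Rule(
                    rule_id=pending["id"].lower(),
                    direction=pending["dir"].lower(),
                    priority=int(pending["prio"]),
                    domain=pending["domain"].lower(),
                    deny=pending["deny"].lower() == "true",
                    hits=int(detail["hits"]),
                    cs_id=detail["cs_id"].lower(),
                )
                rules[rule.rule_id] = rule
            pending = None
    return rules


def hit_deltas(before: Dict[str, Rule], after: Dict[str, Rule], domain: str) -> Dict[str, int]:
    """Sum the hit-count growth per cs_id for rules of one domain present in both snapshots."""
    deltas: Dict[str, int] = {}
    for rule_id, rule in after.items():
        if rule.domain == domain and rule_id in before:
            deltas[rule.cs_id] = deltas.get(rule.cs_id, 0) + (rule.hits - before[rule_id].hits)
    return deltas


def one_way_tunnels(before: Dict[str, Rule], after: Dict[str, Rule]) -> List[str]:
    """cs_ids whose decrypt counters grew while the matching encrypt counters did not."""
    enc = hit_deltas(before, after, "encrypt")
    dec = hit_deltas(before, after, "decrypt")
    return sorted(cs for cs, growth in dec.items() if growth > 0 and enc.get(cs, 0) == 0)


if __name__ == "__main__":
    suspects = one_way_tunnels(parse_rules(SNAPSHOT_BEFORE), parse_rules(SNAPSHOT_AFTER))
    for cs in suspects:
        print(f"cs_id {cs}: decrypt hits advancing, encrypt hits flat (one-way tunnel?)")
```

Taking the two snapshots a few minutes apart while the pings are running separates "encrypt never fires" from "encrypt fires but the reply is dropped later", which is the distinction the packet-tracer run alone cannot make because packet-tracer itself increments the counter.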
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: