Community Member

L2L VPN (PIX to ASA) Decryption problem

Hi

I configured an L2L VPN between two sites:

One in the HO --> ASA Version 7.2(1)

One in the branch --> PIX Version 6.3(5)

They are connected to each other via a private WAN provider

(the ASA is connected via the DMZ-WAN interface).

The "show crypto isakmp sa" in both sites is UP and successful,

but in the "show crypto ipsec sa", both sites are showing an increasing number in the encaps packets, and the decaps is 0 on both devices.

Find attached the configuration files.

Please advise,

Best regards,

3 REPLIES
Community Member

Re: L2L VPN (PIX to ASA) Decryption problem

ASA-HQ# show crypto ipsec sa peer 10.141.149.194
peer address: 10.141.149.194
    Crypto map tag: encrypt, seq num: 40, local addr: 172.16.1.254

      access-list dahieh permit ip 192.168.10.0 255.255.255.0 192.168.15.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
      current_peer: 10.141.149.194

      #pkts encaps: 319, #pkts encrypt: 319, #pkts digest: 319
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 319, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.254, remote crypto endpt.: 10.141.149.194

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: D8CAB21B

    inbound esp sas:
      spi: 0x7CCD0EB5 (2093813429)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 540, crypto-map: encrypt
         sa timing: remaining key lifetime (kB/sec): (4275000/27037)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xD8CAB21B (3637162523)
         transform: esp-3des esp-md5-hmac
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 540, crypto-map: encrypt
         sa timing: remaining key lifetime (kB/sec): (4274981/27037)
         IV size: 8 bytes
         replay detection support: Y
ASA-HQ#

Green

Re: L2L VPN (PIX to ASA) Decryption problem

...edited

Re: L2L VPN (PIX to ASA) Decryption problem

The output in the last post suggests that traffic matching your crypto ACL at the other end is not returning to the VPN device. I would check the routing in your network to see where the traffic is going, or whether there is an ACL somewhere blocking the return traffic.
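Reading the encaps/decaps counters on both peers is what the whole thread turns on, so here is an added example (not code from the thread, from Cisco, or from either poster) in Python that parses "show crypto ipsec sa" from each side and classifies the pattern. It goes a little beyond this one case: it tells apart the pattern posted here (both peers encapsulating, neither decapsulating) from the one-sided return-path pattern the last reply describes, and it cross-checks that each peer's outbound SPI is the other's inbound SPI and that the proxy identities mirror each other. The HQ sample is abridged from the ASA output posted above; the branch sample is constructed, since the thread does not include the PIX side, and the PIX 6.3 line layout it uses (no colon after "digest", "verify" and the error counters) is an assumption.

```python
import re

# Added example, not from the thread: parse "show crypto ipsec sa" output from both
# peers of an L2L tunnel and classify the encaps/decaps counter pattern.

# ASA 7.x prints "#pkts digest: 319"; PIX 6.x (assumed layout) prints "#pkts digest 319",
# so the colon is optional. The same applies to the send/recv error line.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify):?\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors:?\s*(\d+),\s*#recv errors:?\s*(\d+)")
SPI_RE = re.compile(r"(inbound|outbound) esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")

# Abridged from the ASA-HQ output posted in the thread.
HQ_OUTPUT = """\
peer address: 10.141.149.194
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
      #pkts encaps: 319, #pkts encrypt: 319, #pkts digest: 319
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      current outbound spi: D8CAB21B
    inbound esp sas:
      spi: 0x7CCD0EB5 (2093813429)
    outbound esp sas:
      spi: 0xD8CAB21B (3637162523)
"""

# Constructed stand-in for the PIX 6.3 branch side (the thread does not include it),
# with mirrored identities and the SPIs swapped, in the assumed PIX 6.x layout.
BRANCH_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer: 172.16.1.254:500
     #pkts encaps: 287, #pkts encrypt: 287, #pkts digest 287
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     #send errors 0, #recv errors 0
    inbound esp sas:
     spi: 0xD8CAB21B(3637162523)
    outbound esp sas:
     spi: 0x7CCD0EB5(2093813429)
"""


def parse_ipsec_sa(text):
    """Counters, error counts, SPIs and proxy identities from one peer's output."""
    sa = {key: 0 for key in ("encaps", "decaps", "encrypt", "decrypt", "digest", "verify")}
    sa.update((name, int(val)) for name, val in COUNTER_RE.findall(text))
    m = ERRORS_RE.search(text)
    sa["send_errors"], sa["recv_errors"] = (int(m[1]), int(m[2])) if m else (0, 0)
    sa["spi"] = {direction: spi.upper() for direction, spi in SPI_RE.findall(text)}
    sa["ident"] = {side: f"{addr}/{mask}" for side, addr, mask in IDENT_RE.findall(text)}
    return sa


def counter_pattern(a, b):
    """Classify the four packet counters: who encapsulates (sends ESP), who decapsulates."""
    a_tx, a_rx, b_tx, b_rx = a["encaps"], a["decaps"], b["encaps"], b["decaps"]
    if a_tx == 0 and b_tx == 0:
        return "no-interesting-traffic"
    if a_tx > 0 and b_tx > 0 and a_rx == 0 and b_rx == 0:
        return "esp-not-received-either-side"
    if a_tx > 0 and b_rx == 0:
        return "esp-lost-A-to-B"
    if b_tx > 0 and a_rx == 0:
        return "esp-lost-B-to-A"
    if b_tx == 0:  # a_tx > 0 and b_rx > 0 are implied by the checks above
        return "no-return-traffic-from-B"
    if a_tx == 0:  # b_tx > 0 and a_rx > 0 are implied by the checks above
        return "no-return-traffic-from-A"
    return "bidirectional"


ADVICE = {
    "no-interesting-traffic": "nothing has matched the crypto ACL on either side yet",
    "esp-not-received-either-side": "both peers send ESP but neither receives any: with the ISAKMP SA "
        "up, IP protocol 50 is dropped or translated between the peers; check each hop for ESP "
        "filtering or NAT (NAT-T on UDP 4500 if addresses are translated)",
    "esp-lost-A-to-B": "A's ESP never reaches B: one-way drop or NAT on the A->B path",
    "esp-lost-B-to-A": "B's ESP never reaches A: one-way drop or NAT on the B->A path",
    "no-return-traffic-from-B": "B decrypts A's traffic but sends nothing back: the reply traffic "
        "is not routed to B's crypto map or an ACL on B's side blocks it",
    "no-return-traffic-from-A": "A decrypts B's traffic but sends nothing back: the reply traffic "
        "is not routed to A's crypto map or an ACL on A's side blocks it",
    "bidirectional": "traffic is flowing both ways",
}


def diagnose(a, b):
    """Cross-check both sides and return a list of findings."""
    findings = []
    # What A sends on (outbound SPI) must be what B listens on (inbound SPI), and vice versa.
    if (a["spi"].get("outbound") != b["spi"].get("inbound")
            or b["spi"].get("outbound") != a["spi"].get("inbound")):
        findings.append("SPI mismatch: the peers hold different IPsec SAs; clear them and let IKE renegotiate")
    # Proxy identities (the crypto ACLs) must be mirror images of each other.
    if (a["ident"].get("local") != b["ident"].get("remote")
            or a["ident"].get("remote") != b["ident"].get("local")):
        findings.append("proxy identity mismatch: the crypto ACLs are not mirror images")
    findings.append(ADVICE[counter_pattern(a, b)])
    for name, sa in (("A", a), ("B", b)):
        if sa["send_errors"] or sa["recv_errors"]:
            findings.append(f"{name} reports send/recv errors: {sa['send_errors']}/{sa['recv_errors']}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(HQ_OUTPUT), parse_ipsec_sa(BRANCH_OUTPUT)):
        print("-", line)
```

Run it as-is and it reports on the HQ and branch samples; to use it on a live case, paste each peer's full "show crypto ipsec sa" output into the two strings (the extra lines are ignored). The SPI cross-check is the quickest way to confirm the two boxes actually hold the same pair of SAs before chasing the path between them.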
