06-24-2009 07:26 AM - edited 03-11-2019 08:47 AM
Any ideas as to how one side of the tunnel is not encrypting traffic? Thanks.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 26731, #pkts decrypt: 26731,
show crypto isakmp sa
18 IKE Peer: Vendor
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
show crypto ipsec sa
Crypto map tag: vpn_map, seq num: 4, local addr: 198.X.227.X
access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3
local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.13.3/255.255.255.255/0/0)
current_peer: Vendor
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 26731, #pkts decrypt: 26731, #pkts verify: 26731
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 198.X.227.X, remote crypto endpt.: Vendor
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1205B666
inbound esp sas:
spi: 0x0B404729 (188761897)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 119238656, crypto-map: vpn_map
sa timing: remaining key lifetime (kB/sec): (4274991/27948)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x1205B666 (302364262)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 119238656, crypto-map: vpn_map
sa timing: remaining key lifetime (kB/sec): (4275000/27948)
IV size: 8 bytes
replay detection support: Y
06-24-2009 08:04 AM
Can you post your crypto map config and ACLs on the ASA? What are you connecting to on the other end, and can you post those configs as well?
Also, looking at this map, you're encrypting traffic from one host. This has to match on your vendor's end in the opposite direction.
Your side:
access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3
Vendors side:
access-list VPN_TO_Vendor permit ip host 192.168.13.3 host 10.20.12.127
And you also need to make sure that you're not natting that connection with an acl:
access-list NONAT permit ip host 10.20.12.127 host 192.168.13.3
nat (inside) 0 access-list NONAT
HTH,
John
06-24-2009 08:34 AM
Looks like your tunnel is up, but you are only receiving traffic in one direction, so the device above is receiving traffic and decrypting it, but nothing behind this device is sending traffic out, so there is nothing to encrypt on the tunnel. Best to have a PC at both ends and test sending ICMP data across the tunnel, then look at the stats again.
Francisco
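The two checks the replies above describe (encaps vs. decaps counters, and a mirrored crypto ACL on the peer) can be automated over a pasted "show crypto ipsec sa" block. This is an added example, not code from the thread or from Cisco; the sample text is constructed from the counters quoted in the question.

```python
import re

# Constructed sample built from the counters quoted in the question (not a live capture).
SAMPLE_SA = """\
Crypto map tag: vpn_map, seq num: 4, local addr: 198.X.227.X
  access-list VPN_TO_Vendor permit ip host 10.20.12.127 host 192.168.13.3
  local ident (addr/mask/prot/port): (10.20.12.127/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.13.3/255.255.255.255/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 26731, #pkts decrypt: 26731, #pkts verify: 26731
  #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
ACL_RE = re.compile(r"access-list (\S+) permit ip host (\S+) host (\S+)")


def parse_counters(text):
    """Return {counter_name: value} for the encap/decap counters of one SA block."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def diagnose_direction(text):
    """Classify an SA as 'bidirectional', 'inbound-only', 'outbound-only' or 'idle'.

    encaps counts packets the ASA put into the tunnel; decaps counts packets
    received from the peer.  encaps == 0 with decaps > 0 means the peer is
    sending but nothing local is being routed into the crypto map, which is
    the symptom described in the thread.
    """
    c = parse_counters(text)
    out, inb = c.get("encaps", 0), c.get("decaps", 0)
    if out and inb:
        return "bidirectional"
    if inb and not out:
        return "inbound-only"
    if out and not inb:
        return "outbound-only"
    return "idle"


def acls_mirror(local_acl, remote_acl):
    """True if the peer's crypto ACL is the exact source/destination mirror of ours."""
    local, remote = ACL_RE.search(local_acl), ACL_RE.search(remote_acl)
    if not (local and remote):
        return False
    _, lsrc, ldst = local.groups()
    _, rsrc, rdst = remote.groups()
    return (lsrc, ldst) == (rdst, rsrc)
```

Paste the real output in place of SAMPLE_SA, and feed acls_mirror the crypto ACL line from each side; a "inbound-only" result with a non-mirrored ACL points at the remote proxy identities or a missing NAT exemption, as the replies suggest.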