I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.
Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.
without seeing the other side, i suspect a routing issue there.
does "not under my administration" mean no one there can get on the phone and work the issue with you?
Have you used the packet tracer feature in the ASDM?
I would run a packet from source to destination using your adsm and see if it is fully going out as planned.
I suspect a stale xlate on the firewall, perhaps the other side that didnt change is hearing a different source that it wants?
Another option to consider is since the other side is using IOS (right?) they may be using GRE/IPSEC of some type and need to re-config to work with the ASA.
For traffic that enters the security appliance through a VPN tunnel and is then decrypted, the sysopt connection permit-vpn command in global configuration mode to allow the traffic to bypass interface access lists.
can you do some debug on the ASA.
debug crypto ipsec and debug crypto isakmp and send us the output
try from global"clear crypto ipsec sa" and "clear xlate". Also get them to do the same on the other side.
do a continous ping to the other side
going back over the notes your provided;
see the issue now?
DE-DC-INT-FW01# show crypto ipsec sa
Crypto map tag: IPSec-VPN, seq num: 40, local addr: 188.8.131.52
ip address 184.108.40.206 255.255.255.240
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip tcp adjust-mss 1200
crypto map VPN
so, my question,
what is in front of the asa, and does it arp reach the ASA to get to 220.127.116.11?
where does the ASA has this addr config'd?
the 18.104.22.168 was the ip address of the outside interface of the router, now the router is removed and the same ip is configured on the outside interface of the ASA.
yeah other tunnels are active! the 213 is the outside ip of the asa; the conncetion is like this now:
asa (public 22.214.171.124) -> sw (layer2)-> router (private IP with no security controls)->ISP
joe's got a point here. according to the logs
DPD (Dead Peer Discovery).
IPSec has a mechanism for a peer to send a notification to its peer when it is deleting a SA. This notification is sent via IKE. However, there can be situations in which this notification never gets sent. A usual reason for this is that the peer goes dead too abruptly e.g. system crash, unplugging the Ethernet cable, etc. Due to such events, one peer could keep sending data to the dead peer and it results in data loss. For this, a Dead Peer Discovery (DPD) mechanism is used. Make sure nothing is blocking the ipsec traffic between your ASA/Router
please re-enable nat-t, clear the tunnel and bring it back up by pinging to the crypto acl destination from the source.
please past your entire asa config (sanatized of course!)
Worse case, we can do a webex to get it solved.
my next educated guess;
turn off nat-t on the ASA the other side may not support it, not have it configured or UDP 4500 may filtered somewhere in the path
no crypto isakmp nat-traversal
now clear ipsec sa on the sa, and continue testing... send interesting traffic to bring the tunnel back up
It's resolved by editing the crypto/no_nat access-lists to match only host by host! It's really weird that it was not working with subnet to subnet access-list.