03-24-2003 03:07 AM - edited 02-21-2020 12:25 PM
I have had a question that has perplexed me for a long time, and I still have not resolved it. Please, can anyone give me advice?
I have Site1 and Site2 using PIX to establish a VPN tunnel. I think the configuration has no problem and I can see the SAs, but I still cannot ping Site2 when I am on Site1. The only symptom I found is that packets are being encrypted, but there is no decryption on either site.
========================================================
Site1(config)# sh crypto isakmp sa
Total : 2
Embryonic : 0
dst src state pending created
Site2 Site1 QM_IDLE 0 1
Site1(config)# sh crypto ipsec sa
interface: VPN
Crypto map tag: mymap, local addr. Site1
local ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: Site2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 320, #pkts encrypt: 320, #pkts digest 320
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: Site1, remote crypto endpt.: Site2
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 55436f91
inbound esp sas:
spi: 0x7d9bc2b1(2107359921)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607999/27441)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x55436f91(1430482833)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607963/26901)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
============================================================
Site2(config)# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
Site1 Site2 QM_IDLE 0 1
Site2(config)#sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, local addr. Site2
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
current_peer: Site1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest 28
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: Site2, remote crypto endpt.: Site1
path mtu 1500, ipsec overhead 56, media mtu 1500
current outbound spi: 7d9bc2b1
inbound esp sas:
spi: 0x55436f91(1430482833)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 4, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4608000/27417)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7d9bc2b1(2107359921)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4607999/27381)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
=============================================================
Thanks in advance for your effort
03-24-2003 04:12 PM
Hi,
Packets are not coming back from Site1 (sent from Site2). The reason could be:
only three decaps on Site1, so packets are getting lost somewhere in the middle or at an ISP, or are being blocked.
The best check would be to do packet-level debugging (debug ip packet ACL) on the gateway router on the Site1 side, to see whether all the packets come into PIX-Site1 or not. That would tell you who is the culprit!
Thx
Afaq
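The diagnosis above rests on reading the encaps/decaps counters from both ends of the tunnel together. The following script is an added example, not code from the original thread or from Cisco: it parses the two `show crypto ipsec sa` outputs the poster pasted (embedded below as a constructed sample, trimmed to the relevant lines, in the PIX format shown above), confirms that each peer's outbound ESP SPI is the other peer's inbound SPI, and then compares what one side encapsulated with what the other side decapsulated. Whatever is missing from that comparison is ESP traffic that left one PIX and never reached the other, which is why the reply points at the path between the sites rather than at the crypto configuration.

```python
"""Cross-check `show crypto ipsec sa` counters from both ends of a tunnel.

Added example, not code from the original thread. It parses the counters
and SPIs that the poster pasted (embedded below as a constructed sample,
trimmed to the relevant lines), checks that each peer's outbound SPI is
the other peer's inbound SPI, and then compares what one side
encapsulated with what the other side decapsulated.
"""
import re

# Constructed sample: the lines that matter from each site's output in the thread.
SITE1_SA = """\
local crypto endpt.: Site1, remote crypto endpt.: Site2
#pkts encaps: 320, #pkts encrypt: 320, #pkts digest 320
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify 3
current outbound spi: 55436f91
inbound esp sas:
spi: 0x7d9bc2b1(2107359921)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x55436f91(1430482833)
outbound ah sas:
outbound pcp sas:
"""

SITE2_SA = """\
local crypto endpt.: Site2, remote crypto endpt.: Site1
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest 28
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
current outbound spi: 7d9bc2b1
inbound esp sas:
spi: 0x55436f91(1430482833)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7d9bc2b1(2107359921)
outbound ah sas:
outbound pcp sas:
"""

_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
_SPI = re.compile(r"spi: 0x([0-9a-fA-F]+)")


def parse_sa(text):
    """Pull encaps/decaps counters and the inbound/outbound ESP SPIs out of one peer's output."""
    info = {"encaps": 0, "decaps": 0, "inbound_spi": None, "outbound_spi": None}
    section = None  # which "... esp sas:" block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        m = _COUNTER.match(line)
        if m:
            info[m.group(1)] = int(m.group(2))
            continue
        if line.endswith("sas:"):
            # Only the ESP blocks carry the SPIs we pair up; the AH/PCP blocks are empty here.
            if line.startswith("inbound esp"):
                section = "inbound_spi"
            elif line.startswith("outbound esp"):
                section = "outbound_spi"
            else:
                section = None
            continue
        m = _SPI.match(line)
        if m and section:
            info[section] = m.group(1).lower()
    return info


def diagnose(a_name, a, b_name, b):
    """Compare the two parsed outputs and report SPI agreement and per-direction loss."""
    # What A sends on must be what B expects to receive on, and vice versa; a mismatch
    # would mean the two boxes hold different SAs (stale rekey, SA cleared on one side).
    spi_ok = (a["outbound_spi"] == b["inbound_spi"]
              and b["outbound_spi"] == a["inbound_spi"])
    directions = {}
    for src_name, src, dst_name, dst in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        sent, received = src["encaps"], dst["decaps"]
        # The counters are snapshots taken separately on each box, so a few packets
        # of skew are noise; hundreds of encaps against zero decaps are not.
        directions[f"{src_name}->{dst_name}"] = {
            "sent": sent,
            "received": received,
            "lost": max(sent - received, 0),
        }
    return {"spi_ok": spi_ok, "directions": directions}


def worst_direction(report):
    """Name the direction with the most ESP packets unaccounted for."""
    return max(report["directions"], key=lambda d: report["directions"][d]["lost"])


if __name__ == "__main__":
    report = diagnose("Site1", parse_sa(SITE1_SA), "Site2", parse_sa(SITE2_SA))
    print("SPIs agree on both peers:", report["spi_ok"])
    for direction, d in report["directions"].items():
        print(f"{direction}: {d['sent']} encaps, {d['received']} decaps, {d['lost']} lost")
    print("start packet-level debugging on the path for:", worst_direction(report))
```

The SPI check passes on the thread's output, so both PIXes agree on the SAs and the loss is in transit; the per-direction figures then say which upstream router to put the `debug ip packet` ACL on first. Treat the counters as rough evidence only, since they are read at different moments on two boxes and are reset whenever an SA is rekeyed or cleared.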