Cisco Site-to-Site VPN

Not applicable

Site-to-site VPN from Cisco ASA and Fortinet firewall is up but can't ping each other.

Any suggestion?  The problem is with PEER: 47.44.163.253

Result of the command: "show crypto isakmp sa"

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 207.236.213.66
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 47.44.163.253
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Result of the command: "show crypto ipsec sa"

interface: backup_isp
    Crypto map tag: backup_isp_map6, seq num: 1, local addr: 47.44.163.130

      access-list backup_isp_cryptomap_3 extended permit ip 172.16.0.0 255.255.0.0 172.18.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.18.0.0/255.255.0.0/0/0)
      current_peer: 47.44.163.253


      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 2

      local crypto endpt.: 47.44.163.130/0, remote crypto endpt.: 47.44.163.253/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 6F394BAA
      current inbound spi : 107D4E11

    inbound esp sas:
      spi: 0x107D4E11 (276647441)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 4231168, crypto-map: backup_isp_map6
         sa timing: remaining key lifetime (kB/sec): (3915000/25642)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x6F394BAA (1866025898)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 4231168, crypto-map: backup_isp_map6
         sa timing: remaining key lifetime (kB/sec): (3914999/25642)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: backup_isp_map6, seq num: 4, local addr: 47.44.163.130

      access-list backup_isp_cryptomap extended permit ip 172.16.0.0 255.255.0.0 192.168.192.0 255.255.224.0
      local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.192.0/255.255.224.0/0/0)
      current_peer: 207.236.213.66


      #pkts encaps: 1440992, #pkts encrypt: 1440992, #pkts digest: 1440992
      #pkts decaps: 1301545, #pkts decrypt: 1301545, #pkts verify: 1301545
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1440992, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 47.44.163.130/0, remote crypto endpt.: 207.236.213.66/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: E96E96F7
      current inbound spi : B8B96408

    inbound esp sas:
      spi: 0xB8B96408 (3099157512)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: backup_isp_map6
         sa timing: remaining key lifetime (kB/sec): (3905289/16758)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xE96E96F7 (3916338935)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: backup_isp_map6
         sa timing: remaining key lifetime (kB/sec): (3912710/16758)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

2 Replies

Philip D'Ath
VIP Alumni

Check your NAT configuration.

Not applicable

I enabled and disabled NAT exempt and it's working now.

Thanks! 
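
Added example (not part of the original thread, and not Cisco's own tooling): a small Python parser for the `show crypto ipsec sa` counters posted above, which compares the per-peer packet counters and flags the tunnel whose decaps, decrypt and recv error values disagree. The sample text is constructed by abridging the posted output; the function names are hypothetical, and the script only reports counter anomalies, not their cause.

```python
import re

# Constructed sample: counter lines abridged from the output in the thread.
SAMPLE = """\
      current_peer: 47.44.163.253
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 2, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 2
      current_peer: 207.236.213.66
      #pkts encaps: 1440992, #pkts encrypt: 1440992, #pkts digest: 1440992
      #pkts decaps: 1301545, #pkts decrypt: 1301545, #pkts verify: 1301545
      #send errors: 0, #recv errors: 0
"""

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z \-]*?):\s*(\d+)")

def parse_ipsec_sa(text):
    """Return {peer: {counter_name: int}} from 'show crypto ipsec sa' text."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = peers.setdefault(m.group(1), {})
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name.strip()] = int(value)
    return peers

def triage(counters):
    """List the counter anomalies for one peer's SA."""
    findings = []
    if counters.get("pkts encaps", 0) and not counters.get("pkts decaps", 0):
        findings.append("traffic sent but nothing received through the tunnel")
    if counters.get("pkts decaps", 0) > counters.get("pkts decrypt", 0):
        findings.append("packets decapsulated but not decrypted")
    for key in ("recv errors", "send errors"):
        if counters.get(key, 0):
            findings.append("%s: %d" % (key, counters[key]))
    return findings

def report(text):
    """Map each peer to its list of findings (empty list = consistent)."""
    return {peer: triage(c) for peer, c in parse_ipsec_sa(text).items()}

if __name__ == "__main__":
    for peer, findings in report(SAMPLE).items():
        print(peer, "->", findings or "counters consistent")
```

Run against the full pasted output, it singles out peer 47.44.163.253 while the 207.236.213.66 tunnel reports consistent counters.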
