
ASA Partial Encryption of the ACE

arumugasamy
Level 1

The actual problem is that the tunnel traffic between the local and remote sides is encrypted and decrypted for only one host. The other host's traffic is not encrypted and decrypted.

The crypto ACL is as below:

access-list vpn-list permit ip host 192.168.1.1 host 10.10.10.1

access-list vpn-list permit ip host 192.168.1.2 host 10.10.10.1

When the traffic of host 192.168.1.1 is encrypted, the other host 192.168.1.2 is not encrypted, and there was no ACL hit count increase.

What could be the issue?

We tried deleting the whole VPN configuration and reapplying it, and the result is as before.

'show crypto ipsec sa' shows that both are under the tunnel, but when one host is encrypted the other is not encrypted.

Ping to the remote host 10.10.10.1 from 192.168.1.1 is OK, but from 192.168.1.2 it failed. After some time, 192.168.1.2 can ping the remote host but 192.168.1.1 cannot.

Thanks

swami

2 Replies

mj11
Level 3

Hi swami

Are you able to check the No NAT statements?

Regards MJ

Patrick0711
Level 3

Check your NAT exempt access-list and ensure that the remote host has the same set of hosts specified in its crypto access-list.

The output of 'debug crypto isakmp 254' when initiating or receiving traffic would also be helpful.
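
One way to run the two checks suggested in the replies above (mirrored crypto ACLs on both peers, and NAT exemption covering every crypto ACL entry), as an added example that is not code from the thread. The remote peer's configuration, the `nonat` ACL name and its contents are constructed assumptions; the thread shows only the local crypto ACL.

```python
import ipaddress

# Local crypto ACL is from the thread; the "nonat" ACL and REMOTE_CFG are constructed samples.
LOCAL_CFG = """
access-list vpn-list permit ip host 192.168.1.1 host 10.10.10.1
access-list vpn-list permit ip host 192.168.1.2 host 10.10.10.1
access-list nonat permit ip host 192.168.1.1 host 10.10.10.1
"""
REMOTE_CFG = """
access-list vpn-list permit ip host 10.10.10.1 host 192.168.1.1
"""

def _take_addr(tok, i):
    """Parse one address spec at tok[i]: 'host A', 'any', or 'NET MASK'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2

def parse_acl(config, name):
    """Return the set of (source, destination) networks in 'permit ip' lines of ACL `name`."""
    entries = set()
    for line in config.splitlines():
        tok = [t for t in line.split() if t != "extended"]  # keyword is optional in pasted configs
        if tok[:4] != ["access-list", name, "permit", "ip"]:
            continue
        src, i = _take_addr(tok, 4)
        dst, _ = _take_addr(tok, i)
        entries.add((src, dst))
    return entries

def mirror_gaps(local, remote):
    """Compare peers from the local point of view by swapping source/destination of the remote ACL."""
    mirrored = {(d, s) for s, d in remote}
    return {"missing_on_remote": local - mirrored, "missing_on_local": mirrored - local}

def not_exempt(crypto, nat_exempt):
    """Crypto ACL entries that no NAT-exempt entry fully covers."""
    return {(s, d) for s, d in crypto
            if not any(s.subnet_of(es) and d.subnet_of(ed) for es, ed in nat_exempt)}

if __name__ == "__main__":
    local = parse_acl(LOCAL_CFG, "vpn-list")
    print(mirror_gaps(local, parse_acl(REMOTE_CFG, "vpn-list")))
    print(not_exempt(local, parse_acl(LOCAL_CFG, "nonat")))
```

With these constructed inputs, both checks flag the 192.168.1.2 to 10.10.10.1 entry: it has no mirror on the remote peer and no NAT exemption.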
