01-15-2014 12:47 AM - edited 02-21-2020 07:26 PM
I have set up an IPsec VPN tunnel with a partner of ours, on a Cisco ASA 5510 v 8.4(5)6, with both phases up and running. Access lists are fully open so all traffic is allowed, and I have a continuous ping running, with no reply (although the server is pingable).
When I troubleshoot my VPN, I can see both phase 1 and 2 are up, so parameters are matching, but crypto IPsec debug shows me:
This is a very strange result for me. I am familiar with not receiving packages from the other side, when the number of decaps is 0 too, but here we receive packages, but decryption seems to fail, which is strange because the tunnel is online, so encryption must be matching.
How is this possible?
EDIT: further logs are giving more clues: #pkts invalid identity (rcv): 7
02-27-2016 12:24 AM
Hello
Please share your config for the tunnel and the output of the show command below:
sh cry ipsec sa peer <remote tunnel ip> detail
It seems the remote end's packets are hitting the device but failing to decrypt.
#Rohan
02-27-2016 05:03 AM
Hi.
What do you see when giving this command on the ASA:
show crypto ikev1 sa
I believe you can see your peer, and you mentioned that phase 1 and phase 2 are established. I had a similar situation a few days ago. I had phase 1 and phase 2 passed, the same issue as you had. Later, digging into it, I found out I had an issue with my internal network routing. Adding a static route toward my firewall from my internal network fixed the issue.
02-27-2016 08:28 AM
Hi Pieter,
I have seen such issues where there is an issue with NAT config or NAT-T.
Can you please confirm the remote side has set up correct routing and NAT.
Also, config pertaining to VPN and complete debugs would really help in this case.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
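The replies above all ask for the `show crypto ipsec sa ... detail` counters, so here is a small added helper (not from the thread or from Cisco) that parses those counters from a constructed sample and flags the pattern the original poster describes: decaps incrementing while `#pkts invalid identity (rcv)` also increments, which means the peer's traffic is arriving and being decrypted but its inner addresses do not match this SA's local/remote ident (proxy identities), so the crypto ACL or NAT on the far end is the place to compare. The sample text and the counter names are modelled on ASA output but are constructed here, not captured from the poster's device.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of "show crypto ipsec sa peer <ip> detail" output.
# Addresses and counts are made up to reproduce the symptom described in the thread.
SAMPLE_SA = """\
    local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
    #pkts invalid identity (rcv): 7
    #send errors: 0, #recv errors: 0
"""

# Matches "#<name>: <count>" items, several of which may share one line.
COUNTER_RE = re.compile(r"#(pkts [^:,]+|send errors|recv errors):\s*(\d+)")


def parse_counters(text: str) -> Dict[str, int]:
    """Return a {counter name: value} map for every '#...: N' counter in the output."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def diagnose(c: Dict[str, int]) -> List[str]:
    """Turn the counters into the checks a VPN troubleshooter would run next."""
    findings: List[str] = []
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if encaps and not decaps:
        # Classic one-way tunnel: we send, nothing comes back.
        findings.append("one-way: nothing received; check remote routing, NAT and crypto ACL")
    if decaps and c.get("pkts decrypt", 0) < decaps:
        # Packets arrive but are not all decrypted: transform/SPI problem on the SA.
        findings.append("received packets not all decrypted; compare transform sets and clear the SA")
    if c.get("pkts invalid identity (rcv)", 0):
        # Decrypted inner packet did not match this SA's local/remote ident.
        findings.append("decrypted packets do not match this SA's proxy identities; "
                        "compare remote crypto ACL and NAT with local/remote ident")
    if c.get("recv errors", 0) or c.get("send errors", 0):
        findings.append("send/recv errors present; check fragmentation, MTU and anti-replay")
    return findings or ["counters look healthy"]


if __name__ == "__main__":
    for line in diagnose(parse_counters(SAMPLE_SA)):
        print(line)
```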