Encapsulation problem VPN L2L

Hi,

I have a problem with an L2L VPN between a Cisco ASA 8.2(1) and a Cisco 2801 router.


Randomly, some network defined in the split tunnel stops working. The VPN is up and I see the packets come through the tunnel with 'debug icmp trace':

ICMP echo request from outside:MYVEM-1 to inside:192.168.11.11 ID=28964 seq=0 len=42
ICMP echo reply from inside:192.168.11.11 to outside:MYVEM-1 ID=28964 seq=0 len=42


ICMP echo request from outside:MYVEM-1 to inside:192.168.11.12 ID=29220 seq=0 len=42
ICMP echo reply from inside:192.168.11.12 to outside:MYVEM-1 ID=29220 seq=0 len=42

and 'show crypto ipsec sa' confirms this, but the reply from 192.168.11.12 is not encapsulated:

sh cry ips sa | b 192.168.11.
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (MYVEM-1/255.255.255.255/0/0)
      current_peer: 195.234.232.30

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35

I tried to reset the VPN many times and erased the configuration, but the only resolution is to turn the Cisco ASA off and on again.

On the Cisco router I have a lot of L2L VPNs that work properly; this problem is present only in this scenario and has happened two times in the last month. Could it be the software version 8.2(1)?

Thank you in advance

BR

Fabrizio

4 Replies

rahgovin
Level 4

Since it works fine after reloading the ASA, it could be a defect in the 8.2.1 code.

There is a bug where duplicate ASP table entries form for IPsec L2L tunnels, causing the ASA not to encapsulate for particular tunnels.

Bug ID is CSCtb53186. Preferably get to the latest interim for 8.2.1.

But just to be sure it is this bug: does the VPN traffic work fine after reloading? Also, in 'show asp table vpn-context detail', do you see duplicate entries for the remote subnet in the out direction?

Bug ID CSCtb53186 is under review for publishing; I can't check it.

Does the VPN traffic work fine after reloading?

Yes, it's the only task that resolves the problem.

Also, in 'show asp table vpn-context detail', do you see duplicate entries for the remote subnet in the out direction?

I tried to use this command but I don't understand the output, sorry. Could you help me understand what I have to check?

The split tunnel has 13 lines. When the problem occurs, only one subnet stops responding and the other traffic works fine, and the subnet is not the same every time; it is random.

Thank you

Fabrizio

I am kinda sure that's the bug, since you say a random subnet gets affected each time and only reloading solves the issue.

Do a 'show asp table vpn-context detail | begin'

Ideally, for a single remote subnet you should see 1 incoming and 1 outgoing context, each associated with the right SPIs formed for the IPsec SA. But in your case you should see an extra outgoing one for the remote subnet in question. In those two contexts, check whether the packets-encrypted counter is >0 for the right SPI (the SPI can be found from 'show crypto ipsec sa peer'). If there are no packets for the right SPI, then it is likely that the packets are hitting the wrong context (the one with a different SPI). The fix for this issue is to go to 8.2.1.18.
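The symptom in the original question (a per-subnet SA whose '#pkts decaps' climbs while '#pkts encaps' stays at 0) and the "confirm it is really this bug" check in the reply above can be turned into a small triage script. The following is an added example, not code from the thread or from Cisco: it parses the text of 'show crypto ipsec sa' in the field layout shown in the question, taken as two snapshots a few seconds apart, and flags SAs whose inbound counter advanced while the outbound counter did not. Diffing two snapshots matters because a single reading with encaps 0 can just mean no return traffic has been sent yet. The device output embedded below is constructed for the example (documentation IP ranges, made-up counter values); the 'show asp table vpn-context detail' duplicate-context check from the reply is not parsed here, since that output format is not on the page.

```python
"""Flag IPsec SAs that decapsulate traffic but never encapsulate replies.

Added example (not from the original post). Works on the text of
`show crypto ipsec sa` from a Cisco ASA; the field names matched below
are the ones visible in the thread's own excerpt.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Field layout as printed by `show crypto ipsec sa` (see the thread excerpt).
_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]*)\)")
_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
_PEER = re.compile(r"current_peer: (\S+)")
_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_DECAPS = re.compile(r"#pkts decaps: (\d+)")


@dataclass(frozen=True)
class SaCounters:
    local_ident: str
    remote_ident: str
    peer: str
    encaps: int
    decaps: int


def parse_ipsec_sa(text: str) -> dict[tuple[str, str], SaCounters]:
    """Return one SaCounters per (local ident, remote ident) pair.

    Each SA block starts at a 'local ident' line; everything up to the next
    'local ident' line belongs to that block.
    """
    result: dict[tuple[str, str], SaCounters] = {}
    # re.split with one capture group yields [prefix, local1, body1, local2, body2, ...]
    parts = _LOCAL.split(text)
    for i in range(1, len(parts) - 1, 2):
        local, body = parts[i], parts[i + 1]
        remote, peer = _REMOTE.search(body), _PEER.search(body)
        enc, dec = _ENCAPS.search(body), _DECAPS.search(body)
        if not (remote and peer and enc and dec):
            continue  # truncated block, e.g. output cut short by a '| begin' filter
        key = (local, remote.group(1))
        result[key] = SaCounters(local, remote.group(1), peer.group(1),
                                 int(enc.group(1)), int(dec.group(1)))
    return result


def find_one_way_sas(before: str, after: str) -> list[SaCounters]:
    """SAs whose decaps counter grew between snapshots while encaps stayed flat.

    Requiring decaps to *grow* separates an idle SA (nothing to send yet)
    from the failure in the thread: replies are generated but never encapsulated.
    """
    old_sas, new_sas = parse_ipsec_sa(before), parse_ipsec_sa(after)
    suspects = []
    for key, new in new_sas.items():
        old = old_sas.get(key)
        if old is None:
            continue  # SA came up between snapshots; nothing to compare against
        if new.decaps > old.decaps and new.encaps == old.encaps:
            suspects.append(new)
    return suspects


# Constructed sample output (not from a real device). Two SAs to the same peer:
# 192.168.10.0/24 is healthy, 192.168.11.0/24 shows the thread's symptom.
SNAPSHOT_1 = """\
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.7/255.255.255.255/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 35, #pkts decrypt: 35, #pkts verify: 35
"""
SNAPSHOT_2 = SNAPSHOT_1.replace("encaps: 120", "encaps: 125") \
                       .replace("decaps: 118", "decaps: 123") \
                       .replace("decaps: 35", "decaps: 41")  # encaps for .11.0 stays 0


if __name__ == "__main__":
    for sa in find_one_way_sas(SNAPSHOT_1, SNAPSHOT_2):
        print(f"one-way SA: {sa.local_ident} <-> {sa.remote_ident} via {sa.peer} "
              f"(decaps {sa.decaps}, encaps {sa.encaps})")
```

In practice you would capture the two snapshots with 'show crypto ipsec sa' a few seconds apart while pinging through the tunnel, then take the flagged local/remote identities to 'show asp table vpn-context detail' to look for the duplicate outbound context the reply describes.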

I could read the bug, and I agree with you. I was afraid that the problem was due to the software version; I needed the confirmation. I will upgrade to the 8.2(2) version.

Thank you very much for your help.

Fabrizio
