07-21-2010 08:46 AM - edited 02-21-2020 04:44 PM
Hello!
I am doing an IPsec tunnel to an Astaro V7 at a customer's site.
Origin is a UC540 with IOS 15.
I see the tunnel "green" on the Astaro, so it's OK, but no packets are going through:
UC540#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: CISCO, local addr x.x.x.202
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.49.0/255.255.255.0/0/0)
current_peer x.x.x.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39
#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xABA3137B(2879591291)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x349B38CE(882587854)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CISCO
sa timing: remaining key lifetime (k/sec): (4586494/835)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xABA3137B(2879591291)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000046, crypto map: CISCO
sa timing: remaining key lifetime (k/sec): (4586494/835)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
UC540#
UC540#ping 192.168.49.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UC540#ping
Protocol [ip]:
Target IP address: 192.168.49.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.....
Success rate is 0 percent (0/5)
UC540#
07-21-2010 08:55 AM
Based on the IPsec SA output, there is traffic being encrypted and decrypted, which means the VPN tunnel is actually up and running.
I would check to see if you have an ACL or zone-based firewall configured on the UC500 router that might be blocking the ICMP reply.
07-21-2010 09:41 AM
Hi,
Actually I disabled all "denys" for testing in my ACL -> I am testing the other side now.
Any way to completely disable that for testing?
07-21-2010 10:05 AM
If you have an ACL assigned to the interface, you would be able to just remove the ACL from the interface. Alternatively, if you are using ZBFW, you can take the zone member out of all interfaces (please make sure that you take it out from all interfaces; otherwise your traffic will not pass through the router between some interfaces. Also, if you have ZBFW, remove the zone member by consoling into the router, as you might be locked out of the router if you remove some of the zone members first while telnetting or SSHing into the router).
07-21-2010 04:45 PM
Thanks mate,
that was it... it was missing in the ACL for the route-map to the NAT interface.
Now it works!
Awesome!
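As an added example, not part of the thread and not Cisco tooling: a small Python script that applies the check given in the first reply (read the encaps/decaps counters before blaming IKE) and models the root cause reported at the end (the NAT route-map ACL must deny the VPN subnet pair ahead of its permit, because IOS translates inside-to-outside traffic before the crypto map classifies it, so a NATed packet no longer matches the crypto ACL's local ident). The SA text is a trimmed copy of the format posted above and the two NAT ACLs are constructed; the thread never shows the real ACL, so their contents are an assumption.

```python
import ipaddress
import re

# Constructed sample in the format of the 'show crypto ipsec sa' output above
# (public addresses kept as the x.x.x placeholders the poster used).
SAMPLE_SA_OUTPUT = """\
interface: FastEthernet0/0
Crypto map tag: CISCO, local addr x.x.x.202
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.49.0/255.255.255.0/0/0)
current_peer x.x.x.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39
#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
#send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERRORS_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per local/remote ident pair."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":          # a new local ident starts a new entry
                cur = {"encaps": 0, "decaps": 0}
                entries.append(cur)
            if cur is not None:          # dotted netmask is accepted by ip_network
                cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        if cur is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
        m = ERRORS_RE.match(line)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return entries


ANY = ipaddress.ip_network("0.0.0.0/0")


def nat_first_match(nat_acl, src, dst):
    """Sequential ACL evaluation: the first ACE matching source and destination wins.
    nat_acl is a list of (action, src_net, dst_net). Every IOS ACL ends in an
    implicit deny, so no match means the packet is not translated."""
    for action, s, d in nat_acl:
        if src in s and dst in d:
            return action
    return "deny"


def vpn_traffic_is_natted(nat_acl, sa):
    """True when a packet from the local ident to the remote ident would be
    translated: on IOS, inside-to-outside NAT runs before the crypto map sees
    the packet, so such traffic is rewritten and never matches the crypto ACL."""
    src = next(sa["local"].hosts())      # representative host on each side
    dst = next(sa["remote"].hosts())
    return nat_first_match(nat_acl, src, dst) == "permit"


def diagnose(sa, nat_acl):
    """Findings for one SA, in the order a practitioner would check them."""
    findings = []
    if sa["encaps"] > 0 and sa["decaps"] > 0:
        findings.append("SA encrypts and decrypts: IKE/IPsec is up, look for a "
                        "filter (interface ACL, ZBFW, NAT), not at the tunnel")
    elif sa["encaps"] == 0 and sa["decaps"] > 0:
        findings.append("peer traffic arrives but nothing is sent: local traffic "
                        "never reaches the crypto map (routing, NAT or crypto ACL)")
    elif sa["encaps"] > 0:
        findings.append("traffic is sent but nothing returns: check the remote "
                        "side's policy or its return route")
    else:
        findings.append("no traffic either way: nothing matched the crypto ACL")
    if vpn_traffic_is_natted(nat_acl, sa):
        findings.append(f"NAT ACL translates {sa['local']} -> {sa['remote']}: "
                        "add a deny for that pair ahead of the permit")
    return findings


LOCAL = ipaddress.ip_network("192.168.10.0/24")
REMOTE = ipaddress.ip_network("192.168.49.0/24")
# Constructed NAT ACLs (assumption; the thread does not show the real one):
# the broken one overloads everything from the LAN, the fixed one exempts the
# VPN pair first, which is the 'missing' entry reported in the last post.
NAT_ACL_BROKEN = [("permit", LOCAL, ANY)]
NAT_ACL_FIXED = [("deny", LOCAL, REMOTE), ("permit", LOCAL, ANY)]

if __name__ == "__main__":
    for name, acl in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        for sa in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
            print(name, diagnose(sa, acl))
```

Feed it the full `show crypto ipsec sa` output and your `ip nat inside source route-map` ACL expressed as (action, src, dst) tuples; an SA with both counters climbing plus a NAT hit on the VPN pair is exactly the "green tunnel, no pings" symptom from the first post.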