Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
759
Views
0
Helpful
4
Replies

IPSEC connection to foreign system trouble

Go to solution
kmmehlkmmehl
Level 1
Level 1

‎07-21-2010 08:46 AM - edited ‎02-21-2020 04:44 PM

Hello!

I am doing a IPSEC to an astaro V7 at a customers site

origin is a UC540 with IOS 15

I see the Tunnel "green" on the astaro .... so its ok, but no packets are going through:

UC540#show crypto ipsec sa

interface: FastEthernet0/0

    Crypto map tag: CISCO, local addr x.x.x.202

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.49.0/255.255.255.0/0/0)

   current_peer x.x.x.8 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39

    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

     current outbound spi: 0xABA3137B(2879591291)

     PFS (Y/N): Y, DH group: group2

     inbound esp sas:

      spi: 0x349B38CE(882587854)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 18, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CISCO

        sa timing: remaining key lifetime (k/sec): (4586494/835)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xABA3137B(2879591291)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000046, crypto map: CISCO

        sa timing: remaining key lifetime (k/sec): (4586494/835)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

UC540#

UC540#ping 192.168.49.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

UC540#ping

Protocol [ip]:

Target IP address: 192.168.49.1

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 192.168.10.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.1

.....

Success rate is 0 percent (0/5)

UC540#

Any idea?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kmmehlkmmehl

‎07-21-2010 10:05 AM

If you have ACL assigned to the interface, you would be able to just remove the ACL from the interface. Alternatively, if you are using ZBFW, you can take the zone member out of all interfaces (pls make sure that you take it out from all interfaces, otherwise, your traffic will not pass through the router between some interfaces, plus if you have ZBFW, remove the zone member by consoling to the router as you might be locked out of the router if you remove some of the zone member first while telneting or SSH into the router).

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎07-21-2010 08:55 AM

Base on the ipsec sa output, there are traffic being encrypted and decrypted, which means VPN tunnel is actually up and running.

I would check to see if you have ACL or Zone base firewall configured on the UC500 router that might be blocking the ICMP Reply.

0 Helpful

Go to solution
kmmehlkmmehl
Level 1
Level 1
In response to Jennifer Halim

‎07-21-2010 09:41 AM

hi

actually i disabled all "denys" for testing in my acl -> i am testing now the other side.

any way to complete disable that for testing?

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kmmehlkmmehl

‎07-21-2010 10:05 AM

If you have ACL assigned to the interface, you would be able to just remove the ACL from the interface. Alternatively, if you are using ZBFW, you can take the zone member out of all interfaces (pls make sure that you take it out from all interfaces, otherwise, your traffic will not pass through the router between some interfaces, plus if you have ZBFW, remove the zone member by consoling to the router as you might be locked out of the router if you remove some of the zone member first while telneting or SSH into the router).

0 Helpful

Go to solution
kmmehlkmmehl
Level 1
Level 1
In response to Jennifer Halim

‎07-21-2010 04:45 PM

thanks mate

that was it .. it was missing in the ACL for route map to nat int

now it works!

awesome!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents