New Member

IPSEC connection to foreign system trouble

Hello!

I am doing an IPSEC tunnel to an Astaro V7 at a customer's site.

Origin is a UC540 with IOS 15.

I see the tunnel "green" on the Astaro, so it's OK, but no packets are going through:

UC540#show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: CISCO, local addr x.x.x.202

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.49.0/255.255.255.0/0/0)
   current_peer x.x.x.8 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 39, #pkts encrypt: 39, #pkts digest: 39
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xABA3137B(2879591291)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x349B38CE(882587854)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 18, flow_id: Onboard VPN:18, sibling_flags 80000046, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4586494/835)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xABA3137B(2879591291)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000046, crypto map: CISCO
        sa timing: remaining key lifetime (k/sec): (4586494/835)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

UC540#

UC540#ping 192.168.49.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

UC540#ping
Protocol [ip]:
Target IP address: 192.168.49.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.10.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.49.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1
.....
Success rate is 0 percent (0/5)

UC540#

Any idea?

4 REPLIES
Super Bronze

Re: IPSEC connection to foreign system trouble

Based on the ipsec sa output, there is traffic being encrypted and decrypted, which means the VPN tunnel is actually up and running.

I would check to see if you have an ACL or Zone-Based Firewall configured on the UC500 router that might be blocking the ICMP reply.

New Member

Re: IPSEC connection to foreign system trouble

Hi,

Actually I disabled all "denys" for testing in my ACL -> I am now testing the other side.

Any way to completely disable that for testing?

Super Bronze

Re: IPSEC connection to foreign system trouble (Accepted Solution)

If you have an ACL assigned to the interface, you would be able to just remove the ACL from the interface. Alternatively, if you are using ZBFW, you can take the zone member out of all interfaces (please make sure that you take it out from all interfaces, otherwise your traffic will not pass through the router between some interfaces; plus, if you have ZBFW, remove the zone member by consoling to the router, as you might be locked out of the router if you remove some of the zone members first while telnetting or SSHing into the router).
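As an added example, not from the original thread, this is what the checks the first reply suggests (confirm the SA counters, then look for an interface ACL or ZBFW) and the temporary removal the accepted answer describes look like on the IOS CLI. The interface names Vlan1 and FastEthernet0/0, the ACL number 104 and the zone names in-zone and out-zone are assumptions; substitute whatever `show running-config` shows on the UC540. Do the zone-member removal from the console, as the answer says, because the first `no zone-member` on the interface you are logged in through can drop your session.

```cisco
! 1. Confirm the tunnel really carries traffic: both encaps and decaps should
!    increase while you ping, otherwise it is a crypto problem, not a filter
show crypto ipsec sa | include pkts encaps|pkts decaps
ping 192.168.49.1 source 192.168.10.1
show crypto ipsec sa | include pkts encaps|pkts decaps
!
! 2. Find out what is filtering on the WAN and LAN interfaces
show ip interface FastEthernet0/0 | include access list
show ip interface Vlan1 | include access list
show zone security
show zone-pair security
!
! 3a. Interface ACL case: detach the ACL for the test (the ACL itself stays
!     defined, so "ip access-group 104 in" puts it straight back afterwards)
configure terminal
 interface FastEthernet0/0
  no ip access-group 104 in
 end
!
! 3b. ZBFW case: pull EVERY interface out of its zone, from the console.
!     With only one side removed, traffic between a zoned and an unzoned
!     interface is dropped, so the test would be meaningless.
configure terminal
 interface FastEthernet0/0
  no zone-member security out-zone
 interface Vlan1
  no zone-member security in-zone
 end
!
! 4. Re-test; if the ping now works the filter was the cause
ping 192.168.49.1 source 192.168.10.1
!
! 5. Put the filtering back as soon as the test is done
configure terminal
 interface FastEthernet0/0
  ip access-group 104 in
  zone-member security out-zone
 interface Vlan1
  zone-member security in-zone
 end
```

The sourced ping matters: a plain `ping 192.168.49.1` leaves from the WAN address x.x.x.202, which is not in the crypto ACL's local identity (192.168.10.0/24), so it would never enter the tunnel regardless of any ACL or firewall.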

New Member

Re: IPSEC connection to foreign system trouble

Thanks mate,

That was it. It was missing in the ACL for the route map to the NAT interface.

Now it works!

Awesome!
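The fix the last post describes, as an added example rather than the poster's actual configuration: on IOS, inside-to-outside NAT runs before the crypto map is consulted, so LAN traffic that gets translated to the WAN address no longer matches the crypto ACL's local identity (192.168.10.0/24) and is sent out untranslated through the crypto map's point of view, i.e. in the clear, instead of into the tunnel. The NAT ACL behind the route map must therefore deny the VPN traffic ahead of its permit. The networks 192.168.10.0/24 and 192.168.49.0/24, peer x.x.x.8 and interface FastEthernet0/0 come from the SA output; the ACL, route-map and transform-set names are assumptions.

```cisco
! Interesting traffic: matches the local/remote idents shown in "show crypto ipsec sa"
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.49.0 0.0.0.255
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CISCO 10 ipsec-isakmp
 set peer x.x.x.8
 set transform-set ESP-3DES-SHA
 set pfs group2
 match address VPN-TRAFFIC
!
! BEFORE (broken): the NAT ACL translates all LAN traffic, VPN-bound included.
! A ping from 192.168.10.1 leaves as x.x.x.202 -> 192.168.49.1, which does not
! match VPN-TRAFFIC, so it is never encrypted.
ip access-list extended NAT-ACL
 permit ip 192.168.10.0 0.0.0.255 any
!
! AFTER (fixed): a deny in a NAT ACL means "do not translate"; it must come
! before the permit, since the first matching entry wins.
no ip access-list extended NAT-ACL
ip access-list extended NAT-ACL
 deny   ip 192.168.10.0 0.0.0.255 192.168.49.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
route-map NAT-RMAP permit 10
 match ip address NAT-ACL
!
ip nat inside source route-map NAT-RMAP interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 ip nat outside
 crypto map CISCO
!
interface Vlan1
 ip nat inside
!
! Verify: no translation for the remote LAN, and the encaps counter increases
ping 192.168.49.1 source 192.168.10.1
show ip nat translations | include 192.168.49
show crypto ipsec sa | include pkts encaps
```

If `show ip nat translations` still lists entries toward 192.168.49.x, the deny is not being hit; check that the route map references the ACL you edited and that no other `ip nat inside source` statement matches the traffic first.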
