Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
553
Views
0
Helpful
3
Replies

IPSEC l2l connection up but MTU sizes are different and no access to server

Mrkaprino
Level 1
Level 1

‎02-20-2007 07:24 AM - edited ‎02-21-2020 02:53 PM

Hi,

Our other office just moved and we setup a the new VPN l2l connection for the new office with two PIX 515e hardware. I am run PIX 7.0(4). when I run show crypto ipsec sa, I see it is up, but I can not reach the servers on the other side. We did notice the remote office's MTU size is 1400 only for the VPN connection, whil the interface is set to 1500. Could that be issues? I also check the crypto match access list and counters are incrementing.

show access-list XO_cryptomap_40_1

access-list XO_cryptomap_40_1; 3 elements

access-list XO_cryptomap_40_1 line 1

access-list XO_cryptomap_40_1 line 2 extended permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0 (hitcnt=47)

access-list XO_cryptomap_40_1 line 3

access-list XO_cryptomap_40_1 line 4 extended permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0 (hitcnt=15)

access-list XO_cryptomap_40_1 line 5

access-list XO_cryptomap_40_1 line 6 extended permit ip 172.16.2.0 255.255.255.0 10.2.0.0 255.255.192.0 (hitcnt=0)

PIX-FW# show crypto ipsec sa

interface: XO

Crypto map tag: XO_map, seq num: 40, local addr: XX.XX.XX.XX

access-list XO_cryptomap_40_1 permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.192.0

local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)

current_peer: XX.XX.XX.XX

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: xx.xx.xx.xx

path mtu 1500, ipsec overhead 60, media mtu 1500

current outbound spi: XXXXX

inbound esp sas:

spi: 0xXXXXXX (XXXXXXXXXX)

transform: esp-3des esp-md5-hmac

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 12, crypto-map: XO_map

sa timing: remaining key lifetime (kB/sec): (3824999/1367)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0xXXXXXXXX (xxxxxxxxx)

transform: esp-3des esp-md5-hmac

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 12, crypto-map: XO_map

sa timing: remaining key lifetime (kB/sec): (3825000/1365)

IV size: 8 bytes

replay detection support: Y

Crypto map tag: XO_map, seq num: 40, local addr: XX.XX.XX.XX

access-list XO_cryptomap_40_1 permit ip 10.13.36.0 255.255.254.0 10.2.0.0 255.255.192.0

local ident (addr/mask/prot/port): (10.13.36.0/255.255.254.0/0/0)

remote ident (addr/mask/prot/port): (10.2.0.0/255.255.192.0/0/0)

current_peer: XX.XX.XX.XX

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: XX.XX.XX.XX, remote crypto endpt.: XX.XX.XX.XX path mtu 1500, ipsec overhead 60, media mtu 1500

current outbound spi: XXXXXXX

inbound esp sas:

spi: 0xDXXXXXXX (XXXXXXXXX)

transform: esp-3des esp-md5-hmac

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 12, crypto-map: XO_map

sa timing: remaining key lifetime (kB/sec): (3824999/2218)

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x3XXXXXXX (XXXXXXXXXXX)

transform: esp-3des esp-md5-hmac

in use settings ={L2L, Tunnel, }

slot: 0, conn_id: 12, crypto-map: XO_map

sa timing: remaining key lifetime (kB/sec): (3825000/2218)

IV size: 8 bytes

replay detection support: Y

Labels:
0 Helpful
3 Replies 3

Mrkaprino
Level 1
Level 1

‎02-20-2007 07:44 AM

Also the show ipsec stats show that the inbound and outbound data is incrementing as well. Any help would be greatly appreciated.

Thanks,

Kap

show ipsec stats

IPsec Global Statistics

-----------------------

Active tunnels: 1

Previous tunnels: 371

Inbound

Bytes: 832734215

Decompressed bytes: 832734215

Packets: 6338989

Dropped packets: 7

Replay failures: 0

Authentications: 6338982

Authentication failures: 7

Decryptions: 6338982

Decryption failures: 0

Outbound

Bytes: 1651752913

Uncompressed bytes: 1651752913

Packets: 8060482

Dropped packets: 0

Authentications: 8060482

Authentication failures: 0

Encryptions: 8060482

Encryption failures: 0

Protocol failures: 0

Missing SA failures: 0

System capacity failures: 0

0 Helpful

Mrkaprino
Level 1
Level 1
In response to Mrkaprino

‎02-20-2007 09:09 AM

Acutally on hte inbound data is incremteenting, I am not able to get any outbound data incrementing.

0 Helpful

Mrkaprino
Level 1
Level 1
In response to Mrkaprino

‎02-20-2007 12:48 PM

nevemind we resolve the issue, seems like there is a conflict from the XO_map 40 and another XO_map 20. Why is that the case, since they each have been assigned to a diffrent peer ?

Anywa i remove XXO-map20 completey and it resolve all my VPN issues.

0 Helpful
Customers Also Viewed These Support Documents