IPSec l2l packet tracer type vpn subtype encrypt result DROP
Doesn't look like a NAT issue. A previous step in the trace shows the traffic being no-natted.
I have a rule matching a whole load of internal networks going to the required destinations and applying a no nat. During the trace it matches this rule.
I then created a specific rule for a test source and moved it to the top of the nat rules. Trace then matches that NAT rule but still drops at the same stage as in my initial post.
It does seem it's a failure to match the ACL for encrypting traffic but again I have checked and the source and destination are in that ACL.
As a test I labbed a tunnel with mismatching ACL entries at each end. The test was on PIXs, but when I had an ACL at one end with a host-to-host entry and the ACL at the other end with /24 subnets as source and destination, the traffic got matched and passed through the tunnel.
From my knowledge I cannot guide you in a fixed direction with the provided information. Please make sure that the following conditions are met:
When the final packet reaches the outside interface policy and crypto engine, its source IP, destination IP, port and protocol match the correct crypto map entry. What I mean is:
Recheck your NAT exempt or NATing (depending upon your crypto ACL).
Recheck that the crypto ACL of another crypto map entry doesn't include the same remote network as the one you are trying to add.
It should be permitted in the VPN filter, if there is any.
Please check show vpn-sessiondb detail L2L filter ipadd to check which group-policy is used for this VPN connection, and show run all group-policy. The VPN filter would, I believe, be there in show crypto ipsec as well as in vpn-sessiondb.
Unless the tunnel comes up it will still show drop in packet tracer. If none of these are the reason, after verifying the crypto ACL with the remote site, clear ipsec sa for this tunnel is definitely one thing you can try.
So this is a no nat on the test address I am using in the new subnet, 172.26.22.0
I can see the no nat translation hits incrementing as I send test traffic. I can also see the inside ACL and crypto ACL entries incrementing with test traffic. Is the trace misleading? If I do a trace on traffic already using the tunnel I get a success, but if I do it on traffic allowed on the tunnel but not currently using it I get the VPN drop. So this takes me back to the debug error:
Received non-routine Notify message: Invalid ID info (18)
Does that mean I received the message from the IPSec peer and it is not allowing the tunnel to come up with the new traffic?
The problem is usually this. Either you have something in your encryption domain that doesn't belong there, or you have something in your encryption domain that needs to be routed out someplace else outside of your tunnel. I.e.: I just had the same problem for a week. I sit down tonight and it occurs to me that Host A is coming from 192.168.X.X and needs to get to an AWS_VPC that's in the cloud. In my environment that means the traffic would have to traverse 2 firewalls. The first is the VPN FW; however, adding an ACL with just the host that Host A needs, by creating another group Remote_host (object-group network 192.168.27.15; object-group network 192.168.27.16), traffic was then able to pass through just fine. Don't forget to add a route for your remote host back to the FW the ACL resides on. In my case both FWs. Hope this helps someone out. While I agree with what others have said here somewhat, my experience has been, you got something wrong in your encryption domain. To prove it to yourself just run on your ASA sh crypto ipsec sa peer xxx.xxx.xxx.xxx (where x's are your peer's IP). If you don't see an IP for something the remote side is trying to reach, there's your answer.
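The checks the replies above keep coming back to (does the test flow actually hit a crypto ACL line, does the far end mirror that line or only overlap it, and does an earlier crypto map entry already cover the same remote network so the new one never gets used) can be walked through offline before touching the firewalls. The script below is an added example, not code from this thread or from Cisco: the crypto maps, peer ACLs and addresses are constructed, and the helper functions are hypothetical, not ASA commands. The thread itself notes that a host-to-host line against a /24 line still passed traffic on PIX, so an "overlap" result is a pointer to compare with the peer, not a verdict.

```python
from ipaddress import ip_network, ip_address
from itertools import combinations

# Constructed sample: our crypto map keyed by sequence number, each entry
# holding its crypto ACL as (source, destination) network pairs.
LOCAL_CRYPTO_MAP = {
    10: [("172.26.0.0/16", "10.50.0.0/16")],    # existing tunnel to peer A
    20: [("172.26.22.0/24", "10.50.0.0/16")],   # new entry reusing peer A's network
    30: [("172.26.22.0/24", "10.60.0.0/16")],   # new subnet to peer B
}

# Constructed view of what each peer has configured (should mirror our ACL).
REMOTE_CRYPTO_ACLS = {
    10: [("10.50.0.0/16", "172.26.0.0/16")],
    20: [("10.50.0.0/16", "172.26.0.0/16")],
    30: [("10.60.5.7/32", "172.26.22.9/32")],   # host-to-host on the far end
}


def _pairs(acl):
    """Turn ('src', 'dst') strings into IPv4Network objects."""
    return [(ip_network(s), ip_network(d)) for s, d in acl]


def find_crypto_entry(crypto_map, src_ip, dst_ip):
    """Return (seq, (src_net, dst_net)) for the first crypto ACL line that
    matches the flow, walking the map in sequence order the way the crypto
    engine does. None means no line matches, which is the situation where
    packet-tracer reports the VPN encrypt DROP."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for seq in sorted(crypto_map):
        for src_net, dst_net in _pairs(crypto_map[seq]):
            if s in src_net and d in dst_net:
                return seq, (src_net, dst_net)
    return None


def proxy_id_status(local_entry, remote_acl):
    """Classify how the peer's ACL relates to our matched line.
    'exact'   the peer has the mirror image (src/dst swapped) of our line
    'overlap' the peer's line covers overlapping but not identical networks
    'none'    nothing on the peer covers this src/dst pair at all"""
    src_net, dst_net = local_entry
    status = "none"
    for r_src, r_dst in _pairs(remote_acl):
        if r_src == dst_net and r_dst == src_net:
            return "exact"
        if r_src.overlaps(dst_net) and r_dst.overlaps(src_net):
            status = "overlap"
    return status


def overlapping_remote_networks(crypto_map):
    """Pairs of sequence numbers whose crypto ACLs cover the same remote
    (destination) network. Because the first matching entry wins, traffic
    meant for the later entry is silently steered to the earlier one."""
    hits = set()
    for a, b in combinations(sorted(crypto_map), 2):
        for _, dst_a in _pairs(crypto_map[a]):
            for _, dst_b in _pairs(crypto_map[b]):
                if dst_a.overlaps(dst_b):
                    hits.add((a, b))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst in [("172.26.22.5", "10.50.1.1"), ("172.26.22.9", "10.60.5.7"),
                     ("192.168.1.5", "10.50.1.1")]:
        hit = find_crypto_entry(LOCAL_CRYPTO_MAP, src, dst)
        if hit is None:
            print(f"{src} -> {dst}: no crypto ACL match (expect VPN encrypt DROP)")
            continue
        seq, entry = hit
        print(f"{src} -> {dst}: crypto map seq {seq}, peer ACL is "
              f"{proxy_id_status(entry, REMOTE_CRYPTO_ACLS[seq])}")
    print("crypto map entries sharing a remote network:",
          overlapping_remote_networks(LOCAL_CRYPTO_MAP))
```

Feed it the output of show run crypto map and the peer's mirrored ACL and the third function is the quickest way to spot the "another crypto map entry already includes that remote network" case from the checklist above; the second function flags the host-to-host versus subnet asymmetry that goes with an Invalid ID info notify in the debug.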