New Member

IPSec - No packets are encrypted, but decrypted

Hi All,

I am having an issue with one of the IPSec tunnels. I have tried everything I could, but the IPSec phase is not encrypting or encapsulating; however, it is doing the decryption and decapsulation with no issue, so traffic pretty much looks unidirectional now. I have checked the configuration almost 5 times, but I cannot see any issue in the configs on either end. So here is the scenario.

Let's say Site A is NYC and Site B is Sydney.

Site A is connected to Site B via IPSec, and to some other sites, but:

Site B is encrypting and encapsulating the traffic, but not Site A.

Site A is decrypting and decapsulating the traffic, but not Site B.

 

Please let me know any troubleshooting steps you think will be useful.

The funny thing is, when I do packet-tracer for ICMP or TCP/UDP between the hosts on both sides, the result is always "allowed", but when I ping from one host to another, or RDP, it never works. :(

Any help would be really appreciated.

 

Let me know if you need to verify the config first before making a comment.

Thanks

M

6 REPLIES
VIP Purple

A typical config mistake that shows this symptom is NAT exemption done wrong. In packet-tracer this can also result in an "allow", but if you look at the details you see that the traffic is NATted and the VPN section in packet-tracer is not hit.

Double-check that the traffic uses the right NAT rule and that, after NAT, the source address still matches your crypto definition of the tunnel.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Thanks for the reply. I faced that NAT issue before, but it was with ASA version 9.0, which has the before/after auto thing. Here I am using ASAs that are both below version 8.3,

which has no NAT rules, and I added the access-list along with the current one. But yeah, let me check again.

thanks


New Member

No dude, I have checked everything on the NAT side, and I even lined up all the access rules in numerical order for the nat 0 access-list, but nothing made any difference. I created another one just to verify, and the new tunnel has the same issue... so the issue is in Sydney, but this is the one who is encrypting and encapsulating but not decrypting and decapsulating.


Any idea?

VIP Purple

Can you show the counters from "sh vpn-sessiondb det l2l" on both boxes? And what's the output of packet-tracer on the device that doesn't encrypt, for traffic matching the tunnel?


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
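The counter comparison asked for above is the quickest way to confirm a one-way tunnel before digging into NAT exemption or the crypto ACL. The following is an added example, not code from the thread or from Cisco: it parses two snapshots of `show crypto ipsec sa` style output (constructed sample text here, shaped like the ASA's "#pkts encaps" / "#pkts decaps" lines, with RFC 5737 documentation addresses), diffs the per-peer counters between the snapshots, and reports any peer whose decaps counter moves while encaps stays flat (the symptom in this thread), or the reverse. The peer addresses, counter values and function names are all assumptions for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample text resembling ASA "show crypto ipsec sa" output.
# Not captured from a real device; addresses are RFC 5737 documentation ranges.
SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4212, #pkts decrypt: 4212, #pkts verify: 4212

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.3

      #pkts encaps: 900, #pkts encrypt: 900, #pkts digest: 900
      #pkts decaps: 870, #pkts decrypt: 870, #pkts verify: 870
"""

# Same peers a minute later: peer .2 only received, peer .3 moved both ways.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("decaps: 4212, #pkts decrypt: 4212, #pkts verify: 4212",
                                  "decaps: 4300, #pkts decrypt: 4300, #pkts verify: 4300") \
                         .replace("encaps: 900, #pkts encrypt: 900, #pkts digest: 900",
                                  "encaps: 950, #pkts encrypt: 950, #pkts digest: 950") \
                         .replace("decaps: 870, #pkts decrypt: 870, #pkts verify: 870",
                                  "decaps: 910, #pkts decrypt: 910, #pkts verify: 910")

PEER_RE = re.compile(r"current_peer:\s*([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


@dataclass
class SaCounters:
    encaps: int = 0  # packets this box encrypted and sent into the tunnel
    decaps: int = 0  # packets this box received from the tunnel and decrypted


def parse_ipsec_sa(text: str) -> Dict[str, SaCounters]:
    """Sum encaps/decaps per peer address; several SAs to one peer are merged."""
    counters: Dict[str, SaCounters] = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, SaCounters())
            continue
        if peer is None:
            continue  # counters before any peer line are not attributable
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer].encaps += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer].decaps += int(m.group(1))
    return counters


def classify_tunnels(before: Dict[str, SaCounters],
                     after: Dict[str, SaCounters]) -> Dict[str, str]:
    """Diff two snapshots and label each peer by the direction that is moving."""
    verdicts = {}
    for peer, now in after.items():
        prev = before.get(peer, SaCounters())
        tx = now.encaps - prev.encaps
        rx = now.decaps - prev.decaps
        if rx > 0 and tx == 0:
            verdicts[peer] = "ONE-WAY: decrypting but not encrypting"
        elif tx > 0 and rx == 0:
            verdicts[peer] = "ONE-WAY: encrypting but not decrypting"
        elif tx == 0 and rx == 0:
            verdicts[peer] = "IDLE: no traffic in either direction"
        else:
            verdicts[peer] = "OK: bidirectional"
    return verdicts


def check_snapshots(t0: str, t1: str) -> Dict[str, str]:
    return classify_tunnels(parse_ipsec_sa(t0), parse_ipsec_sa(t1))


if __name__ == "__main__":
    for peer, verdict in check_snapshots(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{peer:16} {verdict}")
```

Take the two snapshots a minute or so apart while test traffic is running, and run the check on both ends: a peer flagged "decrypting but not encrypting" on one box and "encrypting but not decrypting" on the other is the pattern from this thread, and it tells you which box to run packet-tracer on. Zero encaps with non-zero decaps on a freshly built SA usually means the outbound packet never reached the crypto engine (the NAT-exemption or crypto ACL mismatch from the first reply), whereas counters that were moving and then stopped on an otherwise healthy box fit the software defect mentioned later in the thread.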
New Member

Thanks Karsten,

But the issue has now been resolved by upgrading Site A from Version 8.2(1) to Version 8.2(5).

I have no idea how it happened, or whether there was a bug in 8.2(1) that was causing the issue, but one of my colleagues did the upgrade and the tunnel came back up.

The other issue, with the other firewall, was because of two interesting-traffic entries going across to the same location with a redundant IP which no longer exists, so as soon as we deleted the redundant one, the tunnel came back up.

Let me know your thoughts on this please, what do you think?

Super Bronze

Hi,

This is a bug in the 8.2(1) software at least, and possibly some other maintenance releases of 8.2.

We have had this happen on 3 different VPN platforms in the past. The issue simply is that the ASA stops encrypting traffic, but the decrypted traffic from the remote host/site will continue to come through the VPN normally.

I don't have the bug ID at hand, but I could try and take a look to see if I can find it.


- Jouni
