I am having an issue with one of the IPSec tunnels. I have tried everything I could, but the IPSec phase is not encrypting or encapsulating; however, it is doing the decryption and decap with no issue, so the traffic pretty much looks unidirectional now. I have checked the configuration almost 5 times but I cannot see any issue in the configs on either end, so here is the scenario.
Let's say Site A is NYC and Site B is Sydney.
Site A is connected to Site B via IPSec, and to some other sites, but:
Site B is encrypting and encapsulating the traffic, but Site A is not.
Site A is decrypting and decapsulating the traffic, but Site B is not.
Please let me know if there are any troubleshooting steps you think would be useful.
The funny thing is, when I do a packet-tracer for ICMP or TCP/UDP between the hosts on both sides, the result is always "allowed", but when I ping from one host to another, or RDP, it never works. :(
Any help would be really appreciated.
Let me know if you need to verify the config first before making a comment.
A typical config mistake that shows this symptom is having NAT exemption done wrong. In packet-tracer this can also result in an "allow", but if you look at the details you see that the traffic is NATted and the VPN section in packet-tracer is not hit.
Double-check that the traffic uses the right NAT rule and that after NAT the source address still matches your crypto definition of the tunnel.
-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
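As an added illustration of the NAT-exemption check described in the reply above (an example configuration written for this thread, not the original poster's config; it uses ASA 8.2 syntax to match the versions discussed, and every interface name, subnet, ACL name and peer address is an assumed, constructed value):

```text
! --- Broken: no NAT exemption, so Site A -> Site B traffic is PATed to the outside IP ---
! constructed example: 10.1.0.0/16 = Site A LAN, 10.2.0.0/16 = Site B LAN
access-list SITE-B-VPN extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
crypto map OUTSIDE-MAP 10 match address SITE-B-VPN
! After PAT the source is the outside interface address, which no longer matches
! SITE-B-VPN, so the packet leaves in clear text: the firewall decrypts what the
! peer sends but never encrypts anything itself.

! --- Fixed: exempt the VPN traffic from NAT with a nat 0 access-list ---
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 interface
crypto map OUTSIDE-MAP 10 match address SITE-B-VPN

! --- Check: trace a packet and read the NAT and VPN phases, not just the final verdict ---
packet-tracer input inside icmp 10.1.1.10 8 0 10.2.1.10 detailed
! Expect a NAT phase showing the exemption (source left untranslated) followed by a
! VPN phase (Type: VPN, Subtype: encrypt). If the traced source shows as the outside
! address and no VPN phase appears, the exemption is not matching.

! --- Confirm on the live tunnel: the encaps/encrypt counters must move on both ends ---
show crypto ipsec sa peer 203.0.113.2
! "#pkts encaps" and "#pkts encrypt" staying at 0 while "#pkts decaps"/"#pkts decrypt"
! increase is exactly the one-way symptom from the first post.
```

The ACL used for `nat 0` and the ACL used for `match address` should describe the same source/destination pairs; a mismatch between the two (for example a redundant or stale subnet in one of them) is the first thing to compare line by line.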
No dude, I have checked everything on the NAT side, and I even lined up all the access rules in numerical order for the nat 0 access-list, but nothing made any difference. I created another tunnel just to verify, and the new tunnel has the same issue... so the issue is in Sydney, but this is the one which is encrypting and encapsulating but not decrypting and decapsulating.
But the issue has now been resolved by upgrading Site A from Version 8.2(1) to Version 8.2(5).
I have no idea how it happened, or whether there was a bug in 8.2(1) that was causing the issue, but one of my colleagues did the upgrade and the tunnel came back up.
The issue with the other firewall was because of two interesting-traffic entries going across to the same location with a redundant IP which no longer exists, so as soon as we deleted the redundant one, the tunnel came back up.
Let me know your thoughts on this please, what do you think?
This is a bug in the 8.2(1) software at least, and possibly some other maintenance releases of 8.2.
We have had this happen on 3 different VPN platforms in the past. The issue simply is that the ASA stops encrypting traffic, but the decrypted traffic from the remote host/site will continue to come through the VPN normally.
I don't have the bug ID at hand but I could try and take a look if I can find it.