Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
ameen.ahmed
ameen.ahmed
Community Member
‎09-19-2013 09:21 AM
‎09-19-2013 09:21 AM

IPSec traffic is encrypted only from one side - why?

Hi Friends,

I've created a site to site VPN between cisco devices. VPN tunnels are coming up, but traffic is getting encryted only at side.

Anyone any idea why it's?

Output from local device:

Router#show crypto isa

CRPvtMUScingh01#show crypto isakmp sa | in 204.75.145.14

216.143.142.69  204.75.145.14   QM_IDLE             33    0 ACTIVE

Router#sh crypto ipsec sa | be 204.75.145.14

   current_peer 204.75.145.14 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.145.14

     path mtu 1412, ip mtu 1412

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.144.14

     path mtu 1412, ip mtu 1412

     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (205.173.92.5/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (204.75.145.138/255.255.255.255/0/0)

   current_peer 204.75.145.14 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 36, #pkts decrypt: 36, #pkts verify: 36

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 216.143.142.69, remote crypto endpt.: 204.75.145.14

     path mtu 1412, ip mtu 1412

     current outbound spi: 0x111D7A8E(287144590)

     inbound esp sas:

      spi: 0x86F5054A(2264204618)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3085, flow_id: Onboard VPN:85, crypto map: geshared

        sa timing: remaining key lifetime (k/sec): (4378030/3492)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x111D7A8E(287144590)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 3048, flow_id: Onboard VPN:48, crypto map: geshared

        sa timing: remaining key lifetime (k/sec): (4378031/3492)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Output from remote devcie:

ud1-vpn-rtr01a#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id status

216.143.142.69  204.75.145.14   QM_IDLE          14566 ACTIVE

ud1-vpn-rtr01a#sh cry ses bri

Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating

        K - No IKE

ivrf = (none)

           Peer     I/F        Username          Group/Phase1_id   Uptime Status

216.143.142.69   Gi0/2                           216.143.142.69 00:08:55    UA

ud1-vpn-rtr01a#sh cry ipsec sa peer 216.143.142.69

interface: GigabitEthernet0/2

    Crypto map tag: SMS, local addr 204.75.145.14

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (204.75.145.138/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (205.173.92.5/255.255.255.255/0/0)

   current_peer 216.143.142.69 port 500

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

Labels:
0 Helpful
Reply
5 REPLIES
npokhriy
npokhriy Silver
Silver
‎09-19-2013 12:04 PM
‎09-19-2013 12:04 PM

IPSec traffic is encrypted only from one side - why?

Hi Ameen,

Please Check your nat-exempt statements on local device. It seems that packet is coming on this device but reply is not going back.

you can take captures on inside interface of local device to check whether packet is coming back to inside interface or not.

You can check your internal routing as well.

If possible, share your configuration froim local device.

Regards,

Naresh

0 Helpful
Reply
Marvin Rhoads
Hall of Fame Super Silver Marvin Rhoads Hall of Fame Super Silver
Hall of Fame Super Silver
‎09-19-2013 07:47 PM
‎09-19-2013 07:47 PM

IPSec traffic is encrypted only from one side - why?

Naresh's advice is good.

The most common cause I would see is that the local site's routing is not sending the return traffic back into the ASA for encapsulation into the VPN tunnel.

0 Helpful
Reply
ameen.ahmed
ameen.ahmed
Community Member
‎09-20-2013 04:46 AM
‎09-20-2013 04:46 AM

IPSec traffic is encrypted only from one side - why?

Thanks for your helps. Device configurations are below:-

Router#

!

crypto ipsec transform-set xyz esp-3des esp-sha-hmac

!

crypto isakmp key ABC-Main address 30.30.30.10

crypto isakmp key ABC-DR address 30.30.30.20

!

crypto map abcdefg 260 ipsec-isakmp

description *** VPN Tunnel - To Main location ***

set peer 30.30.30.10

set transform-set xyz

match address Main-ABC

!

crypto map abcdefg 270 ipsec-isakmp

description *** VPN Tunnel - To DR location ***

set peer 30.30.30.20

set transform-set xyz

match address DR-ABC

!

ip route 30.30.30.10 255.255.255.255 20.20.20.1 name main-peer

ip route 30.30.30.20 255.255.255.255 20.20.20.1 name DR-peer

!

ip route 10.10.10.5 255.255.255.255 20.20.20.1 name towards-remote-site

!

ip route 192.168.20.31 255.255.255.255 192.168.1.5 name towards-firewall

!

ip access-list extended Main-ABC

remark *** VPN Tunnel - To Main location ***

permit ip host 192.168.20.31 host 10.10.10.5

!

ip access-list extended DR-ABC

remark *** VPN Tunnel - To DR location ***

permit ip host 192.168.20.31 host 10.10.10.5

!

!

Firewall#

!

static (inside,outside) 192.168.20.31 15.10.10.5 netmask 255.255.255.255           - NAT for inside server

!

static (outside,inside) 15.20.20.5 10.10.10.5 netmask 255.255.255.255          - NAT for remote server

!

route outside 10.10.10.5 255.255.255.255 192.168.1.10          ! towards Router

!

object-group service tcp_service tcp

port-object eq 3389

port-object eq 443

port-object eq 21

!

object-group service udp_service udp

port-object eq 161

port-object eq 162

!

object-group network source

network-object host 10.10.10.5

!

object-group network destination

network-object host 192.168.20.31

!

access-list on-outside-to-in extended permit tcp object-group source object-group destination object-group tcp_service

access-list on-outside-to-in extended permit udp object-group source object-group destination object-group udp_service

access-list on-outside-to-in extended permit icmp object-group source object-group destination object-group ICMP-ALLOWED

!

!

0 Helpful
Reply
ameen.ahmed
ameen.ahmed
Community Member
‎09-20-2013 04:53 AM
‎09-20-2013 04:53 AM

IPSec traffic is encrypted only from one side - why?

On both sides, we use Cisco router as VPN peers.

0 Helpful
Reply
ameen.ahmed
ameen.ahmed
Community Member
‎09-23-2013 04:54 AM
‎09-23-2013 04:54 AM

IPSec traffic is encrypted only from one side - why?

Any idea friends?

0 Helpful
Reply
Latest Documents
Snort IPS on ISR, ISRv and CSR - Step-By-Step Configuration
Created by Kureli Sankar on 04-19-2018 11:25 AM
0
0
0
0
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin... view more
Upgrade Chassis Manager (FXOS)
Created by Jeet Kumar on 02-23-2018 02:51 AM
2
15
2
15
    Login to the FXOS chassis manager. Direct your browser to https://hostname/, and log-in using the user-name and password.     Go to Help > About and check the current version:    Check the current version availa... view more
ASA 5506-X with ipv6 no access to internet
Created by Klaxel on 02-08-2018 01:25 AM
3
5
3
5
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6. In Syslog I also se... view more
All Documents
1411
Views
0
Helpful
5
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
AnyConnect Certificate Based Authentication.
Created by Marvin Ruiz on 08-27-2012 05:20 PM
36
70
36
70
BLOG (No Title)
Created by athukral on 06-14-2011 04:23 AM
15
35
15
35
Wireless Hacking
Created by Anim Saxena on 01-24-2013 07:56 AM
2
20
2
20
All Blogs