
New Member

IPsec vpn qns

Hi,

I have two questions on IPsec VPN.

I have an ASA running an IPsec VPN (L2L) to a remote site with the network 192.168.0.0/24.

1> I can ping 192.168.0.1 but not 192.168.0.111. I observed "recv errors" whenever I pinged 192.168.0.111.

I observed receive errors in the "show crypto ipsec sa" output, but not since the tunnel reconnected (after a timeout), without any changes to the config.

What could be the cause, and how can I troubleshoot it, in case the errors return? I can't find much info on the "recv errors".

2> I understand there are two ACLs required for a typical IPsec VPN: one for no-NAT, one for the crypto map match address.

Can I implement an ACL to allow only TCP 3389 from the remote network to my local network on the ASA?

thanks

cash

6 REPLIES
Bronze

Re: IPsec vpn qns

Hi Cash,

Receive errors are generally seen if the packet is malformed or if the packet is modified by a device on the transit path, resulting in checksum failures and other problems.

So it is not such a big cause for concern, and as you said, on renegotiation the issue was resolved.

As far as your question about TCP port 3389 is concerned, do you want to allow only TCP port 3389 across the VPN?

If so, we could use VPN filters. This is a better idea and implementation than using 3389 in the crypto ACL.

The guide for setting up VPN filters on Cisco ASA is provided in the link below,

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Cheers,

Nash.
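To make the vpn-filter recommendation above concrete, here is an added example (editor's addition, not from the thread or from Cisco's documentation): the ASA configuration lines for a filter that admits only TCP 3389 from the remote 192.168.0.0/24 towards the local 172.16.10.0/24 (the local network visible in Cash's later "show crypto ipsec sa" output), together with a small Python model of how the ASA evaluates a vpn-filter ACL. The peer address 203.0.113.10 and the names RDP-ONLY and L2L-RDP are made up. The point the model makes is the one that trips people up: vpn-filter ACEs are written with the remote (peer-side) network as source and the local network as destination, and the same ACL is applied to both directions, with source and destination swapped for traffic leaving the local site. So remote-initiated RDP is permitted, local-initiated RDP is not, but a locally initiated TCP connection whose source port happens to be 3389 would also pass, which is the documented side effect of a bidirectional filter. Object-groups, port ranges, ICMP and the stateful handling of return traffic are deliberately left out of the model.

```python
"""Cisco ASA vpn-filter: configuration lines and a model of their evaluation.

Added example, not from the thread. The ACL/group-policy names and the peer
address 203.0.113.10 are invented. The model follows the documented vpn-filter
rule: ACEs name the remote (peer-side) network as source and the local network
as destination, and the same ACL is checked in both directions, with source and
destination (addresses and ports) swapped for traffic leaving the local site.
Object-groups, port ranges, ICMP and stateful return traffic are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical ASA configuration: allow only RDP initiated from the remote
# 192.168.0.0/24 towards the local 172.16.10.0/24 over this L2L tunnel.
VPN_FILTER_CONFIG = """\
access-list RDP-ONLY extended permit tcp 192.168.0.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 3389
group-policy L2L-RDP internal
group-policy L2L-RDP attributes
 vpn-filter value RDP-ONLY
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L-RDP
"""


@dataclass
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network   # remote (peer-side) network
    dst: ipaddress.IPv4Network   # local network
    dport: Optional[int]         # destination port, None means any


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit tcp SRC MASK DST MASK [eq PORT]'."""
    t = line.split()
    if len(t) < 9 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    src = ipaddress.IPv4Network(f"{t[5]}/{t[6]}")
    dst = ipaddress.IPv4Network(f"{t[7]}/{t[8]}")
    dport = int(t[10]) if len(t) >= 11 and t[9] == "eq" else None
    return Ace(t[3], t[4], src, dst, dport)


def load_acl(config: str) -> List[Ace]:
    """Collect the access-list lines of a configuration snippet, in order."""
    return [parse_ace(line) for line in config.splitlines()
            if line.startswith("access-list ")]


def vpn_filter_permits(acl, proto, src_ip, dst_ip, sport, dport, inbound):
    """First-match evaluation with implicit deny at the end.

    inbound=True : packet arrives from the tunnel (remote -> local).
    inbound=False: packet leaves towards the tunnel (local -> remote); the ASA
                   swaps source/destination before matching against the ACL.
    """
    if not inbound:
        src_ip, dst_ip, sport, dport = dst_ip, src_ip, dport, sport
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if (ace.proto in ("ip", proto) and s in ace.src and d in ace.dst
                and (ace.dport is None or ace.dport == dport)):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    acl = load_acl(VPN_FILTER_CONFIG)
    cases = [
        ("remote -> local RDP",        "tcp", "192.168.0.111", "172.16.10.5", 51000, 3389, True),
        ("remote -> local SSH",        "tcp", "192.168.0.111", "172.16.10.5", 51000, 22, True),
        ("local -> remote RDP",        "tcp", "172.16.10.5", "192.168.0.111", 51000, 3389, False),
        ("local sport 3389 -> remote", "tcp", "172.16.10.5", "192.168.0.111", 3389, 51000, False),
    ]
    for name, *args in cases:
        verdict = "permit" if vpn_filter_permits(acl, *args) else "deny"
        print(f"{name:28s} {verdict}")
```

The filter lives in the group policy, not in the crypto ACL, so the tunnel still negotiates the full 192.168.0.0/24 to 172.16.10.0/24 selectors and the ASA drops everything but RDP after decryption. If the remote side must never initiate anything but RDP and local users must not be able to open connections from source port 3389, add a second, more specific ACE or rely on the stateful inspection of the established connection.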

New Member

Re: IPsec vpn qns

hi,

I am getting the recv errors again. The other end seems to be having intermittent problems communicating with my local machines.

The ping (from the remote end to local) failed. There are packets with invalid identity in "show crypto ipsec sa detail".

Am I missing something?

# show crypto ipsec sa detail
interface: outside
    Crypto map tag: mymap, seq num: 30, local addr:

      access-list permit ip 172.16.10.0 255.255.255.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer:

      #pkts encaps: 7101, #pkts encrypt: 7101, #pkts digest: 7101
      #pkts decaps: 7542, #pkts decrypt: 6710, #pkts verify: 6710
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7101, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 832, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: , remote crypto endpt.:

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 38C7E0BF

    inbound esp sas:
      spi: 0x8989134D (2307461965)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 24, crypto-map: mymap
         sa timing: remaining key lifetime (sec): 20728
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x38C7E0BF (952623295)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 24, crypto-map: mymap
         sa timing: remaining key lifetime (sec): 20728
         IV size: 8 bytes
         replay detection support: Y
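Cash asks how to troubleshoot the receive errors. As an added example (editor's addition, not from the thread), here is a small Python helper that parses the "#pkts" counter lines of one SA from "show crypto ipsec sa detail" and reports which receive-side error counters are non-zero, together with the gap between packets decapsulated and packets decrypted. The sample input is the counter block posted above. Two things are worth noticing in that output: the "invalid identity (rcv)" counter increments when a received packet, once decapsulated, carries an inner source/destination that does not fall within the SA's local/remote ident (the proxy identities negotiated from the crypto ACL), and decaps minus decrypt is 7542 - 6710 = 832, exactly the invalid identity count. Those 832 packets were therefore dropped on a traffic-selector mismatch, not damaged on the wire, which is a reason to compare the crypto ACLs on both peers before involving the ISP.

```python
"""Triage helper for 'show crypto ipsec sa detail' counters on a Cisco ASA.

Added example, not from the thread. It parses the '#pkts ...' counter lines of
one SA and reports the receive-side error counters that are non-zero, plus the
gap between packets decapsulated and packets decrypted.
"""
import re
from typing import Dict, List

# Counter lines copied from the thread's 'show crypto ipsec sa detail' output.
SAMPLE = """\
      #pkts encaps: 7101, #pkts encrypt: 7101, #pkts digest: 7101
      #pkts decaps: 7542, #pkts decrypt: 6710, #pkts verify: 6710
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7101, #pkts comp failed: 0, #pkts decomp failed: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 832, #pkts invalid len (rcv): 0
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
"""

# One counter: '#pkts <name>[ (send|rcv)]: <value>'; several may share a line.
COUNTER_RE = re.compile(r"#pkts ([a-z ]+?(?: \((?:send|rcv)\))?): (\d+)")

# Receive-side counters that indicate a dropped or rejected packet.
RCV_ERROR_KEYS: List[str] = [
    "invalid sa (rcv)", "decaps failed (rcv)", "invalid prot (rcv)",
    "verify failed", "invalid identity (rcv)", "invalid len (rcv)",
    "replay failed (rcv)", "bad frag offset (rcv)", "internal err (rcv)",
]


def parse_counters(text: str) -> Dict[str, int]:
    """Map every '#pkts ...' counter name to its integer value."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def receive_errors(counters: Dict[str, int]) -> Dict[str, int]:
    """Return only the receive-side error counters that are non-zero."""
    return {k: counters[k] for k in RCV_ERROR_KEYS if counters.get(k, 0) > 0}


def decaps_decrypt_gap(counters: Dict[str, int]) -> int:
    """Packets pulled out of ESP that never made it to the decrypt counter."""
    return counters["decaps"] - counters["decrypt"]


def triage(text: str) -> List[str]:
    """Human-readable findings for one SA's counter block."""
    c = parse_counters(text)
    findings = []
    gap = decaps_decrypt_gap(c)
    if gap:
        findings.append(f"{gap} packets decapsulated but not decrypted")
    for name, value in receive_errors(c).items():
        findings.append(f"{value} x {name}")
    if c.get("invalid identity (rcv)"):
        findings.append("invalid identity: inner src/dst of received packets did "
                        "not match this SA's local/remote ident; compare the "
                        "crypto ACLs on both peers")
    if c.get("verify failed") or c.get("invalid len (rcv)"):
        findings.append("integrity/length failures: suspect corruption or "
                        "modification on the transit path")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print(line)
```

Run it against the counter block of each SA (one per crypto map entry and peer) and again after the problem recurs; if the invalid identity counter grows in step with the decaps/decrypt gap, the remote peer is sending traffic through this SA that the local crypto ACL does not cover, and a packet capture on the ASA's inside interface will show which hosts are involved.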

Bronze

Re: IPsec vpn qns

Hi Cash,


Please go through my earlier message.

Cheers,


Nash.

New Member

Re: IPsec vpn qns

hi,

I am assuming you want me to refer to this line: "Receive errors are generally seen if the packet is malformed or if the packet is modified by a device on the transit path resulting in checksums failing and other stuff."

But how can I resolve this? Or troubleshoot it?

regards

Bronze

Re: IPsec vpn qns

Hi Cash,

There is not much we can do here in regards to this issue.

You can talk to your ISP and see if they are modifying the packets in any way.

Also ask them to check for any problems on the circuit.


Cheers,

Nash.

New Member

Re: IPsec vpn qns

Whoa.

This is a bit tricky for me, since both sites are in different countries.
