Cisco Support Community
Community Member

L2L VPN traffic is not leaving on tunnel

Hello Experts,

We have a site-to-site VPN set up to a client, and a new IP, 67.22.X.X, has recently been added over the VPN tunnel at both sides. I do see a successful Phase 2 tunnel up for 67.22.X.X,

but the encrypt/encaps counters are not incrementing over the tunnel if I generate traffic via packet-tracer. Unfortunately, I couldn't generate traffic from 67.22.X.X as it is a printer. But the client says they do see the traffic leaving their side of the tunnel when they try to access the printer (67.22.X.X), but I do not see anything on my side.

Kindly help me on this.

-ASAVPN201A# packet-tracer input Inside icmp 10.224.128.88 8 0 170.23.X.X

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.224.128.88 obj-67.22.X.X destination static XX_REMOTE XX_REMOTE description
Additional Information:
Static translate 10.224.128.88/0 to 67.22.X.X/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 409065573, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

-ASAVPN201A#

-ASAVPN201A# sh crypto ipsec sa peer 170.232.X.X | beg 67.22.X.X
access-list outside_cryptomap_520 extended permit ip host 67.22.X.X host 170.23.X.X
local ident (addr/mask/prot/port): (67.22.X.X/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (170.23.X.X/255.255.255.255/0/0)
current_peer: 170.23.X.X

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 67.223.63.1/0, remote crypto endpt.: 170.232.32.14/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: DE0F8FBD
current inbound spi : 3F762BC5

inbound esp sas:
spi: 0x3F762BC5 (1064709061)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 244334592, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28554)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xDE0F8FBD (3725561789)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 244334592, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28554)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

2 REPLIES
VIP Purple

L2L VPN traffic is not leaving on tunnel

Check your NAT rules.

Community Member

L2L VPN traffic is not leaving on tunnel

Here is the NAT rule:

When I run the packet tracer from source to destination, the packets are allowed and move through the required NAT statement, and the translations are also incremented every time I run the packet tracer, which means the translation is happening fine here (NAT exemption is not required here as we are NATing the inside host to an outside global IP). What else do you require here? Let me know and I will provide it.

nat (inside,outside) source static obj-10.224.128.88 obj-67.22.X.X destination static XX_REMOTE XX_REMOTE description

Additional Information:

Static translate 10.224.128.88/0 to 67.22.X.X/0

-ASAVPN201A# sh nat translated 67.223.X.X

Manual NAT Policies (Section 1)

1 (inside) to (outside) source static obj-10.224.128.88 obj-67.223.62.200 destination static WARD_REMOTE WARD_REMOTE

    translate_hits = 14, untranslate_hits = 22

-ASAVPN201A# packet-tracer input Inside icmp 10.224.128.88 8 0 170.23.X.X

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.224.128.88 obj-67.22.X.X destination static XX_REMOTE XX_REMOTE description
Additional Information:
Static translate 10.224.128.88/0 to 67.22.X.X/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 409065573, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
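A small triage helper, added here as an example and not code from the thread, that reads `show crypto ipsec sa` output in the layout shown in the original post and the follow-up above: it pulls out the proxy identities and the encaps/decaps counters, checks whether a given post-NAT flow (the translated source from Phase 6 of the packet-tracer and its destination) is actually covered by that SA, and reports which direction is carrying no traffic. The addresses in the sample are constructed placeholders, not the poster's real ones.

```python
# Added example (not from the thread): triage "show crypto ipsec sa" output.
# It extracts local/remote proxy identities and packet counters for one SA and
# reports whether a post-NAT flow is covered by the SA and whether traffic is
# moving in each direction (encaps = sent by us, decaps = received from peer).
import ipaddress
import re

# Constructed sample in the same layout as the thread's output; addresses are
# placeholders chosen for this example.
SAMPLE_SA = """\
access-list outside_cryptomap_520 extended permit ip host 67.22.0.10 host 170.23.0.20
local ident (addr/mask/prot/port): (67.22.0.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (170.23.0.20/255.255.255.255/0/0)
current_peer: 170.23.0.20

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# "local ident ..." and "remote ident ..." lines; "local crypto endpt." does not match.
IDENT_RE = re.compile(r"^(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)", re.M)
CNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Return the SA's local/remote networks and its encaps/decaps counters."""
    sa = {}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, value in CNT_RE.findall(text):
        sa[name] = int(value)
    return sa


def triage(text, post_nat_src, dst):
    """List findings for a flow (source as seen after NAT) against this SA."""
    sa = parse_sa(text)
    findings = []
    # The crypto ACL is evaluated on the translated packet, so the post-NAT
    # source must sit inside the SA's local identity and dst in the remote one.
    if (ipaddress.ip_address(post_nat_src) not in sa["local"]
            or ipaddress.ip_address(dst) not in sa["remote"]):
        findings.append("flow not covered by this SA's proxy identities")
    if sa["encaps"] == 0:
        findings.append("no outbound traffic: nothing has been encrypted on this SA")
    if sa["decaps"] == 0:
        findings.append("no inbound traffic: peer is not sending on this SA")
    return findings
```

Run it against the real output with the pre-NAT source (10.224.128.88) and it reports the identity mismatch, which is why the check has to use the translated address from the NAT phase.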
