No encrypt packet with VPN tunnel

samarjitdas
Level 1

I have a site-to-site VPN tunnel on a Cisco ASA. I can see decrypt packets in the tunnel, but the encrypt packet count is showing zero. I have verified all the configuration and compared it with the peer side, but I can't understand the reason for such behavior. Please help.

5 Replies

Hi samarjit,

I assume that the tunnel is already up and traffic is not being passed between a few networks but is OK between some others in the encryption domain.

This normally indicates one-way traffic. If you can't encrypt, it means that the issue is at your end. It's probably an issue with return traffic. Please check if routing etc. is all good, and also, if possible, please post the config here, and your topology as well.

HTH

Regards

Kishore

Here is my configuration:

crypto isakmp policy 41
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
crypto ipsec transform-set PAY esp-3des esp-md5-hmac
crypto map outside_map 2 match address test
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set PAY
crypto map outside_map 2 set security-association lifetime seconds 28800
access-list test line 1 extended permit ip 10.50.6.64 255.255.255.192 host 192.168.2.4

INTERNET-RT------>INTERNET-SW------->VPN_GW(CISCO ASA) ------->SW------->JUNIPER-FW----->SW----SERVER

The problem is that the far end can connect to any IP address in subnet 10.50.6.64/26 except host 10.50.6.84. I can see successful encrypt and decrypt packets for the other IPs, but no encrypt packets from 10.50.6.84 to 192.168.2.4; I can only see decrypt packets from 192.168.2.4 to 10.50.6.84. I ran a capture on the Cisco ASA to see the reverse packets, and I could see reverse packets from 10.50.6.84 to 192.168.2.4, but I don't know where the packets go before getting into the tunnel.
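One check on the posted configuration that is worth scripting rather than eyeballing is whether a given source/destination pair actually falls inside the crypto ACL, the "interesting traffic" that selects the tunnel. The Python below is an added example, not code from the thread or from Cisco. It parses ASA extended ACL lines in the syntax shown above (any, host A, or address plus netmask); the first entry is taken from the post and the second is constructed for illustration. It confirms that 10.50.6.84 to 192.168.2.4 is covered by the posted entry, consistent with the poster's conclusion that the ACL is not what is dropping that host.

```python
import ipaddress

# Crypto ACL in ASA syntax. Line 1 is the entry from the post; line 2 is a
# constructed second entry so the matcher has more than one ACE to walk.
CRYPTO_ACL = [
    "access-list test line 1 extended permit ip 10.50.6.64 255.255.255.192 host 192.168.2.4",
    "access-list test line 2 extended permit ip 10.50.7.0 255.255.255.0 192.168.3.0 255.255.255.0",
]


def _take_network(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)  # dotted netmask, as ASA prints it
    return ipaddress.ip_network(f"{tok}/{mask}", strict=False)


def parse_ace(line):
    """Parse one 'access-list NAME [line N] extended ACTION PROTO SRC DST' entry."""
    tokens = line.split()
    name = tokens[1]
    idx = tokens.index("extended")  # skips the optional 'line N' that ASA shows
    action, proto = tokens[idx + 1], tokens[idx + 2]
    rest = tokens[idx + 3:]
    src = _take_network(rest)
    dst = _take_network(rest)
    return {"acl": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "text": line}


def match_interesting_traffic(acl_lines, src_ip, dst_ip):
    """Return the first ACE that permits src->dst, or None if the pair is not in
    the encryption domain (first match wins, as on the ASA; a deny also ends it)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if src in ace["src"] and dst in ace["dst"]:
            return ace if ace["action"] == "permit" else None
    return None


if __name__ == "__main__":
    for pair in [("10.50.6.84", "192.168.2.4"), ("10.50.6.130", "192.168.2.4")]:
        hit = match_interesting_traffic(CRYPTO_ACL, *pair)
        print(pair, "->", hit["text"] if hit else "NOT in encryption domain")
```

Because 10.50.6.84 sits inside 10.50.6.64/26 (hosts .64 to .127), the matcher returns line 1 for it, so the zero encrypt count for that one host has to come from somewhere between the server and the crypto map (routing, NAT, or a policy on the inside firewall), not from the ACL.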

I dont know whether this might help you.

There was an embedded IP for a database in my server 172.19.16.9 (the IP of the embedded database was 172.19.16.10).

Whenever I tried to generate traffic from 172.19.16.9, the traffic never brought the tunnel up. Once I tried generating traffic from 172.19.16.10 (some Unix command like ping -i 172.19.16.10 (src) 58.68.109.39 (dst), or something that allowed me to ping from the source 172.19.16.10, which is the DB), traffic was generated and the tunnel came up.

If you are having a similar scenario, then you ought to try it the way I did. Sometimes you need to generate traffic from both ends of the tunnel to bring it up. It happened to me, and I spent around a day figuring that out.

HTH

Cheers

Arun Nair

Hi samarjit,

Can you see the return traffic from the server on the Juniper FW? What I would do for testing is to just ping the remote server (192.168.2.4) from your server (10.50.6.84) and see if the packets actually hit the Juniper FW. If that's good, then you need to check if there are any exceptions for this IP address and so on. Is anti-spoofing disabled on the FW? Once your FW is given a clean chit, then you can troubleshoot the VPN concentrator. Do a trace from your server to the remote end and see where it stops.

Just because you allowed a /26 in the encryption domain doesn't mean that all traffic can reach all the hosts on that subnet. The firewall should allow all of that to happen.

Your ASA config looks pretty good in terms of the IKE and IPsec settings.

HTH

Kishore

Packets are moving fine through all the firewalls: I took an Ethereal packet capture on the switch located between the Cisco ASA and the Juniper FW and could see the SYN-ACK packet from the server to the client, but at the same time no change in the packet encryption count happened on the Cisco ASA.
