Cisco Support Community

New Member

No encrypt packet with VPN tunnel

I have a site-to-site VPN tunnel in a Cisco ASA. I can see decrypt packets in the tunnel, but the encrypt packet count is showing zero. I have verified all the configuration and compared it with the peer side, but can't understand the reason for such behavior. Please help.

5 REPLIES

No encrypt packet with VPN tunnel

Hi samarjit,

I assume that the tunnel is already up and traffic is not being passed between a few networks but is ok between some others in the encryption domain.

This normally indicates one-way traffic. If you can't encrypt, it means that the issue is at your end. It's probably an issue with return traffic. Please check if routing etc. is all good, and also, if possible, please post the config here, and your topology as well if possible.

HTH

Regards

Kishore

New Member

No encrypt packet with VPN tunnel

Here is my configuration:

crypto isakmp policy 41
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key *
crypto ipsec transform-set PAY esp-3des esp-md5-hmac
crypto map outside_map 2 match address test
crypto map outside_map 2 set peer x.x.x.x
crypto map outside_map 2 set transform-set PAY
crypto map outside_map 2 set security-association lifetime seconds 28800
access-list test line 1 extended permit ip 10.50.6.64 255.255.255.192 host 192.168.2.4

INTERNET-RT------>INTERNET-SW------->VPN_GW(CISCO ASA) ------->SW------->JUNIPER-FW----->SW----SERVER

The problem is that the far end can connect to any IP address from subnet 10.50.6.64/26 except host 10.50.6.84. I can see successful encrypt & decrypt packets for other IPs, but no encrypt packet from 10.50.6.84 to 192.168.2.4; only decrypt packets I can see from 192.168.2.4 to 10.50.6.84. I ran a capture in the Cisco ASA to see the reverse packet and I could see the reverse packet from 10.50.6.84 to 192.168.2.4, but don't know where packets go before getting into the tunnel.
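Before chasing routing or NAT, it is worth confirming that the host in question really falls inside the crypto ACL. The following is an added Python example (mine, not code from this thread or from Cisco) that parses ASA-style extended ACEs, the same syntax as the access-list line in the configuration above, and evaluates a flow against them with first-match semantics. The permit line is the one quoted above; the deny entry for 10.50.6.70 and the test address 10.50.6.130 are constructed only to show deny and no-match handling. It confirms that 10.50.6.84 is inside 10.50.6.64 255.255.255.192, so the ACL itself is not what keeps that host's traffic out of the tunnel.

```python
"""Check whether a flow is "interesting traffic" for a site-to-site tunnel by
evaluating ASA-style extended ACL lines (the crypto map's match address ACL)."""
import ipaddress
import re

# Constructed sample: line 2 is the crypto ACL quoted in the thread; line 1 is
# NOT in the original config and exists only to demonstrate first-match behaviour.
ACL_LINES = [
    "access-list test line 1 extended deny ip host 10.50.6.70 host 192.168.2.4",
    "access-list test line 2 extended permit ip 10.50.6.64 255.255.255.192 host 192.168.2.4",
]

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:line\s+\d+\s+)?extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+(?P<rest>.+)$"
)


def _parse_endpoint(tokens):
    """Consume one ACL endpoint and return (network, remaining tokens).

    ASA extended ACLs use a real subnet mask after a network address
    (not the wildcard mask IOS uses), so the mask can be handed to ipaddress as-is.
    """
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse one extended ACE into its action, protocol and source/destination networks."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line!r}")
    tokens = m["rest"].split()
    src, tokens = _parse_endpoint(tokens)
    dst, tokens = _parse_endpoint(tokens)
    return {"name": m["name"], "action": m["action"], "proto": m["proto"],
            "src": src, "dst": dst}


def classify_flow(aces, src_ip, dst_ip):
    """First-match evaluation of a src->dst flow against the crypto ACL.

    'encrypt'  : matches a permit in the forward direction (this ASA should encrypt it)
    'decrypt'  : matches a permit mirrored (traffic the peer encrypts and this side decrypts)
    'bypass'   : matches a deny, so it is excluded from the tunnel
    'no-match' : not interesting traffic at all
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace["src"] and d in ace["dst"]:
            return "encrypt" if ace["action"] == "permit" else "bypass"
        if s in ace["dst"] and d in ace["src"]:
            return "decrypt" if ace["action"] == "permit" else "bypass"
    return "no-match"


ACES = [parse_ace(line) for line in ACL_LINES]

if __name__ == "__main__":
    for src, dst in [("10.50.6.84", "192.168.2.4"), ("192.168.2.4", "10.50.6.84"),
                     ("10.50.6.70", "192.168.2.4"), ("10.50.6.130", "192.168.2.4")]:
        print(f"{src:>13} -> {dst:<13} {classify_flow(ACES, src, dst)}")
```

Because 10.50.6.84 classifies as "encrypt", a capture showing its return packets reaching the ASA but no encrypt counter movement means the packet is being handled before the crypto map sees it (routing, NAT or an interface ACL on the ASA), which is exactly the part of the path the replies above ask about.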

New Member

No encrypt packet with VPN tunnel

I don't know whether this might help you.

There was an embedded IP for a database in my server 172.19.16.9(IP of the embedded database was 172.19.16.10).

Whenever I tried to generate traffic from 172.19.16.9, the traffic never brought the tunnel up. Once I tried generating traffic from 172.19.16.10 (some Unix command like ping -i 172.19.16.10 (src) 58.68.109.39 (dst), or something that allowed me to ping from the source 172.19.16.10, which is the DB), traffic was generated and the tunnel came up.

If you are having a similar scenario, then you ought to try it the way I did. Sometimes you need to generate traffic from both ends of the tunnel to bring it up. Happened to me and I spent around a day figuring that out.

HTH

Cheers

Arun Nair

No encrypt packet with VPN tunnel

Hi samarjit,

Can you see the return traffic from the server on the Juniper FW? What I would do for testing is to just ping the remote server (192.168.2.4) from your server (10.50.6.84) and see if they actually hit the Juniper FW. If it's good, then you need to check if there are any exceptions for this IP address and all. Is anti-spoofing disabled and all on the FW? Once your FW is given the clean chit, then you can troubleshoot the VPN concentrator. Do a trace from your server to the remote end and see where it stops.

Just because you allowed /26 in the encryption domain doesn't mean that all traffic can reach all the hosts on that subnet. The firewall should allow all that to happen.

Your ASA config looks pretty good in terms of the IKE and IPsec settings.

HTH

Kishore

New Member

No encrypt packet with VPN tunnel

Packets are moving fine through all firewalls, as I took an Ethereal packet capture in the switch located between the Cisco ASA & Juniper FW and could see the SYN-ACK packet from server to client, but at the same time no packet encryption count change happened in the Cisco ASA.
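The symptom described throughout this thread (decrypt counters rising while encrypt stays at zero) can be read straight off `show crypto ipsec sa`. The following is an added Python example, not code from the thread or from Cisco, that parses constructed sample output in that command's format and flags SAs passing traffic in one direction only. The local and peer addresses 203.0.113.10, 198.51.100.20 and 198.51.100.21 are RFC 5737 documentation addresses standing in for the x.x.x.x in the posted config, the second SA (10.50.7.0/24 to 10.0.9.0/24) is invented as a healthy contrast, and all counter values are made up.

```python
"""Parse 'show crypto ipsec sa' output from an ASA and flag one-way tunnels,
i.e. SAs that decrypt but never encrypt (or the reverse)."""
import re

# Constructed sample output. Addresses are documentation addresses and the
# counters are invented to reproduce the thread's symptom on the first SA.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.10

      access-list test extended permit ip 10.50.6.64 255.255.255.192 host 192.168.2.4
      local ident (addr/mask/prot/port): (10.50.6.64/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.4/255.255.255.255/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1532, #pkts decrypt: 1532, #pkts verify: 1532
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 3, local addr: 203.0.113.10

      access-list other extended permit ip 10.50.7.0 255.255.255.0 10.0.9.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.50.7.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.9.0/255.255.255.0/0/0)
      current_peer: 198.51.100.21

      #pkts encaps: 880, #pkts encrypt: 880, #pkts digest: 880
      #pkts decaps: 901, #pkts decrypt: 901, #pkts verify: 901
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")
ERR_RE = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")


def parse_ipsec_sa(text):
    """Return one record per SA, keyed by its local/remote proxy identities."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m and m.group(1) == "local":          # a new SA entry starts here
            cur = {"local": m.group(2), "remote": None, "encrypt": 0, "decrypt": 0,
                   "send_errors": 0, "recv_errors": 0}
            records.append(cur)
            continue
        if cur is None:
            continue
        if m:                                    # remote ident of the current SA
            cur["remote"] = m.group(2)
            continue
        for kind, n in COUNTER_RE.findall(line):
            cur[kind] = int(n)
        e = ERR_RE.search(line)
        if e:
            cur["send_errors"], cur["recv_errors"] = int(e.group(1)), int(e.group(2))
    return records


def diagnose(rec):
    """Classify an SA by its counters.

    ONE_WAY_NO_ENCRYPT is the thread's case: the ASA decrypts the peer's packets
    but the return traffic never hits the crypto map, which points at routing,
    NAT or ACL matching on this side rather than at the IKE/IPsec settings.
    """
    enc, dec = rec["encrypt"], rec["decrypt"]
    if enc == 0 and dec == 0:
        return "IDLE"
    if enc == 0:
        return "ONE_WAY_NO_ENCRYPT"
    if dec == 0:
        return "ONE_WAY_NO_DECRYPT"
    if rec["send_errors"] or rec["recv_errors"]:
        return "ERRORS"
    return "OK"


def one_way_sas(text):
    """List (local ident, remote ident, status) for every SA that is one-way."""
    out = []
    for r in parse_ipsec_sa(text):
        status = diagnose(r)
        if status.startswith("ONE_WAY"):
            out.append((r["local"], r["remote"], status))
    return out


if __name__ == "__main__":
    for r in parse_ipsec_sa(SAMPLE):
        print(f"{r['local']:<34} -> {r['remote']:<34} "
              f"enc={r['encrypt']:<5} dec={r['decrypt']:<5} {diagnose(r)}")
```

Run periodically against the real command output, this separates "the tunnel is fine, one SA is one-way" from "the tunnel is down", and the one-way SA's local ident tells you which subnet's return path to trace.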
