I have a site to site VPN tunnel in Cisco ASA. I can see decrypt packets in the tunnel but encrypt packets are showing zero. I have verified all the configuration and compared it with the peer side but can't understand the reason for such behavior. Please help.
I assume that the tunnel is already up and traffic is not being passed between a few networks but is ok between some others in the encryption domain.
This normally indicates one-way traffic. If you can't encrypt, it means that the issue is at your end. It's probably an issue with return traffic. Please check if routing etc. is all good and also, if possible, please post the config here. And also, if possible, your topology.
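The diagnosis above (decrypt counters rising while encrypt stays at zero means the peer's traffic arrives but nothing is sent back) can be read straight off the per-SA counters of the ASA's `show crypto ipsec sa` output. As an added example that is not from this thread or from Cisco, the following Python script parses a constructed sample of that output (the peer addresses are assumed documentation-range values; the inner subnets are the ones discussed here) and flags each SA as bidirectional, inbound-only, outbound-only or idle, with a hint on where to look next:

```python
import re
from typing import Dict, List

# Constructed sample modelled on the layout of Cisco ASA "show crypto ipsec sa".
# Outer peer/local addresses are assumed (documentation ranges), not from the thread;
# the two SA entries are invented to show one healthy and one inbound-only SA.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      access-list outside_cryptomap extended permit ip 10.50.6.64 255.255.255.192 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.50.6.64/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

      local ident (addr/mask/prot/port): (10.50.6.84/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.4/255.255.255.255/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 37, #pkts decrypt: 37, #pkts verify: 37
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER_RE = re.compile(r"current_peer: (\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")

# Where to look next for each counter pattern; written from the troubleshooting
# stance of the thread (encrypt=0 means the return path on this side is the suspect).
HINTS = {
    "bidirectional": "Counters rise in both directions; this SA is passing traffic.",
    "inbound-only": ("Peer traffic decrypts here but nothing is encrypted back: check the "
                     "return path on this side (route back to the ASA, NAT exemption, "
                     "inside ACLs, host firewall) before blaming the peer."),
    "outbound-only": ("This side encrypts but nothing comes back: check the peer's return "
                      "path and that its proxy IDs mirror these."),
    "idle": "No traffic either way yet; generate interesting traffic from each side.",
}


def parse_ipsec_sas(text: str) -> List[Dict]:
    """Split the output at each 'local ident' line and pull the counters of that SA."""
    sas = []
    for chunk in re.split(r"(?=local ident \()", text):
        m_local = LOCAL_RE.search(chunk)
        if not m_local:
            continue  # interface/crypto-map header before the first SA
        m_remote = REMOTE_RE.search(chunk)
        m_peer = PEER_RE.search(chunk)
        m_enc = ENCAPS_RE.search(chunk)
        m_dec = DECAPS_RE.search(chunk)
        sas.append({
            "local": m_local.group(1),
            "remote": m_remote.group(1) if m_remote else "?",
            "peer": m_peer.group(1) if m_peer else "?",
            "encaps": int(m_enc.group(1)) if m_enc else 0,
            "decaps": int(m_dec.group(1)) if m_dec else 0,
        })
    return sas


def classify(sa: Dict) -> str:
    """Turn the encaps/decaps pair into one of the four traffic-direction verdicts."""
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        return "inbound-only"
    if sa["encaps"] > 0 and sa["decaps"] == 0:
        return "outbound-only"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    return "bidirectional"


def diagnose(text: str) -> List[Dict]:
    """Parse the output and attach a verdict and a hint to every SA."""
    results = []
    for sa in parse_ipsec_sas(text):
        verdict = classify(sa)
        results.append(dict(sa, verdict=verdict, hint=HINTS[verdict]))
    return results


if __name__ == "__main__":
    for r in diagnose(SAMPLE_SA_OUTPUT):
        print(f"{r['local']} <-> {r['remote']} via {r['peer']}: "
              f"encaps={r['encaps']} decaps={r['decaps']} -> {r['verdict']}")
        print("   " + r["hint"])
```

Paste real `show crypto ipsec sa` output into `diagnose()` instead of the sample; an SA reported as inbound-only is exactly the symptom in this thread, and the next step is a capture on the inside interface (or `packet-tracer` from the inside host toward the remote host) to see whether the return packets reach the ASA and match the crypto ACL.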
The problem is that the far end can connect to any IP address from subnet 10.50.6.64/26 except host 10.50.6.84. I can see successful encrypt & decrypt packets for other IPs but no encrypt packet from 10.50.6.84 to 192.168.2.4; only decrypt packets I can see from 192.168.2.4 to 10.50.6.84. I ran a capture in Cisco ASA to see the reverse packet and I could see the reverse packet from 10.50.6.84 to 192.168.2.4 but don't know where the packets go before getting into the tunnel.
There was an embedded IP for a database in my server 172.19.16.9 (the IP of the embedded database was 172.19.16.10).
Whenever I tried to generate traffic from 172.19.16.9, the traffic never brought the tunnel up. Once I tried generating traffic from 172.19.16.10 (some unix command like ping -i 172.19.16.10(src) 22.214.171.124(dst) or something that allowed me to ping from the source 172.19.16.10, which is the DB), traffic was generated and the tunnel came up.
If you are having a similar scenario, then you ought to try it the way I did. Sometimes you need to generate traffic from both ends of the tunnel to bring it up. Happened to me and I spent around a day figuring that out.
Can you see the return traffic from the server on the Juniper FW? What I would do for testing is to just ping the remote server (192.168.2.4) from your server (10.50.6.84) and see if the packets actually hit the Juniper FW. If it's good, then you need to check if there are any exceptions for this IP address and all. Is anti-spoofing disabled and all on the FW? Once your FW is given the clean chit, then you can troubleshoot the VPN concentrator. Do a trace from your server to the remote end and see where it stops.
Just because you allowed /26 in the encryption domain doesn't mean that all traffic can reach all the hosts on that subnet. The firewall should allow all that to happen.
Your ASA config looks pretty good in terms of the IKE and IPsec settings.
Packets are moving fine through all firewalls, as I took an Ethereal packet capture on the switch located between the Cisco ASA & Juniper FW and could see the syn-ack packet from server to client, but at the same time no packet encryption count change happened in Cisco ASA.