Cisco Support Community
New Member

Phase 2 fails on encapsulation....but remote end can ping me successfully

Hi there,

I have not been successful in setting up this VPN for over 2 months now, despite escalating to senior support in my company. Attached is the config from my end.

Scenario: Phase 1 completes successfully, but phase 2 fails on encapsulation, as the ASA output below shows:

Any idea what could be the cause?

Strangely enough, the remote end is able to reach my test host 10.0.16.254, but I cannot reach their test host 172.18.31.51.


tzdar01-ASA-01# sh crypto ipsec sa
interface: outside
    Crypto map tag: info2cellmap, seq num: 60, local addr: 196.46.122.1

      access-list huawei2_vpn permit ip host 10.0.16.254 172.18.31.48 255.255.255.240
      local ident (addr/mask/prot/port): (10.0.16.254/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.18.31.48/255.255.255.240/0/0)
      current_peer: 195.33.106.101

      #pkts encaps: 4511, #pkts encrypt: 4511, #pkts digest: 4511
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4511, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 196.46.122.1, remote crypto endpt.: 195.33.106.101

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 92EE9A18

    inbound esp sas:
      spi: 0xA5D6AFCD (2782310349)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 14732, crypto-map: info2cellmap
         sa timing: remaining key lifetime (sec): 2069
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x92EE9A18 (2465110552)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 14732, crypto-map: info2cellmap
         sa timing: remaining key lifetime (sec): 2060
         IV size: 8 bytes
         replay detection support: Y

2 REPLIES
Cisco Employee

Re: Phase 2 fails on encapsulation....but remote end can ping me

Based on the show crypto ipsec sa output, the ASA end is sending traffic towards the Huawei end; however, Huawei is not replying.

#pkts encaps: 4511  --> traffic is being encrypted towards the Huawei end

#pkts decaps: 0 ---> nothing came back from Huawei

I would check on the Huawei to make sure that they have NAT exemption configured correctly, and also get the Huawei equivalent of the "show crypto ipsec sa" output to check. If the decaps counter is increasing and encaps is 0, then it is more likely NAT exemption on the Huawei end, or possibly an access-list might be blocking the traffic.

On a side note, please double-check with Huawei that they have a mirror-image ACL configured for the crypto ACL (the ACL specifying the interesting traffic).

The ASA end has the following:

access-list hua_vpn extended permit ip object-group huawei2_VPNin object-group huawei2_VPNout

The Huawei end should have the following (with all objects included as configured on the ASA end):

access-list extended permit ip object-group huawei2_VPNout object-group huawei2_VPNin

Hope that helps.
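The reply above reads the tunnel's health from two counters (encaps versus decaps) and then asks for the peer's proxy IDs to be the mirror image of ours. The script below is an added example, not part of the original thread or of any Cisco or Huawei tool: it parses the counter and "ident" lines in the format the ASA prints, classifies which direction of the tunnel is dead, and checks a peer's proxy IDs against ours. The ASA sample is built from the figures in the post; the two peer samples are constructed for illustration and are not output from the real Huawei (the Huawei's own command prints a different format, so its output would need to be transcribed into these fields first).

```python
"""Triage a one-way IPsec tunnel from 'show crypto ipsec sa' style output.

Added example (not from the thread). Parses proxy identities and packet
counters, classifies the failure direction, and checks mirror-image proxy IDs.
"""
import re

# Constructed from the poster's output: the lines the diagnosis needs.
SAMPLE_ASA_SA = """\
      local ident (addr/mask/prot/port): (10.0.16.254/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.18.31.48/255.255.255.240/0/0)
      current_peer: 195.33.106.101

      #pkts encaps: 4511, #pkts encrypt: 4511, #pkts digest: 4511
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

# Constructed (hypothetical) peer views, transcribed into the same format.
# A correct mirror: the peer's local is our remote and vice versa.
PEER_SA_MIRRORED = """\
      local ident (addr/mask/prot/port): (172.18.31.48/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.0.16.254/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4511, #pkts decrypt: 4511, #pkts verify: 4511
"""
# A mismatch: the peer negotiates a /24 for our side instead of the host.
PEER_SA_BAD = """\
      local ident (addr/mask/prot/port): (172.18.31.48/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.0.16.0/255.255.255.0/0/0)
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERR_RE = re.compile(r"#(send|recv) errors: (\d+)")


def parse_sa(text):
    """Return proxy IDs (addr, mask, proto, port) and counters for one SA."""
    sa = {"counters": {}, "errors": {}}
    for m in IDENT_RE.finditer(text):
        side, addr, mask, proto, port = m.groups()
        sa[side] = (addr, mask, int(proto), int(port))
    for m in COUNTER_RE.finditer(text):
        sa["counters"][m.group(1)] = int(m.group(2))
    for m in ERR_RE.finditer(text):
        sa["errors"][m.group(1)] = int(m.group(2))
    return sa


def diagnose(sa):
    """Classify the SA from the perspective of the device that printed it.

    encaps counts packets this device encrypted and sent into the tunnel;
    decaps counts packets it received from the peer and decrypted.
    """
    enc = sa["counters"].get("encaps", 0)
    dec = sa["counters"].get("decaps", 0)
    if enc > 0 and dec == 0:
        return "sending only: the peer is not returning traffic (check the peer's NAT exemption and crypto ACL)"
    if enc == 0 and dec > 0:
        return "receiving only: this device is not encrypting replies (check its NAT exemption and crypto ACL)"
    if enc == 0 and dec == 0:
        return "no traffic either way: nothing is matching the crypto ACL on either side"
    if sa["errors"].get("recv", 0):
        return "bidirectional with recv errors: check transform and replay settings"
    return "bidirectional: IPsec is carrying traffic in both directions"


def is_mirror(ours, theirs):
    """True when the peer's proxy IDs are the exact mirror image of ours."""
    return ours["local"] == theirs["remote"] and ours["remote"] == theirs["local"]


def triage(our_text, peer_text=None):
    """Run both checks and return (diagnosis, mirror_ok) for quick reading."""
    ours = parse_sa(our_text)
    mirror_ok = is_mirror(ours, parse_sa(peer_text)) if peer_text else None
    return diagnose(ours), mirror_ok


if __name__ == "__main__":
    print(triage(SAMPLE_ASA_SA, PEER_SA_MIRRORED))
    print(triage(SAMPLE_ASA_SA, PEER_SA_BAD))
```

The mirror check is deliberately strict: a peer that covers our host with a wider subnet, as in the second constructed sample, will still complete phase 2 on some platforms but the proxy IDs will not match what the ASA's crypto ACL selects, which is exactly the kind of mismatch that shows up as traffic flowing in one direction only.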

New Member

Re: Phase 2 fails on encapsulation....but remote end can ping me

Thanks, it makes great sense.

I have requested the output from the remote end, and will update once I receive it.
