Re: Phase 2 fails on encapsulation....but remote end can ping me
Based on the show crypto ipsec sa output, the ASA end is sending traffic towards the Huawei end; however, Huawei did not reply.
#pkts encaps: 4511 --> traffic is being encrypted towards Huawei end
#pkts decaps: 0 ---> nothing came back from Huawei
I would check on Huawei to make sure that they have NAT exemption correctly configured, and also get the Huawei equivalent of the "show crypto ipsec sa" output to check. If the decaps counters are increasing and encaps is 0, then it is more likely NAT exemption on the Huawei end, or possibly an access-list might be blocking the traffic.
On a side note, please double-check with Huawei that they have a mirror-image ACL configured for the crypto ACL (the ACL specifying the interesting traffic).
The ASA end has the following:
access-list hua_vpn extended permit ip object-group huawei2_VPNin object-group huawei2_VPNout
Huawei end should have the following (with all objects included as configured on the ASA end):
access-list extended permit ip object-group huawei2_VPNout object-group huawei2_VPNin
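
Added example, not part of the original reply: a Python script that applies the encaps/decaps reasoning above to "show crypto ipsec sa" output and classifies each SA by direction. The sample text is constructed (the addresses, crypto map name and second SA are made up; only the 4511/0 counters come from the post), and the function names are hypothetical.

```python
import re

# Constructed, trimmed sample in the layout of ASA "show crypto ipsec sa" output.
# Addresses are documentation ranges; 4511/0 are the counters quoted in the post.
SAMPLE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 192.0.2.1
      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      #pkts encaps: 4511, #pkts encrypt: 4511, #pkts digest: 4511
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

IDENT = re.compile(r"^\s*(local|remote) ident .*?:\s*\(([^)]*)\)")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Return one dict per SA: local/remote ident plus encaps/decaps counters."""
    sas = []
    for line in text.splitlines():
        m = IDENT.match(line)
        if m and m.group(1) == "local":    # a "local ident" line opens a new SA
            sas.append({"local": m.group(2), "remote": None, "encaps": 0, "decaps": 0})
        elif m and sas:
            sas[-1]["remote"] = m.group(2)
        elif sas:
            for name, value in COUNT.findall(line):
                sas[-1][name] = int(value)
    return sas

def diagnose(sa):
    """Classify an SA by which direction is passing traffic."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc and not dec:
        return "one-way out"   # peer is not replying through the tunnel
    if dec and not enc:
        return "one-way in"    # this end receives but does not encrypt replies
    return "bidirectional" if enc else "idle"

def report(text):
    return [(sa["local"], sa["remote"], diagnose(sa)) for sa in parse_sas(text)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Run against both ends: "one-way out" on the ASA paired with "one-way in" on the peer for the same subnets points at the peer's NAT exemption or ACLs, as described in the reply.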