Community Member

Site to Site VPN up but no Traffic 2 asa 5505s

I am trying to set up a site-to-site VPN between two ASA 5505s -- one is version 8.2 and the other is version 9.2. The VPN is established but there is no traffic passing through. All packet-tracer tests have been successful. I've been thrashing around a bit and I'm sure I have made some unnecessary changes, but nothing has changed -- still up but no traffic. Below are my configs. Please, someone, have mercy on my soul and help me escape this purgatory.

 

ASA version 9.2

Result of the command: "sh running-conf"

: Saved

: Serial Number: JMX162440SM
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(2)4 
!
hostname asat
enable password *encrypted
passwd * encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address AA.AA.AA.AA 255.255.255.0 
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.255.0
object network obj-192.168.50.0
 subnet 192.168.50.0 255.255.255.0
object network NETWORK_OBJ_192.168.0.0_24
 subnet 192.168.0.0 255.255.255.0
object network NETWORK_OBJ_192.168.50.0_24
 subnet 192.168.50.0 255.255.255.0
access-list 100 extended permit ip any any 
access-list 100 extended deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive 
access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list inside_access_in extended deny ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive 
access-list inside_access_in extended permit ip any any 
access-list global_access extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 inactive 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-722.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
access-group inside_access_in in interface inside
access-group 100 in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 AG.AT.EW.AY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.50.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer BB.BB.BB.BB 
crypto map outside_map 1 set ikev1 transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
tunnel-group BB.BB.BB.BB type ipsec-l2l
tunnel-group BB.BB.BB.BB ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global-policy
 class inspection_default
  inspect ipsec-pass-thru 
!
service-policy global-policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:7fc0224b98458f65b15b592946d28349
: end

ASA version 8.2

Result of the command: "sh running-conf"

: Saved
:
ASA Version 8.2(5) 
!
hostname VASA
enable password * encrypted
passwd * encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address BB.BB.BB.BB 255.255.255.240 
!
ftp mode passive
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit tcp any any eq 3389 
access-list inside_access_in extended permit tcp any any eq smtp 
access-list inside_access_in extended permit tcp any any eq https 
access-list inside_access_in extended deny ip host 151.248.99.196 any 
access-list inside_access_in extended permit tcp any any range 10000 10023 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any interface outside range 10000 10023 
access-list outside_access_in extended permit tcp any any eq 3389 inactive 
access-list inside_access_in_1 extended permit tcp host 192.168.0.3 eq telnet any eq telnet 
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0 log debugging 
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0 
access-list outside_1_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0 
pager lines 24
logging enable
logging history alerts
logging asdm debugging
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.0.0 255.255.255.0
static (inside,outside) tcp interface 10000 192.168.0.5 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10001 192.168.0.17 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10002 192.168.0.200 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10003 192.168.0.16 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10004 192.168.0.19 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10005 192.168.0.10 10005 netmask 255.255.255.255 
static (inside,outside) tcp interface 10006 192.168.0.11 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10007 192.168.0.122 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10008 192.168.0.13 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10009 192.168.0.14 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10010 192.168.0.15 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10011 192.168.0.252 10011 netmask 255.255.255.255 
static (inside,outside) tcp interface 10012 192.168.0.251 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10020 192.168.0.150 3389 netmask 255.255.255.255 
static (inside,outside) tcp interface 10023 192.168.0.3 3389 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 BG.AT.EW.AY 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.0.0 255.255.255.0 inside
snmp-server host inside 192.168.0.2 community ***** udp-port 161
snmp-server location VHR Server room
snmp-server contact Terregen
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set peer AA.AA.AA.AA 
crypto map outside_map 1 set transform-set ESP-DES-SHA ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp identity address 
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 5
 lifetime none
telnet 192.168.0.3 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol IPSec l2tp-ipsec 
tunnel-group AA.AA.AA.AA type ipsec-l2l
tunnel-group AA.AA.AA.AA ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:23312cce53f5772dc2d5c4ba3f432ad9
: end

 

3 REPLIES
Community Member

Your configuration looks good. How are you testing the tunnel? Share the packet-tracer output from both ends.

Try sending pings from a host behind one of the ASAs and share the output of packet-tracer and "show crypto ipsec sa" from both ASAs after attempting to send the traffic.

Community Member

From the 9.2 ASA:

Result of the command: "packet-trace input inside tcp 192.168.50.12 1610 192.168.0.3 3382"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         via AG.AT.EW.AY, outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.3/3382 to 192.168.0.3/3382

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any 
Additional Information:

Phase: 4
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.50.12/1610 to 192.168.50.12/1610

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.50.0 obj-192.168.50.0 destination static obj-192.168.0.0 obj-192.168.0.0 no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 854, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

From the 8.2 ASA:

Result of the command: "packet-trace input inside tcp 192.168.0.3 1610 192.168.50.12 3382"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any 
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT-EXEMPT
Subtype: 
Result: ALLOW
Config:
  match ip inside 192.168.0.0 255.255.255.0 outside 192.168.50.0 255.255.255.0
    NAT exempt
    translate_hits = 4, untranslate_hits = 0
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 10023 192.168.0.3 3389 netmask 255.255.255.255 
  match tcp inside host 192.168.0.3 eq 3389 outside any
    static translation to BB.BB.BB.BB/10023
    translate_hits = 2, untranslate_hits = 16
Additional Information:

Phase: 6
Type: NAT
Subtype: 
Result: ALLOW
Config:
nat (inside) 1 192.168.0.0 255.255.255.0
  match ip inside 192.168.0.0 255.255.255.0 outside any
    dynamic translation to pool 1 (BB.BB.BB.BB [Interface PAT])
    translate_hits = 283996, untranslate_hits = 14479
Additional Information:

Phase: 7
Type: HOST-LIMIT
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 288087, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

8.2 ASA ipsec sa

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: BB.BB.BB.BB

      access-list outside_1_cryptomap_1 extended permit ip 192.168.0.0 255.255.255.0 192.168.50.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: AA.AA.AA.AA

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: BB.BB.BB.BB, remote crypto endpt.: AA.AA.AA.AA

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 80692A79
      current inbound spi : 428E481A

    inbound esp sas:
      spi: 0x428E481A (1116620826)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 126976, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373999/28143)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000003F
    outbound esp sas:
      spi: 0x80692A79 (2154375801)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 126976, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/28143)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

 

9.2 ASA ipsec sa

Result of the command: "sh cry ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: AA.AA.AA.AA

      access-list outside_1_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: BB.BB.BB.BB


      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: AA.AA.AA.AA/0, remote crypto endpt.: BB.BB.BB.BB/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 428E481A
      current inbound spi : 80692A79

    inbound esp sas:
      spi: 0x80692A79 (2154375801)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 53248, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3915000/28109)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x428E481A (1116620826)
         transform: esp-des esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 53248, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28109)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
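
The two "sh cry ipsec sa" outputs above describe the same tunnel from opposite ends: the 9.2 ASA shows 5 encaps and 0 decaps, the 8.2 ASA shows 5 decaps and 0 encaps, the proxy identities are mirror images, and the SPIs cross over (outbound on one end is inbound on the other). The SAs themselves are therefore healthy; what is missing is any packet ever entering the 8.2 side's crypto map in the return direction. The script below is an added example, not part of the thread and not Cisco code; it parses abridged copies of the two outputs (public addresses left redacted as AA.AA.AA.AA and BB.BB.BB.BB, exactly as in the thread) and turns the packet counters, SPIs and proxy identities into a verdict. It also flags the negotiated transform, esp-des esp-sha-hmac: single DES is a 56-bit cipher, and both crypto maps here put ESP-DES-SHA first and both ISAKMP policies use des, even though both configs already define AES transform sets.

```python
"""Cross-check `show crypto ipsec sa` from both ends of one IKEv1 L2L tunnel.
Added example for this thread (not Cisco code and not the poster's code). The
two strings are abridged copies of the outputs posted above; AA.AA.AA.AA and
BB.BB.BB.BB are the redacted public addresses, exactly as in the thread."""
import re

SA_92 = """\
    Crypto map tag: outside_map, seq num: 1, local addr: AA.AA.AA.AA
      local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: BB.BB.BB.BB
      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 428E481A
      current inbound spi : 80692A79
         transform: esp-des esp-sha-hmac no compression
"""
SA_82 = """\
    Crypto map tag: outside_map, seq num: 1, local addr: BB.BB.BB.BB
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: AA.AA.AA.AA
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      current outbound spi: 80692A79
      current inbound spi : 428E481A
         transform: esp-des esp-sha-hmac no compression
"""

# Field name -> regex with one capture group, applied to the raw output.
FIELDS = {
    "local_addr": r"local addr: (\S+)",
    "peer": r"current_peer: (\S+)",
    "local_ident": r"local ident .*?: \(([^)]*)\)",
    "remote_ident": r"remote ident .*?: \(([^)]*)\)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "out_spi": r"current outbound spi\s*: ([0-9A-Fa-f]+)",
    "in_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)",
    "transform": r"transform: (esp-\S+ esp-\S+)",
}
# Transforms a practitioner should not accept on a new L2L tunnel.
WEAK = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_sa(text):
    """Return the fields that matter for an up-but-no-traffic diagnosis."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError("field not found in output: " + name)
        sa[name] = m.group(1)
    sa["encaps"], sa["decaps"] = int(sa["encaps"]), int(sa["decaps"])
    sa["out_spi"], sa["in_spi"] = sa["out_spi"].upper(), sa["in_spi"].upper()
    return sa

def direction(a, b):
    """Classify the flow between peers A and B from the four packet counters."""
    a_to_b = a["encaps"] > 0 and b["decaps"] > 0
    b_to_a = b["encaps"] > 0 and a["decaps"] > 0
    if a_to_b and b_to_a:
        return "bidirectional"
    if a_to_b or b_to_a:
        return "one-way A->B" if a_to_b else "one-way B->A"
    if a["encaps"] > 0 or b["encaps"] > 0:
        # Encrypted on one end, never decrypted on the other: ESP is dropped in
        # transit (ACL, NAT without NAT-T) or the two ends hold different SAs.
        return "sent but not received"
    return "no traffic"

def diagnose(a, b):
    """Findings for one tunnel seen from both ends; empty means all is well."""
    out = []
    if a["peer"] != b["local_addr"] or b["peer"] != a["local_addr"]:
        out.append("peer mismatch: outputs are not from the same tunnel")
    if (a["local_ident"], a["remote_ident"]) != (b["remote_ident"], b["local_ident"]):
        out.append("proxy identity mismatch: crypto ACLs are not mirror images")
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        out.append("SPI mismatch: the two ends hold different SAs")
    flow = direction(a, b)
    if flow.startswith("one-way"):
        silent = "B" if flow.endswith("A->B") else "A"
        out.append("%s decrypts but never encrypts: the reply never reaches its crypto "
                   "map, so capture on %s's inside interface" % (silent, silent))
    elif flow == "sent but not received":
        out.append("ESP leaves one peer but is never decrypted by the other")
    if WEAK & set(a["transform"].split()):
        out.append("weak transform negotiated: " + a["transform"])
    return out

if __name__ == "__main__":
    asa92, asa82 = parse_sa(SA_92), parse_sa(SA_82)
    print(direction(asa92, asa82), *diagnose(asa92, asa82), sep="\n")
```

Run as-is it reports "one-way A->B" for the thread's outputs, which is the same conclusion the next reply reaches by eye. To use it on another tunnel, paste the full "show crypto ipsec sa" block from each peer into the two strings; the regexes only read the lines shown, so the extra counters in a full listing are ignored.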

 

Community Member

The 9.2 ASA is encrypting and the 8.2 ASA is decrypting but is not encrypting back. The packet-tracer on the 8.2 ASA shows that its encryption is fine.

The issue could be that the host you are trying to ping is not replying.

Do a capture on the inside interface of the 8.2 ASA, try the ping, and check the capture to see whether there are return packets:

cap capin interface inside match ip host <local host IP> host <remote host ip>

The capture is bidirectional. Initiate the ping and check "sho cap capin".
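
The inside-interface capture suggested above is the quickest way to separate "the host never answers" from "the host answers but the ASA never sends the reply into the tunnel". As an added example, not part of the thread and not Cisco code, the script below reads the text that "sho cap capin" prints and counts, per host pair, how many packets went toward the inside host and how many came back. The capture listing embedded in it is constructed to resemble ASA output (three unanswered packets from 192.168.50.12 to 192.168.0.3, in both the plain and the 802.1Q-tagged line formats) and is not taken from the thread.

```python
"""Count request and return packets in `show capture` output from an ASA.
Added example for this thread (not Cisco code and not the reply author's
code). The listing below is constructed to resemble ASA capture output, in
both the plain and the 802.1Q-tagged line formats; it is not from the thread."""
import re
from collections import defaultdict

# Constructed: three unanswered packets from the 9.2 side's host to the
# 8.2 side's host, as captured on the 8.2 ASA's inside interface.
SAMPLE_CAPTURE = """\
3 packets captured

   1: 10:15:02.123456 192.168.50.12 > 192.168.0.3: icmp: echo request
   2: 10:15:03.125001 802.1Q vlan#1 P0 192.168.50.12 > 192.168.0.3: icmp: echo request
   3: 10:15:04.127004 192.168.50.12.1610 > 192.168.0.3.3389: S 1234567:1234567(0) win 8192 <mss 1460>
3 packets shown
"""

# "<n>: <hh:mm:ss.usec> [802.1Q vlan#N Pn] <src>[.port] > <dst>[.port]:"
PKT = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+(?:802\.1Q\s+vlan#\d+\s+P\d+\s+)?"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s+>\s+(\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

def parse_capture(text):
    """Return [(src, dst), ...] for every packet line; counter lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if m:
            pkts.append((m.group(1), m.group(2)))
    return pkts

def count_directions(pkts):
    """Map each (src, dst) seen to (packets that way, packets back the other way)."""
    seen = defaultdict(int)
    for key in pkts:
        seen[key] += 1
    return {(s, d): (n, seen.get((d, s), 0)) for (s, d), n in seen.items()}

def verdict(text, local_host, remote_host):
    """Read the inside-interface capture for one host pair.

    local_host sits behind the capturing ASA; remote_host is across the tunnel.
    """
    pkts = parse_capture(text)
    requests = sum(1 for s, d in pkts if (s, d) == (remote_host, local_host))
    replies = sum(1 for s, d in pkts if (s, d) == (local_host, remote_host))
    if requests == 0:
        return "no packets from %s reached the inside interface" % remote_host
    if replies == 0:
        return "host not answering: %d packet(s) in, 0 back" % requests
    return ("host answers (%d back for %d in): reply is lost inside the ASA, run "
            "packet-tracer for the return direction and check show asp drop"
            % (replies, requests))

if __name__ == "__main__":
    print(verdict(SAMPLE_CAPTURE, "192.168.0.3", "192.168.50.12"))
```

If the capture shows replies but the 8.2 ASA's encaps counter still stays at 0, the drop is inside the firewall between the inside interface and the crypto map, which is what a packet-tracer run in the return direction (inside host as source, remote host as destination) and "show asp drop" are for.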

 
