Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Troubleshoot ipsec?

We have an ispec tunnel established but it's not passing traffic. I can only see my end and everything appears fine.

When I run a "sh crypto ipsec sa peer x.x.x.x" I can see that packets are getting encapsulated but none are getting decapsulated.

Running packet tracer also shows that my traffic is allowed.

How can I tell for certain that the issue is at the other end of the tunnel?

1 ACCEPTED SOLUTION

Accepted Solutions

Hi Louis, If you see your end

Hi Louis,

 

If you see your end is encapsulating... then packets from your end gets in to tunnel and going out with encapsulated.... other end FW/VPN device should receive it and decapsulate the same to send out the traffic to the destination.... this is for one way about the traffic... the return packet or response packet will encapsulate it again and send it to us, which will get decapsulate and go to the requestor......

Here you need to check on the other firewall end and see if it gets decapsulated and encapsulated back in that way.... for that you may need to check the routing for the remote lan in the remote peer, NAT rules and ipsec policies matches etc.....

 

run a debug crypto ipsec 128 at your end to see if that gives any idea.....

 

If you do all these step by step... definitely you can sort out the issue....

 

Regards

Karthik

 

4 REPLIES
Hall of Fame Super Silver

Th symptom you describe

Th symptom you describe (encaps without decaps) is most often the distant end not sending the traffic back into the tunnel (internal routing or potentially lack of NAT exemption at their end).

Without having them check, the only thing you can do is show them your end's output like you just described here.

Community Member

I'd like to think that too.

I'd like to think that too. Problem is, I recently had an issue with another ASA which was reporting the same.

In the end, I gave up and tore the config down and when I started from fresh, the ipsec tunnel came up straight away and passed traffic. Still don't have an idea what the issue was as I didn't expect the tunnel to come up so quickly. But the point is, it too was showing encaps but no decaps and resetting at my end cured the issue without any change at the remote end.

Hi Louis, If you see your end

Hi Louis,

 

If you see your end is encapsulating... then packets from your end gets in to tunnel and going out with encapsulated.... other end FW/VPN device should receive it and decapsulate the same to send out the traffic to the destination.... this is for one way about the traffic... the return packet or response packet will encapsulate it again and send it to us, which will get decapsulate and go to the requestor......

Here you need to check on the other firewall end and see if it gets decapsulated and encapsulated back in that way.... for that you may need to check the routing for the remote lan in the remote peer, NAT rules and ipsec policies matches etc.....

 

run a debug crypto ipsec 128 at your end to see if that gives any idea.....

 

If you do all these step by step... definitely you can sort out the issue....

 

Regards

Karthik

 

Community Member

It was indeed an access rule

It was indeed an access rule at their end that was blocking the traffic.

Thanks for your time.

79
Views
0
Helpful
4
Replies
CreatePlease to create content