Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN Tunnel UP but no traffic.

Hi,

I currently have a VPN connection between a Cisco ASA 5505 and Cisco 3825.  Both Phase one and Phase two complete successfully but I'm unable to ping the remote network.

This is intermittant and often a reboot of the remote ASA will restore the connection.

If anyone is able to suggest some possible solutions to this, I'd be very grateful indeed.

2 REPLIES

Re: VPN Tunnel UP but no traffic.

Hi,

So the tunnel is actually working and passing traffic but traffic stops passing through?

If so and a reboot of the ASA fixes the problem, the tunnel might be getting stucked.

Try implementing ISAKMP keealives on both ends to a low value, so that if the tunnel goes down on one end, it can be reestablished immediatly after sensing interesting traffic.

Federico.

Cisco Employee

Re: VPN Tunnel UP but no traffic.

Hello,

What are the exact symptoms when this problem occurs?  When you are experiencing the issue, please take a look at "show crypto ipsec sa peer x.x.x.x" (where x.x.x.x is the crypto peer address) output to see whether or not the 3825 or the ASA is failing to encrypt traffic anymore.  Issuing the command multiple times will show you whether or not packet encrypt/decrypt counters are increasing.  If we see that one of the counters is not incrementing, we've pinpointed where the problem is occurring.

Since this issue sounds like it's intermittent and a reboot of the ASA fixes the issue, take a look at the following bugs.  They all pertain to the ASA intermittently getting into a state where it duplicates an entry in its crypto classification table.  This causes the ASA to be confused as to which security-association info it needs to use to encrypt traffic to the remote VPN peer.  Ultimately, the symptoms that you'll is the ASA will stop encrypting traffic until a reboot is done.

CSCsh48962 - Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI

CSCso50996 - ASA dropping the packet instead of encrypting it.

CSCsd48512 - Duplicate ASP crypto table entry causes firewall to not encrypt traffic

Please look through the bug notes and see if you can identify whether or not you are hitting this defect.  If so, please make sure you are running a fixed version of code.

Here is a link to Bug Toolkit on CCO to view the bug details.

http://www.cisco.com/cgi-bin/Support/Bugtool/launch_bugtool.pl

-Jeff

3297
Views
0
Helpful
2
Replies