Thursday, November 28, 2024

cisco asa – Troubleshooting ipsec ikev2 site to site vpn


I assume, for the peer IP we use, it is the WAN interface of the Cisco ASA and not the gateway of the ISP, right? Also, all routes should go to the same IP of the WAN interface, right?

So we have two Cisco ASA 5500 series and 2 ISPs connected for redundancy. We want to route the traffic to go through our ISP2. But the problem I don't have experience in is that this ISP doesn't route our static IPs for us. We have a block of static IPs facing the public, and have to have a router which points all the traffic to our router/gateway, which points all the traffic to the ISP.

Setting up the site to site VPN, I've set it up to exit the ISP2 interface, which has an assigned static IP on our ASA, but cannot seem to get things working. Right now, all traffic has a static rule to send all traffic to the ISP gateway on the router on the edge going to the hand off.

Configs of both sites' ASAs are below, along with the show crypto ipsec sa and trace routes. Usually the first trace route fails, not sure if that is normal? The second time usually always works and we can see the session start up in the ASDM session profile. However, we cannot ping between networks. Ideas?

Site A

----------------------------------------------------
Objects
----------------------------------------------------
object network DataSeg13
 subnet 10.113.0.0 255.255.0.0
object network SiteBRemote10.1.10.0Network
 subnet 10.1.10.0 255.255.255.248

----------------------------------------------------
Define IKEv2 Policy:
----------------------------------------------------
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable ISP_2_WANInterface

----------------------------------------------------
Define IPsec Transform Set:
----------------------------------------------------
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

----------------------------------------------------
Create Tunnel Group:
----------------------------------------------------
tunnel-group [SITE B PUBLIC WAN IP] type ipsec-l2l
tunnel-group [SITE B PUBLIC WAN IP] general-attributes
 default-group-policy GroupPolicy_[SITE B PUBLIC WAN IP]
tunnel-group [SITE B PUBLIC WAN IP] ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

----------------------------------------------------
Configure Crypto Map:
----------------------------------------------------
crypto map ISP_2_WANInterface_map 3 match address ISP_2_WANInterface_cryptomap
crypto map ISP_2_WANInterface_map 3 set peer [SITE B PUBLIC WAN IP]
crypto map ISP_2_WANInterface_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map ISP_2_WANInterface_map interface ISP_2_WANInterface

crypto map ISP_2_WANInterface_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

----------------------------------------------------
Define Access List for VPN Traffic:
----------------------------------------------------
access-list ISP_2_WANInterface_cryptomap extended permit ip object DataSeg13 object SiteBRemote10.1.10.0Network

----------------------------------------------------
Static Route and Static Path to Direct VPN Traffic to ISP2:
----------------------------------------------------
route ISP_2_WANInterface 0.0.0.0 0.0.0.0 [SITE A WAN IP OF THE GATEWAY] 5
route ISP_2_WANInterface 10.1.10.0 255.255.255.248 [SITE A WAN IP OF THE GATEWAY] 1

Site B

----------------------------------------------------
Objects
----------------------------------------------------
object network 10.113.0.0-network
 subnet 10.113.0.0 255.255.0.0

----------------------------------------------------
Define IKEv2 Policy
----------------------------------------------------
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside

----------------------------------------------------
Define IPsec Transform Set
----------------------------------------------------
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

----------------------------------------------------
Create Tunnel Group
----------------------------------------------------
tunnel-group [SITE A PUBLIC WAN IP] type ipsec-l2l
tunnel-group [SITE A PUBLIC WAN IP] general-attributes
 default-group-policy GroupPolicy_[SITE A PUBLIC WAN IP]
tunnel-group [SITE A PUBLIC WAN IP] ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

----------------------------------------------------
Configure Crypto Map
----------------------------------------------------
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer [SITE A PUBLIC WAN IP]
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside

----------------------------------------------------
Define Access List for VPN Traffic
----------------------------------------------------
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.248 object 10.113.0.0-network
access-list outside_cryptomap_1 extended permit ip 10.1.10.0 255.255.255.0 object 10.113.0.0-network
access-list outside_cryptomap_2 extended permit ip 10.1.10.0 255.255.255.0 object 10.113.0.0-network
access-list SITE_A_OFFICE_ACCESS extended deny ip 10.113.0.0 255.255.255.0 host 10.1.10.1 log
access-list SITE_A_OFFICE_ACCESS extended permit ip 10.113.0.0 255.255.0.0 10.1.10.0 255.255.255.248 log

----------------------------------------------------
Static Route and Static Path to Direct VPN Traffic to ISP1:
----------------------------------------------------
route outside 0.0.0.0 0.0.0.0 [SITE B WAN IP OF THE GATEWAY] 1

SHOW LOGS

ASA-1/pri/act# show crypto ipsec sa
Doesn't show the active VPN connection

ASA-1/pri/act# packet-tracer input inside tcp 10.113.1.11 500 10.1.10.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f842969c270, priority=1, domain=permit, deny=false
        hits=4040842493, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop [SITE A WAN IP OF THE GATEWAY] using egress ifc  ISP_2_WANInterface

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface ISP_2_WANInterface
Untranslate 10.1.10.1/500 to 10.1.10.1/500

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8429682c10, priority=13, domain=permit, deny=false
        hits=51084378, user_data=0x7f841ed55ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f842aa194d0, priority=7, domain=conn-set, deny=false
        hits=56857924, user_data=0x7f842aa15340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.113.1.11/500 to 10.113.1.11/500
 Forward Flow based lookup yields rule:
 in  id=0x7f842758d3a0, priority=6, domain=nat, deny=false
        hits=14, user_data=0x7f8429e166d0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
        dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=ISP_2_WANInterface

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f84288c6380, priority=0, domain=nat-per-session, deny=false
        hits=110098636, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f84296a38b0, priority=0, domain=inspect-ip-options, deny=true
        hits=68976842, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f842b2e5d40, priority=71, domain=sfr, deny=false
        hits=70517966, user_data=0x7f842abc8bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8429a56720, priority=20, domain=lu, deny=false
        hits=46497807, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f842a925010, priority=70, domain=encrypt, deny=false
        hits=11, user_data=0x0, cs_id=0x7f842a8beb40, reverse, flags=0x0, protocol=0
        src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
        dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=ISP_2_WANInterface

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP_2_WANInterface
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
              

-------------------------------------------
TRIED AGAIN SAME THING
-------------------------------------------

ASA-1/pri/act#
ASA-1/pri/act# packet-tracer input inside tcp 10.113.1.11 500 10.1.10.$

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f842969c270, priority=1, domain=permit, deny=false
        hits=4041271514, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop [SITE A WAN IP OF THE GATEWAY] using egress ifc  ISP_2_WANInterface

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface ISP_2_WANInterface
Untranslate 10.1.10.1/500 to 10.1.10.1/500

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8429682c10, priority=13, domain=permit, deny=false
        hits=51088859, user_data=0x7f841ed55ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f842aa194d0, priority=7, domain=conn-set, deny=false
        hits=56862405, user_data=0x7f842aa15340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.113.1.11/500 to 10.113.1.11/500
 Forward Flow based lookup yields rule:
 in  id=0x7f842758d3a0, priority=6, domain=nat, deny=false
        hits=15, user_data=0x7f8429e166d0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
        dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=ISP_2_WANInterface

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f84288c6380, priority=0, domain=nat-per-session, deny=false
        hits=110106939, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f84296a38b0, priority=0, domain=inspect-ip-options, deny=true
        hits=68982554, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
 match access-list sfr_redirect
policy-map global_policy
 class sfr
  sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f842b2e5d40, priority=71, domain=sfr, deny=false
        hits=70522700, user_data=0x7f842abc8bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8429a56720, priority=20, domain=lu, deny=false
        hits=46500984, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f842ca06180, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x578216c, cs_id=0x7f842a8beb40, reverse, flags=0x0, protocol=0
        src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
        dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=ISP_2_WANInterface

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f842e137ac0, priority=6, domain=nat-reverse, deny=false
        hits=15, user_data=0x7f8429e1a5a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
        dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=ISP_2_WANInterface

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f842c94a2a0, priority=70, domain=ipsec-tunnel-flow, deny=false
        hits=1, user_data=0x5784a2c, cs_id=0x7f842a8beb40, reverse, flags=0x0, protocol=0
        src ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any
        dst ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any, dscp=0x0
        input_ifc=ISP_2_WANInterface, output_ifc=any

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f84288c6380, priority=0, domain=nat-per-session, deny=false
        hits=110106941, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f842963f140, priority=0, domain=inspect-ip-options, deny=true
        hits=9583840, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=ISP_2_WANInterface, output_ifc=any

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 77534832, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP_2_WANInterface
output-status: up
output-line-status: up
Action: allow

Show crypto ipsec sa results after running the packet tracer: the VPN session now shows up in show crypto ipsec sa, but no data passes, and we can't ping any devices over there.

interface: ISP_2_WANInterface
    Crypto map tag: ISP_2_WANInterface_map, seq num: 3, local addr: [IP of WAN INTERFACE OF ASA_ISP2]

      access-list ISP_2_WANInterface_cryptomap extended permit ip 10.113.0.0 255.255.0.0 10.1.10.0 255.255.255.248
      local ident (addr/mask/prot/port): (DataSeg13/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.248/0/0)
      current_peer: [SITE B PUBLIC WAN IP]

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: [IP of WAN INTERFACE OF ASA_ISP2]/500, remote crypto endpt.: [SITE B PUBLIC WAN IP]/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: C00A8628
      current inbound spi : 30B4CF8E

    inbound esp sas:
      spi: 0x30B4CF8E (817155982)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 247746560, crypto-map: ISP_2_WANInterface_map
         sa timing: remaining key lifetime (kB/sec): (4147200/28771)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC00A8628 (3221915176)
         SA State: active
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 247746560, crypto-map: ISP_2_WANInterface_map
         sa timing: remaining key lifetime (kB/sec): (4008960/28771)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
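
As an added example (not part of the question, and not Cisco's code), a small Python checker that runs the three checks a practitioner applies to an L2L tunnel that is "up but passes nothing": whether the two crypto ACLs bound to each site's crypto map are mirror images, whether the proxy identities the SA was negotiated with match the peer's ACL, and whether the encaps/decaps counters are zero. The sample lines are transcribed from the post, with object names expanded to the subnets they define and Site B's ACL taken as outside_cryptomap_2 because that is what crypto map outside_map 3 references.

```python
import ipaddress
import re

# Constructed sample input: the crypto ACL each site's crypto map references
# and a cut of Site A's "show crypto ipsec sa", transcribed from the post with
# the object names expanded to the subnets they define.
SITE_A_CRYPTO_ACL = ("access-list ISP_2_WANInterface_cryptomap extended permit ip "
                     "10.113.0.0 255.255.0.0 10.1.10.0 255.255.255.248")
SITE_B_CRYPTO_ACL = ("access-list outside_cryptomap_2 extended permit ip "
                     "10.1.10.0 255.255.255.0 10.113.0.0 255.255.0.0")
SITE_A_SHOW_SA = """\
      local ident (addr/mask/prot/port): (10.113.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.248/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ACE_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_ace(line):
    """Return (src_net, dst_net) from an 'extended permit ip SRC MASK DST MASK' ACE."""
    m = ACE_RE.search(line)
    if not m:
        raise ValueError("unsupported ACE: " + line)
    return (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))


def is_mirror_image(local_ace, remote_ace):
    """L2L crypto ACLs must mirror: our src is the peer's dst and vice versa."""
    l_src, l_dst = parse_ace(local_ace)
    r_src, r_dst = parse_ace(remote_ace)
    return l_src == r_dst and l_dst == r_src


def negotiated_selectors(show_sa):
    """Pull the local/remote proxy identities the SA was actually built with."""
    nets = []
    for side in ("local", "remote"):
        m = re.search(rf"{side} ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/", show_sa)
        nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return tuple(nets)


def sa_counters(show_sa):
    """Return (#pkts encaps, #pkts decaps); both zero means an idle tunnel."""
    enc = int(re.search(r"#pkts encaps: (\d+)", show_sa).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", show_sa).group(1))
    return enc, dec


def diagnose(local_ace, peer_ace, show_sa):
    """Run the three checks and return a list of findings (empty = all clear)."""
    findings = []
    if not is_mirror_image(local_ace, peer_ace):
        findings.append("crypto ACLs are not mirror images of each other")
    local_id, remote_id = negotiated_selectors(show_sa)
    peer_src, peer_dst = parse_ace(peer_ace)
    if remote_id != peer_src or local_id != peer_dst:
        findings.append("negotiated selectors differ from the peer's ACL (IKEv2 narrowing)")
    enc, dec = sa_counters(show_sa)
    if enc == 0:
        findings.append("#pkts encaps is 0: nothing is being sent into the tunnel")
    if dec == 0:
        findings.append("#pkts decaps is 0: nothing is arriving from the peer")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SITE_A_CRYPTO_ACL, SITE_B_CRYPTO_ACL, SITE_A_SHOW_SA):
        print("-", finding)
```

Feed it the real `show run access-list` lines and `show crypto ipsec sa` output from both ASAs; a non-empty findings list points at which of the three checks to work on first.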
