ASA/PIX, IDS, IPS, VPN, Cisco Secure ACS, AAA, ISE.
harry
Member
Posts:
107
Joined:
Wed Dec 10, 2008 6:09 am

vpn tunnel issue

Thu Apr 26, 2012 3:23 am

I have a VPN tunnel issue at one of my sites. Suddenly VPN traffic becomes unreachable whereas the tunnels are up. After resetting the tunnels it starts working fine. The VPN device is a Cisco ASA.

Thanks

ristau5741
Post Whore
Posts:
10451
Joined:
Tue Aug 21, 2007 2:15 pm
Certs:
Instanity

Re: vpn tunnel issue

Thu Apr 26, 2012 7:35 am

What do the logs say?
Tips of the day:
- The human mind is the ultimate creation invention.
- I have so many customers, my customers have customers.
- Sausage time
- POP, stack, and store

Dan-
Senior Member
Posts:
401
Joined:
Mon Feb 14, 2011 10:28 pm
Certs:
CCNA

Re: vpn tunnel issue

Thu Apr 26, 2012 10:14 am

debug crypto isakmp
debug crypto ipsec

Version of ASA code?
How is your nat0 (no-nat) configuration?

harry
Member
Posts:
107
Joined:
Wed Dec 10, 2008 6:09 am

Re: vpn tunnel issue

Fri Apr 27, 2012 2:25 am

Hi, the ASA version is 8.4 and static exempt NAT is configured.

harry
Member
Posts:
107
Joined:
Wed Dec 10, 2008 6:09 am

Re: vpn tunnel issue

Fri Apr 27, 2012 3:08 am

Below is the output of sh crypto ipsec sa:

Crypto map tag: ABC, seq num: 1, local addr: X.X.X.X

access-list ABC-vpn extended permit ip 10.81.X.X 255.255.255.0 172.X.X.X 255.240.0.0
local ident (addr/mask/prot/port): (10.81.x.x/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.x.x.x/255.240.0.0/0/0)
current_peer: x.x.x.x

#pkts encaps: 67490, #pkts encrypt: 67532, #pkts digest: 67532
#pkts decaps: 68288, #pkts decrypt: 68288, #pkts verify: 68288
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 67490, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 42, #pre-frag failures: 0, #fragments created: 84
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 99
#send errors: 0, #recv errors: 0

local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 105EA463
current inbound spi : FD3B37FC

inbound esp sas:
spi: 0xFD3B37FC (4248516604)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 466944, crypto-map: ABC
sa timing: remaining key lifetime (sec): 3404
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x105EA463 (274637923)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 466944, crypto-map: ABC
sa timing: remaining key lifetime (sec): 3403
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
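
The post above gives a single snapshot of the SA counters, which cannot show whether traffic is moving while the fault is present. As an added example (not part of the original thread), this Python sketch compares two snapshots of the counter lines and reports which direction has stalled; the function names and the second snapshot's values are constructed for illustration.

```python
import re

# Constructed sample: counter lines from "show crypto ipsec sa" for one SA,
# captured twice a short interval apart. SNAPSHOT_2 values are made up.
SNAPSHOT_1 = """\
#pkts encaps: 67490, #pkts encrypt: 67532, #pkts digest: 67532
#pkts decaps: 68288, #pkts decrypt: 68288, #pkts verify: 68288
#send errors: 0, #recv errors: 0
"""
SNAPSHOT_2 = """\
#pkts encaps: 67610, #pkts encrypt: 67652, #pkts digest: 67652
#pkts decaps: 68288, #pkts decrypt: 68288, #pkts verify: 68288
#send errors: 0, #recv errors: 0
"""

# Matches "#name: value" pairs such as "#pkts encaps: 67490".
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z .\-]*?):\s*(\d+)")


def parse_counters(text):
    """Return {counter name: int} for every '#name: value' pair in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(before, after):
    """Compare two snapshots of one SA and describe which direction is moving."""
    a, b = parse_counters(before), parse_counters(after)
    delta = {k: b[k] - a[k] for k in a if k in b}
    if any(v < 0 for v in delta.values()):
        return "counters reset (SA rebuilt or cleared between snapshots)"
    if delta.get("send errors", 0) or delta.get("recv errors", 0):
        return "send/recv errors increasing"
    enc, dec = delta.get("pkts encaps", 0), delta.get("pkts decaps", 0)
    if enc and not dec:
        return "encaps only: packets leave encrypted, nothing comes back decrypted"
    if dec and not enc:
        return "decaps only: peer traffic arrives, nothing is encrypted outbound"
    if not enc and not dec:
        return "no traffic matched this SA in either direction"
    return "traffic flowing in both directions"


if __name__ == "__main__":
    print(diagnose(SNAPSHOT_1, SNAPSHOT_2))
```

Take both snapshots while the outage is happening, before resetting the tunnel, since a reset rebuilds the SA and zeroes the counters.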

harry
Member
Posts:
107
Joined:
Wed Dec 10, 2008 6:09 am

Re: vpn tunnel issue

Mon May 14, 2012 6:23 am

Hi, this is quite a serious issue and I have tried everything to resolve it. Now an expert solution is required, so experts, come forward and provide the solutions.

Thanks,
