vpn router question
marcusaureliusbrutus
Member Posts: 73 ■■□□□□□□□□
in CCNP
Hi. Given the below output from show crypto session detail:
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 host 10.1.1.1
Outbound: #pkts enc'ed 0 drop 1293 life (KB/Sec) 0/0
If encr'ed is 0 does that mean that packets from 10.10.10.0/24 subnet is not being encrypted and instead dropped? If so, was it dropped by my router or my peer's router? I have a similar output but the enc'ed increments as i ping from a host from 10.10.10.0 to a different host and the drop output remains unchanged but i don't get any ping replies from the destination host. I am now confused how to determine whether my packets are being encrypted but rejected by my peer router.
I would appreciate any help on this.
Thanks in advance.
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 host 10.1.1.1
Outbound: #pkts enc'ed 0 drop 1293 life (KB/Sec) 0/0
If encr'ed is 0 does that mean that packets from 10.10.10.0/24 subnet is not being encrypted and instead dropped? If so, was it dropped by my router or my peer's router? I have a similar output but the enc'ed increments as i ping from a host from 10.10.10.0 to a different host and the drop output remains unchanged but i don't get any ping replies from the destination host. I am now confused how to determine whether my packets are being encrypted but rejected by my peer router.
I would appreciate any help on this.
Thanks in advance.
Comments
-
bighornsheep Member Posts: 1,506Follow the steps for IPSec tunnel in your troubleshooting...
- Is Phase-1 established? (show crypto isakmp sa)
- If not, are the isakmp policies matching (authentication, encryption, DH group, hashing)?
- If isakmp policy is matching, is the peer defined with the proper authentication method? (ie. crypto isakmp key <key> address <ip addr> no-xauth)
- If the peer definition is done properly, do you have a symmetrically mirrored access-list? (ie. permit ip 10.10.10.0 0.0.0.255 host 10.1.1.1; permit ip host 10.1.1.1 10.10.10.0 0.0.0.255)
- Is the phase-2 IPSec transform defined matching on both sides? (ie. crypto ipsec transform-set <transform name> <encryption transform> <hashing transform>)
- Are the above tied properly to a crypto map?
Jack of all trades, master of none -
mzinz Member Posts: 328If no packets are being encrypted by the router on that IPSEC SA, then no traffic is being sent over the tunnel.
Likely, this is because the traffic sent isn't considered interesting.
Whenever I see this, first thing I do is check my ACL's to verify that my interesting traffic is properly defined.
How were you sending the traffic? From a host in the defined subnet, or from the router itself? If you're sending traffic from the router itself to test, make sure to do "ping X.X.X.X source <int>" where the defined interface is the one considered interesting._______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801 -
dtlokee Member Posts: 2,378 ■■■■□□□□□□The drops are occuring on the router with the incrementing "drop" counter. I agree with Bighornsheep that it seems you are missing something or have misconfigured something on the side dropping the packets (I would guess the peer IP address). Does the router show that it has "decaps" from the peer?
Like jonny 5 said, "need input"The only easy day was yesterday!