PIX VPN tunnel 0 bytes TX!

That's the scenario:

PIX 515E with release 7.1. I have a LAN-to-LAN VPN (3DES-MD5). It works perfectly, but if I have a disconnect by timeout or shutdown from the other side, sometimes I see that in the VPN tunnel the TX bytes are at 0. Meanwhile I can see the RX counters incrementing.

The tunnel is perfectly established; phase 1 and phase 2 complete without errors or warnings.

But in ASDM, while monitoring the VPN, the TX bytes stay at 0 and the RX increments OK.

Any ideas?

I'm thinking about a bug in this PIX release :(

Reply to
XaBi

Are both IPSec SAs available? It looks like the classic blackhole effect.

Reply to
Lutz Donnerhacke

Yes, they are available; I have phase 1 and phase 2 completed.

What's the blackhole effect?

thanks

Reply to
XaBi

Does "show crypto ipsec sa" report two active SAs?

The data channels of IPsec are one-way; that's why there are at least two. If the receiver side forgets the SA, the received data is silently dropped (as required by the standard). There is no way to determine this loss of data other than looking at the SAs on both sides.

Usually this effect does not occur, because the control channel (phase 1) is used to inform the other side about the drop of any SA. Unfortunately, the control channel is vulnerable to loss of packets ...

Reply to
Lutz Donnerhacke

hi!

Here is the output of the IPsec SA; look at the encapsulation counters at 0; that's the 0 bytes TX. (Removed the public peer IP with *.*.*.*):

Crypto map tag: VPNmap, seq num: 130, local addr: EXTMARMEDSA

  access-list extranet_cryptomap_130 permit ip 10.0.0.0 255.0.0.0 INTSANTANDER 255.255.0.0
  local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
  remote ident (addr/mask/prot/port): (INTSANTANDER/255.255.0.0/0/0)
  current_peer: 88.2.173.40

  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 678, #pkts decrypt: 678, #pkts verify: 678
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt.: EXTMARMEDSA, remote crypto endpt.: *.*.*.*

  path mtu 1500, ipsec overhead 60, media mtu 1500
  current outbound spi: A4D3C26E

inbound esp sas:
  spi: 0x58F18B77 (1492224887)
     transform: esp-3des esp-md5-hmac
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 29, crypto-map: VPNmap
     sa timing: remaining key lifetime (kB/sec): (4274937/24199)
     IV size: 8 bytes
     replay detection support: Y
outbound esp sas:
  spi: 0xA4D3C26E (2765341294)
     transform: esp-3des esp-md5-hmac
     in use settings ={L2L, Tunnel, }
     slot: 0, conn_id: 29, crypto-map: VPNmap
     sa timing: remaining key lifetime (kB/sec): (4275000/24199)
     IV size: 8 bytes
     replay detection support: Y

thank you

Lutz D> Are both IPSec SAs available? It looks like the classic blackhole effect.

Reply to
XaBi

So _now_ you have two SAs.

You have to compare this information -- when the problem occurs -- from your site and from your Spanish peer.

Reply to
Lutz Donnerhacke
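As an added example (not code from the thread or from Cisco), here is a small Python script that does the comparison Lutz describes in his two replies above: it parses the ESP counters and SPIs out of each side's "show crypto ipsec sa" output, flags a receive-only SA (decaps climbing while encaps stays at 0), and reports any SPI that one side encrypts with but the other side no longer holds, which is the silent-drop "blackhole" case. The local sample mirrors XaBi's paste; the peer sample is constructed.

```python
import re

def parse_ipsec_sa(text):
    """Extract ESP counters and SPIs from 'show crypto ipsec sa' output for one crypto map entry."""
    view = {"encaps": 0, "decaps": 0, "inbound": set(), "outbound": set()}
    direction = None  # which 'esp sas' section we are currently in
    for line in text.splitlines():
        for key in ("encaps", "decaps"):
            if m := re.search(rf"#pkts {key}: (\d+)", line):
                view[key] = int(m.group(1))
        if "inbound esp sas" in line:
            direction = "inbound"   # SPIs this box decrypts with
        elif "outbound esp sas" in line:
            direction = "outbound"  # SPIs this box encrypts with
        elif direction and (m := re.search(r"spi: 0x([0-9A-Fa-f]+)", line)):
            view[direction].add(m.group(1).upper())
    return view

def find_blackhole(local, peer):
    """Flag one-way counters and SPIs that one side uses but the other side does not hold."""
    findings = []
    for name, v in (("local", local), ("peer", peer)):
        if v["encaps"] == 0 and v["decaps"] > 0:
            findings.append(f"{name}: decaps={v['decaps']} but encaps=0 (receive-only)")
    for spi in sorted(local["outbound"] - peer["inbound"]):
        findings.append(f"local outbound SPI {spi} missing on peer: peer silently drops our traffic")
    for spi in sorted(peer["outbound"] - local["inbound"]):
        findings.append(f"peer outbound SPI {spi} missing locally: we silently drop peer traffic")
    return findings

# Constructed samples shaped like the thread's output; the peer side is invented.
LOCAL = """#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 678, #pkts decrypt: 678, #pkts verify: 678
inbound esp sas:
  spi: 0x58F18B77 (1492224887)
outbound esp sas:
  spi: 0xA4D3C26E (2765341294)
"""
PEER = """#pkts encaps: 678, #pkts encrypt: 678, #pkts digest: 678 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
  spi: 0x0BADF00D (195948557)
outbound esp sas:
  spi: 0x58F18B77 (1492224887)
"""

if __name__ == "__main__":
    for finding in find_blackhole(parse_ipsec_sa(LOCAL), parse_ipsec_sa(PEER)):
        print(finding)
```

Run it with the two outputs captured at the moment the TX counter sticks at 0; an empty result means both sides still agree on every SPI and the problem lies elsewhere.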

ok!

I've compared them; it seems to be OK.

I've just upgraded to 7.2.1 and ASDM 5.2.1

Now it's working OK. Let me check it all this weekend to see how it's going.

BTW, ver 7.2.1 and ASDM 5.2.1 have good new features :)

thanks

Lutz Donnerhacke wrote:

Reply to
XaBi