I've been trying the following scenario in my lab: the VPN is up and I see the logs on peer A, but no log or reply from peer B.
Configs:

Peer A

ID  From   To       Src-address   Dst-address   Service  Action  State
11  Trust  Untrust  192.168.3.0~  192.168.10.~  PING     Tunnel  enabled
                                  192.168.2.0~

Peer B

ID  From     To     Src-address   Dst-address   Service  Action  State
4   Untrust  Trust  192.168.3.0~  192.168.10.~  PING     Tunnel  enabled
                                  192.168.2.0~
get sa (Peer A)
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< BBBBBBBBBBB 500 esp:a128/sha1 8fb8ba70 2653 unlim A/- -1 0
00000007> BBBBBBBBBBB 500 esp:a128/sha1 92f9d192 2653 unlim A/- 11 0
get sa (Peer B)
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000017< AAAAAAAAAAAAAA 500 esp:a128/sha1 92f9d192 2526 unlim A/- -1 0
00000017> AAAAAAAAAAAAAA 500 esp:a128/sha1 8fb8ba70 2526 unlim A/- 3 0
get db str (Peer A)
****** 1450076.0: <Trust/ethernet0/1> packet received [60]******
ipid = 20687(50cf), @03988770
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/1:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/1>, out <N/A>
[ Dest] 12.route 192.168.3.2->0.0.0.0, to ethernet0/1
chose interface ethernet0/1 as incoming nat if.
flow_first_routing: in <ethernet0/1>, out <N/A>
search route to (ethernet0/1, 192.168.3.2->192.168.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 11.route 192.168.2.2->GWAAAAAAAA, to ethernet0/0
routed (x_dst_ip 192.168.2.2) from ethernet0/1 (ethernet0/1 in 0) to ethernet0/0
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.2, port 34131, proto 1)
No SW RPC rule match, search HW rule
swrs_search_ip: policy matched id/idx/action = 11/0/0x49
Permitted by policy 11
No src xlate choose interface ethernet0/0 as outgoing phy if
no loop on ifp ethernet0/0.
session application type 0, name None, nas_id 0, timeout 60sec
service lookup identified service 0.
flow_first_final_check: in <ethernet0/1>, out <ethernet0/0>
existing vector list 5-4ff6134.
Session (id:8045) created for first pak 5
flow_first_install_session======>
handle cleartext reverse route
search route to (ethernet0/0, 192.168.2.2->192.168.3.2) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/1
[ Dest] 12.route 192.168.3.2->192.168.3.2, to ethernet0/1
route to 192.168.3.2
arp entry found for 192.168.3.2
ifp2 ethernet0/1, out_ifp ethernet0/1, flag 00800801, tunnel ffffffff, rc 1
flow got session.
flow session id 8045
flow_main_body_vector in ifp ethernet0/1 out ifp ethernet0/0
flow vector index 0x5, vector addr 0x20b7680, orig vector 0x20b7680
post addr xlation: 192.168.3.2->192.168.2.2.
going into tunnel 40000007.
flow_encrypt: pipeline.
chip info: PIO. Tunnel id 00000007
(vn2) doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
put packet(3c33030) into flush queue.
remove packet(3c33030) out from flush queue.
**** jump to packet:AAAAAAAAAAAA->BBBBBBBBBBBBBBB
packet encapsulated, type=ipsec, len=120
ipid = 42890(a78a), @03988744
out encryption tunnel 40000007 gw:BBBBBBBBBBBBB
no more encapping needed
send out through normal path.
flow_ip_send: a78a:AAAAAAAAAAAAAA->BBBBBBBBBBB,50 => ethernet0/0(120) flag 0x20, vlan 0
mac 0019e2e3dfc0 in session
packet send out to 0019e2e3dfc0 through ethernet0/0
**** pak processing end.
get db str (Peer B)
****** 917489.0: <Untrust/ethernet0/0> packet received [120]******
ipid = 42890(a78a), @0387b270
packet passed sanity check.
flow_decap_vector IPv4 process
ethernet0/0:AAAAAAAAAAAAA/37625->BBBBBBBBBBBB/53650,50<Root>
existing session found. sess token 4
flow got session.
flow session id 8055
flow_decrypt: 33ca708(b), flow_decrypt: 33ca708(b)pipeline.
IPv4 encrypted pak.
Dec: SPI = 92f9d192, Data Len = 120
SA tunnel id=0x00000017, flag<02400063>
chip info: PIO. Tunnel id 00000017
ipsec decrypt prepare done
ipsec decrypt set engine done
auth check pass!
ipsec decrypt engine released
packet is decrypted
ipsec decrypt done
put packet(3c33030) into flush queue.
remove packet(3c33030) out from flush queue.
**** jump to packet:192.168.3.2->192.168.2.2
flow_decap_vector IPv4 process
packet decapsulated, type=ipsec, len=60
ipid = 20687(50cf), @0387b270
ethernet0/0:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
no session found
flow_first_sanity_check: in <ethernet0/0>, out <N/A>
flow_first_routing: in <ethernet0/0>, out <N/A>
search route to (ethernet0/0, 192.168.3.2->192.168.2.2) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 10.route 192.168.2.2->192.168.2.2, to ethernet0/1
routed (x_dst_ip 192.168.2.2) from ethernet0/0 (ethernet0/0 in 0) to ethernet0/1
policy search from zone 1-> zone 2
policy_flow_search policy search nat_crt from zone 1-> zone 2
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 192.168.2.2, port 34131, proto 1)
policy_flow_search in tunnel
VPN policy= -99: szone 1 dzone 2 pid -99 ports 8008553 iphdr 387b270
**** pak processing end.
Does anyone have a clue?
Thanks in advance,
Michel
#policy#screenos#vpn
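Added example, not from the post and not Juniper tooling: a small Python triage helper that parses a `get sa` table and a `get db str` flow trace in the shapes shown above and reports the two facts a reviewer checks first on a policy-based VPN, namely whether the decrypted packet matched a policy inside the tunnel (the `VPN policy=` line, where a negative id means no match) and whether the PID column of each outbound SA corresponds to a policy id that actually exists. The sample inputs are constructed from the post's lines, with the gateway addresses left masked as in the post; the policy-id sets are the ids visible in the two policy tables. Run against peer B's data it flags both the `VPN policy= -99` result and the fact that the outbound SA carries PID 3 while the listed policy has id 4; these are things to check, not a diagnosis.

```python
"""Triage helper for ScreenOS policy-based VPN debug output (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# ---- constructed sample inputs, mirroring the post's output ----
SA_PEER_A = """\
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< BBBBBBBBBBB 500 esp:a128/sha1 8fb8ba70 2653 unlim A/- -1 0
00000007> BBBBBBBBBBB 500 esp:a128/sha1 92f9d192 2653 unlim A/- 11 0
"""
SA_PEER_B = """\
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000017< AAAAAAAAAAAAAA 500 esp:a128/sha1 92f9d192 2526 unlim A/- -1 0
00000017> AAAAAAAAAAAAAA 500 esp:a128/sha1 8fb8ba70 2526 unlim A/- 3 0
"""
POLICY_IDS_PEER_A = {11}   # ids listed in peer A's policy table
POLICY_IDS_PEER_B = {4}    # ids listed in peer B's policy table

TRACE_PEER_A = """\
ethernet0/1:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
no session found
policy search from zone 2-> zone 1
Permitted by policy 11
going into tunnel 40000007.
"""
TRACE_PEER_B = """\
ethernet0/0:AAAAAAAAAAAAA/37625->BBBBBBBBBBBB/53650,50<Root>
Dec: SPI = 92f9d192, Data Len = 120
SA tunnel id=0x00000017, flag<02400063>
ethernet0/0:192.168.3.2/50440->192.168.2.2/768,1(8/0)<Root>
no session found
policy search from zone 1-> zone 2
policy_flow_search in tunnel
VPN policy= -99: szone 1 dzone 2 pid -99 ports 8008553 iphdr 387b270
"""

SA_LINE = re.compile(
    r"^(?P<hexid>[0-9a-f]{8})(?P<dir>[<>])\s+(?P<gw>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]{8})\s+(?P<life>\d+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>\S+)\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)\s*$"
)
# Only the cleartext (inner) flow line has dotted-quad addresses; masked lines are skipped.
FLOW_LINE = re.compile(r"^ethernet\S+:(\d+\.\d+\.\d+\.\d+/\d+->\d+\.\d+\.\d+\.\d+/\d+),")


@dataclass
class SaRow:
    hexid: str
    outbound: bool   # '>' rows are outbound SAs, '<' rows inbound
    gateway: str
    spi: str
    pid: int         # policy id the SA is bound to; -1 on the inbound row


@dataclass
class FlowFacts:
    inner_flow: Optional[str] = None
    dec_spi: Optional[str] = None
    sa_tunnel_id: Optional[str] = None
    zone_search: Optional[str] = None
    permitted_policy: Optional[int] = None
    vpn_policy: Optional[int] = None   # value after "VPN policy="; negative = no match


def parse_sa_table(text: str) -> List[SaRow]:
    rows = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            rows.append(SaRow(m["hexid"], m["dir"] == ">", m["gw"], m["spi"], int(m["pid"])))
    return rows


def parse_flow_trace(text: str) -> FlowFacts:
    facts = FlowFacts()
    patterns = [
        (FLOW_LINE, lambda m: setattr(facts, "inner_flow", m.group(1))),
        (re.compile(r"^Dec: SPI = ([0-9a-f]+)"), lambda m: setattr(facts, "dec_spi", m.group(1))),
        (re.compile(r"^SA tunnel id=0x([0-9a-f]+)"), lambda m: setattr(facts, "sa_tunnel_id", m.group(1))),
        (re.compile(r"^policy search from zone (\d+)-> zone (\d+)"),
         lambda m: setattr(facts, "zone_search", f"{m.group(1)}->{m.group(2)}")),
        (re.compile(r"^Permitted by policy (\d+)"), lambda m: setattr(facts, "permitted_policy", int(m.group(1)))),
        (re.compile(r"^VPN policy= (-?\d+):"), lambda m: setattr(facts, "vpn_policy", int(m.group(1)))),
    ]
    for raw in text.splitlines():
        line = raw.strip()
        for rx, action in patterns:
            m = rx.match(line)
            if m:
                action(m)
                break
    return facts


def triage(sa_rows: List[SaRow], policy_ids: Set[int], facts: FlowFacts) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    if facts.vpn_policy is not None and facts.vpn_policy < 0:
        findings.append(
            f"decrypted packet {facts.inner_flow} (SPI {facts.dec_spi}, tunnel {facts.sa_tunnel_id}) "
            f"matched no VPN policy in tunnel (VPN policy= {facts.vpn_policy}); "
            f"review the tunnel policy for zone search {facts.zone_search}"
        )
    for row in sa_rows:
        if row.outbound and row.pid >= 0 and row.pid not in policy_ids:
            findings.append(
                f"SA {row.hexid} (SPI {row.spi}, gw {row.gateway}) is bound to policy id {row.pid}, "
                f"which is not among the listed policy ids {sorted(policy_ids)}"
            )
    return findings


if __name__ == "__main__":
    for name, sa, ids, trace in (("Peer A", SA_PEER_A, POLICY_IDS_PEER_A, TRACE_PEER_A),
                                 ("Peer B", SA_PEER_B, POLICY_IDS_PEER_B, TRACE_PEER_B)):
        print(name, triage(parse_sa_table(sa), ids, parse_flow_trace(trace)) or ["nothing flagged"])
```

The parsers only key on line prefixes that appear in the post's own output, so on a different ScreenOS build the regexes may need adjusting; the point of the helper is to keep the cross-check between `get sa` PIDs and the policy table in one place rather than reading it by eye.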