fir3net

ASA - VPN Traffic is not being encrypted (CSCsd48512)

Issue

Traffic is sent out from the ASA unencrypted.

Cause

This can be caused by a duplicate (stale) entry in the ASP crypto classification table, which prevents the ASA from encrypting any traffic destined for the remote network. The symptom is visible in the output of show asp table classify domain encrypt: two entries for the same interface, direction, source network and destination network, here one with a large hit count and one with zero hits. They are,

Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
        hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0

out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0

Note: Full details of this bug are in Cisco bug CSCsd48512 (Duplicate ASP crypto table entry causes firewall to not encrypt traffic).
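As an added example (not part of the original note and not Cisco code), the following Python script parses the output above, in the format of show asp table classify domain encrypt, and reports any group of entries that classify the same traffic more than once, which is the condition described in this note. The sample input is a constructed copy of the two entries shown above; the grouping key (interface, direction, protocol, source network, destination network) is my choice of what "the same traffic" means and is not taken from the bug text.

```python
"""Detect duplicate domain=encrypt entries in ASA ASP classification output.

Added example for the fir3net note on CSCsd48512; not Cisco code.
Paste the text of 'show asp table classify domain encrypt' into
parse_asp_classify() and find_duplicates() returns every group of entries
that cover the same interface/direction/protocol/src/dst more than once.
"""
import re
from collections import defaultdict

# Constructed sample input: a copy of the two entries reproduced in the note.
SAMPLE_OUTPUT = """\
Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
        hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0

out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
        src ip=192.168.100.0, mask=255.255.255.0, port=0
        dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
"""

IFACE_RE = re.compile(r"^Interface (\S+):")
ENTRY_RE = re.compile(r"^(in|out) id=(0x[0-9a-fA-F]+), priority=(\d+), domain=(\w+), deny=(\w+)")
HITS_RE = re.compile(r"hits=(\d+).*?protocol=(\d+)")
SRC_RE = re.compile(r"src ip=([^,\s]+), mask=([^,\s]+)")
DST_RE = re.compile(r"dst ip=([^,\s]+), mask=([^,\s]+)")


def parse_asp_classify(text):
    """Return one dict per classification entry found in the command output."""
    entries = []
    iface = None
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)          # entries that follow belong to this interface
            continue
        m = ENTRY_RE.match(line)
        if m:
            cur = {
                "iface": iface,
                "dir": m.group(1),
                "id": m.group(2),
                "priority": int(m.group(3)),
                "domain": m.group(4),
                "deny": m.group(5) == "true",
                "hits": None,
                "protocol": None,
                "src": None,
                "dst": None,
            }
            entries.append(cur)
            continue
        if cur is None:                 # header lines ('!', blanks) before the first entry
            continue
        m = HITS_RE.search(line)
        if m:
            cur["hits"] = int(m.group(1))
            cur["protocol"] = int(m.group(2))
            continue
        m = SRC_RE.search(line)
        if m:
            cur["src"] = (m.group(1), m.group(2))   # (network, mask)
            continue
        m = DST_RE.search(line)
        if m:
            cur["dst"] = (m.group(1), m.group(2))
    return entries


def find_duplicates(entries, domain="encrypt"):
    """Group entries by the traffic they classify; keep only groups with more than one entry.

    Key: (interface, direction, protocol, src network, dst network). Insertion
    order is preserved, so the first entry in a group is the one listed first
    by the ASA.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["domain"] != domain:
            continue
        groups[(e["iface"], e["dir"], e["protocol"], e["src"], e["dst"])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def describe(dups):
    """One human-readable line per duplicate group, with each entry's id and hit count."""
    lines = []
    for (iface, direction, proto, src, dst), group in dups.items():
        members = ", ".join(f"{e['id']} hits={e['hits']}" for e in group)
        lines.append(f"{iface} {direction} proto={proto} "
                     f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]}: {members}")
    return lines


if __name__ == "__main__":
    for line in describe(find_duplicates(parse_asp_classify(SAMPLE_OUTPUT))):
        print(line)
```

On the sample above the script reports one group on interface outside with ids 0xd616fff0 (hits=855899) and 0xd1592dd0 (hits=0). The script only finds the duplicate; which of the two entries is the stale one is not stated in the note, so the hit counts are printed for the operator to judge.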

Solution

There are 2 solutions to this issue,

  1. Reboot the firewall. This clears the stale entry, but it is only a workaround, as the software that created it is unchanged.
  2. Upgrade the firewall to a fixed release: 7.0(4.13), 7.2(0.46), 7.1(2.1), 7.0(5), 7.2(1) or 8.0(0.1).

After either step, confirm that show asp table classify domain encrypt lists a single entry for the affected source and destination networks.

Additional References

CSCsh48962 - Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI.
CSCso50996 - ASA dropping the packet instead of encrypting it.

Tags: ASA, Bug, Cisco, VPN

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001