[Swan] No Traffic Received On Tunnels

Adam Tauno Williams awilliam at whitemice.org
Wed Jul 10 13:30:40 UTC 2019

On Tue, 2019-07-09 at 16:31 -0400, Paul Wouters wrote:
> On Tue, 9 Jul 2019, Adam Tauno Williams wrote:
> > I have a working ipsec server - let's call it X2.X2.X2.X2 - connected
> > via GRE tunnels to three Cisco 890 series routers.  It works!
> Yes it shows the new site is ipsec. You can run ipsec trafficstatus
> to see byte counters, so if you do a ping (with proper source IP)
> then you can check the outBytes to see if it got encrypted, and
> inBytes to see if it got encrypted replies. Then you can likely
> narrow down the specific issue.

Both tunnel interfaces show outbound (TX) traffic.

I can packet capture ESP packets leaving the server's primary interface
which correspond to the remote endpoint.

Neither appears to receive any traffic to the tunnel interfaces.

EXISTING SITE: 006 #23: "btc-gre", type=ESP, add_time=1562755016, inBytes=1967115, outBytes=5936, id='X.X.X.X'
NEW SITE: 006 #25: "ets-gre", type=ESP, add_time=1562755016, inBytes=0, outBytes=352, id='X.X.X.X'
EXISTING SITE: 006 #37: "try-gre", type=ESP, add_time=1562755081, inBytes=10241181, outBytes=12673250, id='X.X.X.X'
EXISTING SITE: 006 #39: "usd-gre", type=ESP, add_time=1562755087, inBytes=157737014, outBytes=3852240137, id='X.X.X.X'

etsgate>show int tunnel0
Tunnel0 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is
  MTU 17874 bytes, BW 1544 Kbit/sec, DLY 50000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source X.X.X.X (FastEthernet0), destination Y.Y.Y.Y
   Tunnel Subblocks:
         Tunnel0 source tracking subblock associated with FastEthernet0
          Set of tunnels with source FastEthernet0, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1434 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "branch-ipsec-profile")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 19:29:10
  Input queue: 0/75/0 (size/max/drops); Total output drops: 15
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles 
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     329 packets output, 30731 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

etsgate#show crypto isakmp sa
dst             src             state          conn-id status
X.X.X.X       Z.Z.Z.Z          QM_IDLE           2007 ACTIVE


etsgate#show crypto engine connections active
Crypto Engine Connections

   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   13  IPsec   AES+SHA                   0        0        0 X.X.X.X
   14  IPsec   AES+SHA                  27        0        0 X.X.X.X
 2007  IKE     SHA+AES256                0        0        0 X.X.X.X

etsgate#show crypto                          

Number of Crypto Socket connections 1

   Tu0 Peers (local/remote): X.X.X.X/Z.Z.Z.Z
       Local Ident  (addr/mask/port/prot): (X.X.X.X/
       Remote Ident (addr/mask/port/prot): (Z.Z.Z.Z/
       IPSec Profile: "branch-ipsec-profile"
       Socket State: Open
       Client: "TUNNEL SEC" (Client State: Active)

Crypto Sockets in Listen state:
Client: "TUNNEL SEC" Profile: "branch-ipsec-profile" Map-name: "Tunnel0-head-0"
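The counter check Paul suggests (outBytes going up while inBytes stays at zero) is easy to apply by eye on four tunnels, but it is also easy to script. The following is an added example, not code from the thread or from Libreswan or Cisco: it parses the `ipsec trafficstatus` lines quoted above (with the "EXISTING SITE:"/"NEW SITE:" labels stripped, so they look like raw command output) and the `show crypto engine connections active` table, and classifies each SA as bidirectional, tx-only, rx-only or idle. The regex and the column positions are assumptions based only on the lines shown in this message; the sample data is constructed from those lines.

```python
"""Classify IPsec SA byte counters to spot one-way tunnels.

Added diagnostic helper (not part of the original post, Libreswan, or
Cisco IOS). It parses the 'ipsec trafficstatus' lines and the Cisco
'show crypto engine connections active' table quoted in the message and
flags SAs that encrypt outbound traffic but never decrypt anything.
"""
import re

# Constructed sample: the counters quoted in the message, with the site
# labels removed so the lines look like raw 'ipsec trafficstatus' output.
TRAFFICSTATUS_SAMPLE = """\
006 #23: "btc-gre", type=ESP, add_time=1562755016, inBytes=1967115, outBytes=5936, id='X.X.X.X'
006 #25: "ets-gre", type=ESP, add_time=1562755016, inBytes=0, outBytes=352, id='X.X.X.X'
006 #37: "try-gre", type=ESP, add_time=1562755081, inBytes=10241181, outBytes=12673250, id='X.X.X.X'
006 #39: "usd-gre", type=ESP, add_time=1562755087, inBytes=157737014, outBytes=3852240137, id='X.X.X.X'
"""

# Constructed sample: the Cisco crypto engine table from the message.
CISCO_ENGINE_SAMPLE = """\
   ID  Type    Algorithm           Encrypt  Decrypt LastSeqN IP-Address
   13  IPsec   AES+SHA                   0        0        0 X.X.X.X
   14  IPsec   AES+SHA                  27        0        0 X.X.X.X
 2007  IKE     SHA+AES256                0        0        0 X.X.X.X
"""

# Field layout assumed from the quoted lines only.
TS_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"]+)", type=(?P<type>\w+), .*?'
    r'inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)'
)


def classify(sent, received):
    """Name the traffic pattern of one SA from its two counters."""
    if sent and received:
        return "bidirectional"
    if sent and not received:
        return "tx-only"   # we encrypt, nothing is decrypted: replies never arrive
    if received and not sent:
        return "rx-only"
    return "idle"


def parse_trafficstatus(text):
    """Return {conn_name: {"sa": n, "in": bytes, "out": bytes, "state": ...}}."""
    result = {}
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        inb, outb = int(m["inb"]), int(m["outb"])
        result[m["conn"]] = {
            "sa": int(m["sa"]), "in": inb, "out": outb,
            "state": classify(outb, inb),
        }
    return result


def parse_cisco_engine(text):
    """Return {conn_id: {...}} for the IPsec rows of the crypto engine table."""
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].isdigit():
            continue   # header or blank line
        conn_id, kind = int(parts[0]), parts[1]
        enc, dec = int(parts[3]), int(parts[4])
        if kind != "IPsec":
            continue   # the IKE SA row carries no ESP traffic counters
        result[conn_id] = {"encrypt": enc, "decrypt": dec, "state": classify(enc, dec)}
    return result


def one_way_tunnels(text):
    """Connections in 'ipsec trafficstatus' output that transmit but never receive."""
    return sorted(c for c, v in parse_trafficstatus(text).items() if v["state"] == "tx-only")


if __name__ == "__main__":
    for conn, v in parse_trafficstatus(TRAFFICSTATUS_SAMPLE).items():
        print(f"{conn:10s} #{v['sa']:<3d} in={v['in']:<11d} out={v['out']:<11d} {v['state']}")
    for cid, v in parse_cisco_engine(CISCO_ENGINE_SAMPLE).items():
        print(f"cisco conn {cid}: encrypt={v['encrypt']} decrypt={v['decrypt']} {v['state']}")
    print("one-way:", one_way_tunnels(TRAFFICSTATUS_SAMPLE))
```

Run against the quoted output it reports `ets-gre` as the only tx-only connection on the Libreswan side and Cisco connection 14 as tx-only on the router side, which is the same symptom seen from both ends: each peer encrypts and sends, neither decrypts anything. Feeding it fresh `ipsec trafficstatus` output after a ping with the proper source IP tells you in one line whether the counters moved.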

