Wednesday, November 20, 2019

Weird VPN issue.

So today I got a call from a customer saying that the VPN between them and their billing company is down. I have not changed any config on our ASA, and the other team said the same thing. I am only seeing decaps and no encaps, and I am at a loss as to what has caused this issue.

Here is the output of the cfg and the packet-tracer results; any ideas help!

Only seeing decaps and no encaps.

 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
 #pkts compressed: 0, #pkts decompressed: 0
 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
 #TFC rcvd: 0, #TFC sent: 0
 #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
 #send errors: 0, #recv errors: 0

 local crypto endpt.: xxx.xxx.xxx.xxx/0, remote crypto endpt.: xxx.xxx.xxx.xxx/0
 path mtu 1500, ipsec overhead 58(36), media mtu 1500
 PMTU time remaining (sec): 0, DF policy: copy-df
 ICMP error validation: disabled, TFC packets: disabled
 current outbound spi: 1D2031CF
 current inbound spi : 589530ED

 inbound esp sas:
   spi: 0x589530ED (1486172397)
      transform: esp-3des esp-md5-hmac no compression
      in use settings ={L2L, Tunnel, IKEv1, }
      slot: 0, conn_id: 376832, crypto-map: mymap
      sa timing: remaining key lifetime (kB/sec): (3914980/27090)
      IV size: 8 bytes
      replay detection support: Y
      Anti replay bitmap:
       0xFFFFFFFF 0xFFFFFFFF
 outbound esp sas:
   spi: 0x1D2031CF (488649167)
      transform: esp-3des esp-md5-hmac no compression
      in use settings ={L2L, Tunnel, IKEv1, }
      slot: 0, conn_id: 376832, crypto-map: mymap
      sa timing: remaining key lifetime (kB/sec): (3915000/27090)
      IV size: 8 bytes
      replay detection support: Y
      Anti replay bitmap:
       0x00000000 0x00000001

Shadyside-ASA# packet-tracer input inside tcp 192.168.10.92 65230 172.20.1.245 443 detialed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static INT-COMPFELLOW-HOSTS INT-COMPFELLOW-HOSTS destination static COMPUTERFELLOWS-HOSTS COMPUTERFELLOWS-HOSTS
Additional Information:
NAT divert to egress interface outside
Untranslate 172.20.1.245/443 to 172.20.1.245/443

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static INT-COMPFELLOW-HOSTS INT-COMPFELLOW-HOSTS destination static COMPUTERFELLOWS-HOSTS COMPUTERFELLOWS-HOSTS
Additional Information:
Static translate 192.168.10.92/65230 to 192.168.10.92/65230
Forward Flow based lookup yields rule:
in  id=0xcb4dfba8, priority=6, domain=nat, deny=false
        hits=0, user_data=0xcb4dc918, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.10.92, mask=255.255.255.255, port=0, tag=0
        dst ip/id=172.20.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc826b6f0, priority=1, domain=nat-per-session, deny=true
        hits=2137, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcb48d9f8, priority=0, domain=inspect-ip-options, deny=true
        hits=1645, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xcc1b2ba8, priority=0, domain=host-limit, deny=false
        hits=1323, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb8eef68, priority=70, domain=encrypt, deny=false
        hits=1, user_data=0x0, cs_id=0xcb8e5058, reverse, flags=0x0, protocol=0
        src ip/id=192.168.10.92, mask=255.255.255.255, port=0, tag=0
        dst ip/id=172.20.1.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is the firewall cfg that has not changed.

object network obj-192.168.10.6
 host 192.168.10.6
object network obj-192.168.10.7
 host 192.168.10.7
object network COMPUTERFELLOWS-HOSTS
 subnet 172.20.1.0 255.255.255.0
object network obj-192.168.10.12
 host 192.168.10.12
object network obj-192.168.10.13
 host 192.168.10.13
object network obj-192.168.10.64
 host 192.168.10.64
object network obj-192.168.10.92
 host 192.168.10.92
object network obj-192.168.10.63
 host 192.168.10.64
object network obj-192.168.10.66
 host 192.168.10.92
object-group network INT-COMPFELLOW-HOSTS
 network-object object obj-192.168.10.64
 network-object object obj-192.168.10.92
 network-object object obj-192.168.10.63
 network-object object obj-192.168.10.66
access-list COMPUTERFELLOWS-VPN extended permit ip object-group INT-COMPFELLOW-HOSTS object COMPUTERFELLOWS-HOSTS
crypto map mymap 2 match address COMPUTERFELLOWS-VPN
crypto map mymap 2 set peer xxx.xxx.xxx.xxx
crypto map mymap 2 set ikev1 transform-set ESP-3DES-MD5
crypto map mymap 2 set security-association lifetime seconds 28800
crypto map mymap 2 set security-association lifetime kilobytes 4608000
nat (inside,any) source static INT-COMPFELLOW-HOSTS INT-COMPFELLOW-HOSTS destination static COMPUTERFELLOWS-HOSTS COMPUTERFELLOWS-HOSTS
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 ikev1 pre-shared-key ******
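As an added example (not part of the original post or any ASA tooling), a small Python helper that turns the two outputs above into a triage finding: the SA counters classify the tunnel as inbound-only (decaps without encaps), and the packet-tracer text yields the phase that dropped and its reason. The sample strings are constructed from the figures quoted in the post.

```python
import re

# Constructed sample input modelled on the post's counters and packet-tracer result (not a live capture).
SA_OUTPUT = """\
 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
 #pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
"""
TRACER_OUTPUT = """\
Phase: 6
Type: HOST-LIMIT
Result: ALLOW

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def sa_counters(text):
    """Collect the '#pkts <name>: <n>' counters from 'show crypto ipsec sa' output."""
    return {k: int(v) for k, v in re.findall(r"#pkts (\w+): (\d+)", text)}

def tunnel_direction(text):
    """Classify an SA by its counters: traffic in both directions, one direction, or none."""
    c = sa_counters(text)
    enc, dec = c.get("encaps", 0) > 0, c.get("decaps", 0) > 0
    # decaps without encaps means the peer encrypts but this side never does: the fault is on the local encrypt path
    return {(True, True): "bidirectional", (False, True): "inbound-only",
            (True, False): "outbound-only"}.get((enc, dec), "idle")

def dropping_phase(text):
    """Return (phase, type, subtype, drop reason) for the first DROP phase in packet-tracer output, else None."""
    m = re.search(r"Drop-reason: (.+)", text)
    reason = m.group(1).strip() if m else None
    for block in re.split(r"\n\s*\n", text.strip()):   # phases are blank-line separated
        fields = dict(re.findall(r"^([\w-]+): ?(.*)$", block, re.M))
        if fields.get("Result") == "DROP":
            return (int(fields["Phase"]), fields.get("Type", ""), fields.get("Subtype", ""), reason)
    return None

def diagnose(sa_text, tracer_text):
    """Combine both views into the one-line finding a triage note would carry."""
    direction, drop = tunnel_direction(sa_text), dropping_phase(tracer_text)
    if direction == "inbound-only" and drop and drop[1:3] == ("VPN", "encrypt"):
        return f"one-way tunnel: local side never encrypts; packet-tracer drops in phase {drop[0]}: {drop[3]}"
    return f"direction={direction}, drop={drop}"
```

Feed it the full `show crypto ipsec sa` and `packet-tracer` text rather than the trimmed samples; the counter and phase regexes are unaffected by the extra lines.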
