topic Try adding this command: in VPN

Cannot ping remote site over Remote Access VPN

sabyasachi161 — Sat, 22 Feb 2020 04:53:18 GMT

Hi I've a Site to Site tunnel running between a ASA 5520 (8.2 (2) ) and ASA 5510 (8.2(2)) code.

The tunnels works fine and i can ping both ways.

I've a remote Access VPN terminating to the 5520. Now i can ping anything within 5520 but not across ie nothing on 5540.

Similarly if i connect to 5540 i can ping 5540 but not 5520.

I had done split tunnel previously but now i pushed a default route and it still the same.

when i do a debug icmp trace on 5520 i see debugs when i ping the 5520 but no icmp debugs when i ping the 5510.

Checked all configuration but it i did not found anything.

Please help.

Config files are attached.

Okay after huge debugging i found this in asp drop

8: 13:22:07.610350 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
11: 13:22:10.992441 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
18: 13:22:15.719521 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation

I checked on the firewall and there is no resource or connection crunch

privatis(config)# sh mem
Free memory:       348097056 bytes (65%)
Used memory:       188773856 bytes (35%)
-------------     ----------------
Total memory:      536870912 bytes (100%)

privatis(config)# sh resource usage
Resource              Current         Peak      Limit        Denied Context
SSH                         1            4          5             0 System
Conns                       6          325     280000             0 System
Xlates                      1          579        N/A             0 System
Hosts                      12          202        N/A             0 System

Not sure if this is a bug or something.

You'll need to extended your

Philip D'Ath — Sun, 10 Jul 2016 21:15:47 GMT

You'll need to extended your site to site VPN to also include the pool of IP addresses used for the remote access VPN. Then you'll need to check your NAT rules.

Hi Philip,

sabyasachi161 — Thu, 14 Jul 2016 16:10:44 GMT

Hi Philip,

Thanks for looking into this. I'm not sure if you have looked into the config yet.

Here are the snippets

nat (inside) 0 access-list vpn-nat0

access-list vpn-nat0 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0

ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0

This is the crypto map

crypto map cybertron 20 match address decepticons2
crypto map cybertron 20 set peer 207.166.133.2

access-list decepticons2 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0

Please note that both sites can access each other and the tunnel is up

However the Remote users cannot ping remote site but can ping local site.

I still see the same errors

Try adding this command:

Philip D'Ath — Thu, 14 Jul 2016 21:07:09 GMT

Try adding this command:

same-security-traffic permit intra-interface

Its already added

sabyasachi161 — Fri, 15 Jul 2016 11:00:25 GMT

Its already added

boot system disk0:/asa804-k8.bin
ftp mode passive
<--- More --->

same-security-traffic permit inter-interface

Hi,

Dina Odeh — Fri, 15 Jul 2016 16:34:52 GMT

Hi,

I checked the config you did and so far, they are fine on ASA5520. To you have a dynamic site to site between the two ASAs or static site to site ?

There is nothing dynamic here

sabyasachi161 — Sat, 16 Jul 2016 05:31:18 GMT

There is nothing dynamic here. The Peers has been statically defined on each firewall.

Any thoughts ?

NOTE: I added both Same-security command and there is no difference.

I just read the error more

Philip D'Ath — Sat, 16 Jul 2016 06:54:07 GMT

I just read the error more closely. It is complaining about a resource limitation. As you note, there does not appear to be a resource limitation. So perhaps we have a software bug. Can you upgrade to at least 8.4(7)?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s2.html

Name: unable-to-create-flow
Flow denied due to resource limitation:
This counter is incremented and the packet is dropped when flow creation fails due to
a system resource limitation. The resource limit may be either:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete
flow".
Recommendation:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command
"show resource usage".

Hi,

Dina Odeh — Sat, 16 Jul 2016 08:18:01 GMT

Hi,

Okay, I checked the config for ASA5510 but I couldn't find any site to site tunnel with 5520, that's why I asked if we have a dynamic there.

Mainly, we need to add in the crypto ACL on the 5510 ASA to permit the traffic to the VPN pool and fix NAT also there.

I changed the VPn pool ip

sabyasachi161 — Mon, 06 Mar 2017 08:13:47 GMT

I changed the VPn pool ip scope and that seems to have fixed the issue.

Earlier this pool was overlapping with Inside ip scope which caused the issue.