topic Unable to Ping ASA Subinterface Across VPN Tunnel in Network Security

Unable to Ping ASA Subinterface Across VPN Tunnel

Darren Roback — Tue, 12 Mar 2019 01:40:46 GMT

Hello -

I have a remote ASA with four subinterfaces configured. All four subnets participate in a site-to-site VPN tunnel back to corporate. Currently I'm unable to ping the MGMT subinterface, although I have configured ICMP inspection as well as management-access. Running a debug on ICMP trace shows that, while I am trying to ping 10.33.2.1, the request comes across the debug as 10.33.0.1 (Data_VLAN subinterface).

Any ideas where I'm going wrong??

ASA Version 8.3(1)

hostname VA-4500-ASA-LAN-5505-1

domain-name xxxxxxxx.com

enable password <removed>

passwd <removed>

no names

interface Vlan2

nameif Data_VLAN

security-level 100

ip address 10.33.0.1 255.255.255.0

interface Vlan6

nameif Voice_VLAN

security-level 100

ip address 10.33.1.1 255.255.255.0

interface Vlan10

nameif MGMT_VLAN

security-level 100

ip address 10.33.2.1 255.255.255.0

interface Vlan56

nameif Video_VLAN

security-level 100

ip address 10.33.3.1 255.255.255.0

interface Vlan99

nameif Outside

security-level 0

ip address xxxxxxxx 255.255.255.252

interface Ethernet0/0

description Connected to Internet Router

switchport access vlan 99

interface Ethernet0/1

description Connected to 2960 Switch

switchport trunk allowed vlan 2,6,10,56

switchport trunk native vlan 10

switchport mode trunk

interface Ethernet0/2

switchport access vlan 2

interface Ethernet0/3

switchport access vlan 2

interface Ethernet0/4

switchport access vlan 2

interface Ethernet0/5

switchport access vlan 2

interface Ethernet0/6

switchport access vlan 2

interface Ethernet0/7

switchport access vlan 2

ftp mode passive

clock timezone EST -5

clock summer-time DST recurring

dns domain-lookup MGMT_VLAN

dns server-group DefaultDNS

retries 3

timeout 5

name-server 10.0.204.10

name-server 10.100.204.10

domain-name xxxxxxxx.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network Data_VLAN

subnet 10.33.0.0 255.255.255.0

object network Voice_VLAN

subnet 10.33.1.0 255.255.255.0

object network MGMT_VLAN

subnet 10.33.2.0 255.255.255.0

object network Video_VLAN

subnet 10.33.3.0 255.255.255.0

access-list netflow-export extended permit ip any any

access-list Outside_Cryptomap_1 extended permit ip 10.33.0.0 255.255.255.0 any

access-list Outside_Cryptomap_1 extended permit ip 10.33.1.0 255.255.255.0 any

access-list Outside_Cryptomap_1 extended permit ip 10.33.2.0 255.255.255.0 any

access-list Outside_Cryptomap_1 extended permit ip 10.33.3.0 255.255.255.0 any

pager lines 24

logging enable

logging timestamp

logging buffer-size 512000

logging buffered debugging

logging trap notifications

logging asdm notifications

logging host MGMT_VLAN 10.0.8.11

no logging message 106015

no logging message 313001

no logging message 313008

no logging message 106023

no logging message 710003

no logging message 106100

no logging message 302015

no logging message 302014

no logging message 302013

no logging message 302018

no logging message 302017

no logging message 302016

no logging message 302021

no logging message 302020

flow-export template timeout-rate 1

flow-export delay flow-create 60

mtu Data_VLAN 1500

mtu Voice_VLAN 1500

mtu MGMT_VLAN 1500

mtu Video_VLAN 1500

mtu Outside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (Data_VLAN,any) source static Data_VLAN Data_VLAN

nat (Voice_VLAN,any) source static Voice_VLAN Voice_VLAN

nat (Video_VLAN,any) source static Video_VLAN Video_VLAN

nat (MGMT_VLAN,any) source static MGMT_VLAN MGMT_VLAN

route Outside 0.0.0.0 0.0.0.0 50.199.31.202 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server ACS protocol tacacs+

aaa-server ACS (MGMT_VLAN) host 10.0.8.250

timeout 5

key xxxxxxxx

aaa-server ACS (MGMT_VLAN) host 10.39.157.165

timeout 5

key xxxxxxxx

aaa authentication enable console ACS LOCAL

aaa authentication http console ACS LOCAL

aaa authentication ssh console ACS LOCAL

aaa authentication telnet console ACS LOCAL

http server enable

http xxxxxxxx 255.255.255.0 Outside

http xxxxxxxx 255.255.255.192 Outside

http 10.0.0.0 255.0.0.0 MGMT_VLAN

http redirect MGMT_VLAN 80

http redirect Outside 80

snmp-server host MGMT_VLAN 10.0.8.11 community ***** version 2c

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

snmp-server enable traps syslog

snmp-server enable traps ipsec start stop

snmp-server enable traps entity config-change fru-insert fru-remove

snmp-server enable traps remote-access session-threshold-exceeded

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto map Outside_Map 1 match address Outside_Cryptomap_1

crypto map Outside_Map 1 set peer 192.64.157.61

crypto map Outside_Map 1 set transform-set ESP-AES-128-SHA

crypto map Outside_Map interface Outside

crypto isakmp enable Outside

crypto isakmp policy 1

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh 0.0.0.0 0.0.0.0 Data_VLAN

ssh 10.0.0.0 255.0.0.0 MGMT_VLAN

ssh 0.0.0.0 0.0.0.0 MGMT_VLAN

ssh xxxxxxxx 255.255.255.0 Outside

ssh xxxxxxxx 255.255.255.192 Outside

ssh timeout 5

ssh version 2

console timeout 0

management-access MGMT_VLAN

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.0.4.21 prefer

tftp-server MGMT_VLAN 10.0.81.160 VA-4500-ASA-LAN-5505-1_Config

webvpn

username cisco password <removed> privilege 15

tunnel-group xxxxxxxx type ipsec-l2l

tunnel-group xxxxxxxx ipsec-attributes

pre-shared-key *****

class-map netflow-export-class

match access-list netflow-export

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map netflow-policy

class netflow-export-class

class class-default

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

inspect ip-options

inspect icmp

class class-default

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

no active

destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

destination address email callhome@cisco.com

destination transport-method http

subscribe-to-alert-group diagnostic

subscribe-to-alert-group environment

subscribe-to-alert-group inventory periodic monthly

subscribe-to-alert-group configuration periodic monthly

subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4fef1b392d267ef2da40dca56aad1687

: end

Unable to Ping ASA Subinterface Across VPN Tunnel

Julio Carvajal — Wed, 08 May 2013 18:51:01 GMT

Hello Darren,

while I am trying to ping 10.33.2.1, the request comes across the debug as 10.33.0.1 (Data_VLAN subinterface

Do you mean that you see the destination being 10.33.0.1 or the source of the ICMP packet being 10.33.0.1

Regards

Unable to Ping ASA Subinterface Across VPN Tunnel

Darren Roback — Thu, 09 May 2013 16:14:00 GMT

Hello -

I've performed a debug on ICMP traffic, and here's what I'm seeing from two different stations trying to ping 10.33.2.1. It's interesting as it lists the destination as the Data_VLAN subinterface (10.33.0.1).

ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23

ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32

ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23

ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32

Definitely a weird one!!

Darren

Unable to Ping ASA Subinterface Across VPN Tunnel

Julio Carvajal — Thu, 09 May 2013 16:45:42 GMT

Hello Darren,

Can you change the any keyword on the nat statements to be as specific as possible.

Instead of "any" using the right output interface?

Let me know when you do the changes

Unable to Ping ASA Subinterface Across VPN Tunnel

Darren Roback — Thu, 09 May 2013 17:58:02 GMT

I've updated the NAT translations to the following, with the same result...

nat (MGMT_VLAN,Outside) source static MGMT_VLAN MGMT_VLAN

nat (Data_VLAN,Outside) source static Data_VLAN Data_VLAN

nat (Voice_VLAN,Outside) source static Voice_VLAN Voice_VLAN

nat (Video_VLAN,Outside) source static Video_VLAN Video_VLAN

Thanks
Darren

Unable to Ping ASA Subinterface Across VPN Tunnel

Julio Carvajal — Thu, 09 May 2013 19:22:03 GMT

Hello Darren,

What happens if you do

ping MGMT_VLAN 10.0.8.11

Also can you get as many logs as possible from the ICMP session??

Have you clear the xlate table after the changes?

Let me know

Unable to Ping ASA Subinterface Across VPN Tunnel

Darren Roback — Thu, 09 May 2013 19:41:08 GMT

Interestingly enough, if you source the ping from the MGMT_VLAN subinterface, it will work properly. I have cleared the XLATE and CONN table after making the NAT changes to no avail.

Here's the output from an ICMP debug. Note that I am trying to ping 10.33.2.1 from 10.0.8.11 and 10.0.81.160.

ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3947 len=23

ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=14 len=32

ICMP echo request from 10.0.8.11 to 10.33.0.1 ID=288 seq=3959 len=23

ICMP echo request from 10.0.81.160 to 10.33.0.1 ID=1 seq=15 len=32

Unable to Ping ASA Subinterface Across VPN Tunnel

Julio Carvajal — Thu, 09 May 2013 19:49:51 GMT

Hello Darren,

Okay ,.. I would like to see the logs now, not the debugs,

I will wait for them,

Regards

Unable to Ping ASA Subinterface Across VPN Tunnel

Darren Roback — Thu, 09 May 2013 20:15:17 GMT

Below are the logs - thanks

VA-4500-ASA-LAN-5505-1# sh log

Syslog logging: enabled

Facility: 20

Timestamp logging: enabled

Standby logging: disabled

Debug-trace logging: disabled

Console logging: disabled

Monitor logging: disabled

Buffer logging: level debugging, 285166 messages logged

Trap logging: level notifications, facility 20, 1736 messages logged

Logging to MGMT_VLAN 10.0.8.11

History logging: disabled

Device ID: disabled

Mail logging: disabled

ASDM logging: level notifications, 2191 messages logged

May 09 2013 09:28:05: %ASA-5-111008: User 'droback' executed the 'clear logging buffer' command.

May 09 2013 09:28:05: %ASA-5-111010: User 'droback', running 'CLI' from IP 192.64.157.42, executed 'clear logging buffer'

May 09 2013 09:28:07: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02

May 09 2013 09:28:07: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02

May 09 2013 09:28:08: %ASA-7-609001: Built local-host Outside:192.175.48.42

May 09 2013 09:28:10: %ASA-7-609001: Built local-host Outside:10.0.81.160

May 09 2013 09:28:10: %ASA-7-609001: Built local-host identity:10.33.0.1

May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02

May 09 2013 09:28:12: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02

May 09 2013 09:28:14: %ASA-7-111009: User 'droback' executed cmd: show logging

May 09 2013 09:28:15: %ASA-7-609001: Built local-host Outside:10.0.81.160

May 09 2013 09:28:15: %ASA-7-609001: Built local-host identity:10.33.0.1

May 09 2013 09:28:17: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02

May 09 2013 09:28:17: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02

May 09 2013 09:28:20: %ASA-7-609001: Built local-host Outside:10.0.81.160

May 09 2013 09:28:20: %ASA-7-609001: Built local-host identity:10.33.0.1

May 09 2013 09:28:20: %ASA-7-609001: Built local-host Outside:192.175.48.6

May 09 2013 09:28:22: %ASA-7-609002: Teardown local-host Outside:10.0.81.160 duration 0:00:02

May 09 2013 09:28:22: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02

May 09 2013 09:28:22: %ASA-7-609001: Built local-host identity:10.33.0.1

May 09 2013 09:28:24: %ASA-7-609002: Teardown local-host identity:10.33.0.1 duration 0:00:02

May 09 2013 09:28:24: %ASA-7-609001: Built local-host identity:10.33.0.1

May 09 2013 09:28:24: %ASA-7-111009: User 'droback' executed cmd: show logging

May 09 2013 09:28:25: %ASA-7-609001: Built local-host Outside:10.0.81.160

Unable to Ping ASA Subinterface Across VPN Tunnel

Julio Carvajal — Fri, 10 May 2013 04:13:03 GMT

Hello Darren,

Please check your inbox,

I will analize the logs

Regards