topic Re: Weird One Way VPN tunnel issue in Network Security

Weird One Way VPN tunnel issue

IT Dept — Mon, 11 Mar 2019 22:16:16 GMT

Site A ASA5550 with vlan1, vlan2, and vlan3 <~~ Headquarter

Site B ASA5510 with vlan1

Site C ASA5505 with vlan1

Site A is a HQ and we have Site-to-Site VPN set for all sites with IPsec IKEv1 IPsec

Site A <--> Site B

Site A <--> Site C

Problem is on Site A HQ to Site B. For some reason VPN tunnel only establishes in one direction Site B to Site A but not Site A to Site B. When I logout the Site-to-Site VPN for Site A <-> Site B, there is no way for Site A to ping or connect to any server to Site B unless Site B ping or establish connections to Site A first, then Site A can ping or connect to Site B afterwards. The get around right now is I will need to ask someone from SIte B to ping Site A vlan1, vlan2, and vlan3 so that I can connect from Site A to Site B. All ASA is on the latest 8.4(3) version.

Site A <~> Site C works perfect fine without any probelm!! When I logout the Site-to-Site VPN for Site A <~> SIte C, the VPN tunnel established right away from either Site A to Site C or Site C to Site A.

Any suggestion on what should I look for before posting any configurations?

Thank you in advance. 😃

Weird One Way VPN tunnel issue

rizwanr74 — Wed, 18 Jan 2012 20:10:01 GMT

First, please check whether you have a static route pushing site B traffic toward to default gateway on Site "A " ASA5550.

if that does not help, please copy your config on the forum for easy of trouble shooting from ASA5550.

Thanks

Rizwan Rafeek

Weird One Way VPN tunnel issue

Julio Carvajal — Wed, 18 Jan 2012 20:13:49 GMT

Hello,

Can you check the crypto ACL configuration on both sides and paste it in here so we can take a look at it?

Regards,

Julio

Weird One Way VPN tunnel issue

IT Dept — Wed, 18 Jan 2012 21:14:12 GMT

Thanks for your quick reply rizwanr74! Yes we do have static routes setup on Site A ASA5550 and both Site B and Site C outside interface are there with Site A Gateway IP on it.

Weird One Way VPN tunnel issue

IT Dept — Wed, 18 Jan 2012 21:27:04 GMT

Thanks for your reply Julio. What command should I type in to show just the cryptop ACL configuration? I'm doing my best to show just the information you guys are looking for instead of the whole configuration file.

Weird One Way VPN tunnel issue

Julio Carvajal — Wed, 18 Jan 2012 21:30:07 GMT

Hello,

Under the crypto maps, you will see a match x.x.x.x ( where the x.x.x is the ACL that we are looking for)

We need both sites ACL (Branch and Site C)

Regards,

Julio

Re: Weird One Way VPN tunnel issue

IT Dept — Wed, 18 Jan 2012 22:32:38 GMT

Is that what you are looking for? THANKS!!!

Site A HQ ASA

crypto map outside_map 3 match address outside_cryptomap_2

crypto map outside_map 3 set peer (Site B ISP IP)

crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set reverse-route

crypto map outside_map 5 match address outside_cryptomap_3

crypto map outside_map 5 set peer (Site C ISP IP)

crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

Site B Branch ASA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer (Site A ISP IP)

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set reverse-route

crypto map outside_map 3 match address outside_cryptomap

crypto map outside_map 3 set peer (Site C ISP IP)

crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set reverse-route

Site C Branch ASA

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer (Site A ISP IP)

crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 1 set reverse-route

crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 2 set peer (Site B ISP IP)

crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 2 set reverse-route

Re: Weird One Way VPN tunnel issue

Julio Carvajal — Wed, 18 Jan 2012 23:06:16 GMT

Hello,

Now on the ASA on Site A, please get the following

show run access-list outside_cryptomap_2

Now on the ASA on Site B, please get the following

show run access-list address outside_1_cryptomap

Regards,

Re: Weird One Way VPN tunnel issue

IT Dept — Wed, 18 Jan 2012 23:24:10 GMT

Site A HQ ASA

show run access-list outside_cryptomap_2

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12

Site B Branch ASA

show run access-list outside_1_cryptomap

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group SiteA-Network

Thank You!!

Re: Weird One Way VPN tunnel issue

Julio Carvajal — Wed, 18 Jan 2012 23:57:26 GMT

Hello IT,

ASA HQ Site A

On the Site A HQ ASA

Can you look for the configuration of this Object group DM_INLINE_NETWORK_12, Is this the network on the other site ( Site B) ?

Regards,

Julio

Re: Weird One Way VPN tunnel issue

IT Dept — Thu, 19 Jan 2012 00:22:12 GMT

Julio,

DM_INLINE_NETWORK_12 is only exited on Site A HQ ASA under outside_cryptomap_2

Source: Site A vlan1, Site A vlan2, Site A vlan3

Destination: Site B Network

Service: IP

I don't see any DM_INLINE_NETWORK_12 under Site B ASA. I believed DM_INLINE_NETWORK_12 was created automatically by using the ASDM wizard (some one else created long ago)

Thanks!

Re: Weird One Way VPN tunnel issue

Julio Carvajal — Thu, 19 Jan 2012 00:51:36 GMT

Hello,

On Site A:

Please do the following:

packet-tracer input inside tcp x.x.x.x (Host ip on vlan A site A) 1025 x.x.x.x (Host on other site of the tunnel-SiteB) 80

Regards,

Julio

Weird One Way VPN tunnel issue

IT Dept — Thu, 19 Jan 2012 01:06:09 GMT

Site A HQ ASA:

packet-tracer input inside tcp x.x.x.x (VLAN1 IP on Site A) 1025 x.x.x.x (Host IP on Site B) 80

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in SiteB-network 255.255.0.0 outside

Phase: 3

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 4

Type: FILTER

Subtype: filter-ftp

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: FILTER

Subtype: filter-url

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type:

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10

Additional Information:

Static translate x.x.x.x (VLAN1 IP Address)/1025 to x.x.x.x (VLAN1 IP Address)/1025

Phase: 8

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Phase: 9

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Phase: 10

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 11

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 644050669, packet dispatched to next module

Result:

input-interface: inside

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: allow

Weird One Way VPN tunnel issue

Julio Carvajal — Thu, 19 Jan 2012 02:25:04 GMT

Hello,

On the packet tracer we can see is hitting a static rule, thing that should not happen!

Can we see the show run static, show run nat, sh run global.. And the ACLs for the nat 0( you will see a nat statement with an ID of 0 holding an ACL, I would like to see that acl-Show run acl xxxx (name)

Regards,

Weird One Way VPN tunnel issue

IT Dept — Thu, 19 Jan 2012 17:55:38 GMT

Julio,

I tired show run-config static and show run-config global but both doesn't work... not sure why... I did not see any NAT 0 on my configure file or what exact command do I need to type in to find out? Please see below for everything I found related to NAT and ACL

Thanks again for all of your help!

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Site A ASA show run nat

nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10

object network inside-network

nat (inside,outside) dynamic outside-defaultnat

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_10

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12

Weird One Way VPN tunnel issue

Julio Carvajal — Thu, 19 Jan 2012 18:26:34 GMT

Hello,

Yes, the nat is properly configured, can you check the show run route?

There got a be a route going to the DM_INLINE_NETWORK_10 going to the outside ( it my be a route outside 0.0.0.0 0.0.0.0)

Can you confirm that?

Regards,

Julio

Weird One Way VPN tunnel issue

IT Dept — Thu, 19 Jan 2012 18:46:30 GMT

Julio,

Site A ASA show run route

route inside inside-network 255.255.252.0 10.255.255.254 1

route inside x.x.x.x (VLAN 1 IP) 255.255.0.0 10.255.255.254 1

route inside x.x.x.x (VLAN 2 IP) 255.255.0.0 10.255.255.254 1

route inside x.x.x.x (VLAN 3 IP) 255.255.0.0 10.255.255.254 1

route outside Site B-network 255.255.0.0 x.x.x.x 1 (Site A Host)

route outside Site C-network 255.255.0.0 x.x.x.x 1 (Site A Host)

That's the thing I don't understand.. Site C network got similar setting as Site B on Site A ASA and it is working fine... =(

Thanks!

Weird One Way VPN tunnel issue

Julio Carvajal — Thu, 19 Jan 2012 18:55:11 GMT

Hello,

Yes, I understand what you mean. Can you check the transform-set used on the Site A with the Site B transform set?

Regards,

Julio

Weird One Way VPN tunnel issue

IT Dept — Thu, 19 Jan 2012 19:21:47 GMT

Julio,

What command do you want me to type in to check on the transform set?

Thants the thing.. I don't think the probelm is on the site-to-site VPN settings because the tunnel works fine as long as Site B established the connections first by Pinging/connectiong to anything from Site A. Site B and Site C are using the same Site to site VPN Group Policy on Site A ASA.

Thanks!

Weird One Way VPN tunnel issue

Julio Carvajal — Thu, 19 Jan 2012 21:21:34 GMT

Hello IT,

Correct, but the thing is the packet tracer shows that everything is working fine on this site (A). So my next question would be:

Is site B receiving the traffic?

For that you can do a capture from one host on site A to one host on site B

access-list test permit ip host_A_ip host_b_ip

access-list test permit ip host_b_ip host_A_ip

capture capin access-list test interface inside

You should do this configuration on both ASAS.

Then do a Show cap capin on both ASAs, and provide the output.....

Regards,

Julio