topic L2L VPN Issue in Network Security

L2L VPN Issue

rrivas — Mon, 11 Mar 2019 20:45:56 GMT

I have a L2L VPN between two ASA5510. The tunnel is up and passing traffic between 14 network pairs but two. I have checked that the interesting traffic is in the no nat ACL, in the crypto map ACL and in the interfaces permitted ACL in both sites. I have checked that crypto mal ACLs match in both sides. When I run "show crypto ipsec sa X.X.X.X" I get the following for the both ACL lines corresponding to the network pairs:

:: Site 1::

Pair 1 (10.10.1.0 ---> 10.10.3.0):

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 587, #pkts decrypt: 587, #pkts verify: 587

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

Pair 2 (10.10.19.0 ---> 10.10.3.0):

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2199, #pkts decrypt: 2199, #pkts verify: 2199
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

::Site 2::

Pair 1 (10.10.3.0 --> 10.10.1.0)

#pkts encaps: 709, #pkts encrypt: 709, #pkts digest: 709

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 709, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

Pair 2 (10.10.3.0 --> 10.10.19.0)

#pkts encaps: 2667, #pkts encrypt: 2667, #pkts digest: 2667

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 2667, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

I have read a similar case resolved with a reset of the equipment in the site where the packets were not being encapsulated. But I don't think a reset should be the solution.

L2L VPN Issue

fgasimzade — Thu, 16 Jun 2011 05:43:06 GMT

Make sure routing is properly configured, that traffic from one subnet to another needs to go through ASA to be encrypted

L2L VPN Issue

rrivas — Thu, 16 Jun 2011 14:59:58 GMT

It is. The server in Site 2 are connected direct to the ASA with a switch. The gateways of these servers is the ASA.

L2L VPN Issue

Rafael Mendes — Thu, 16 Jun 2011 15:32:56 GMT

Post the ouput of comands:

debug crypto isakmp 7

debug crypto ipsec 7

After applying the commands, try to generate interesting traffic to force the peers to stabilish a vpn.

[]s

L2L VPN Issue

rrivas — Thu, 16 Jun 2011 22:11:11 GMT

I ping from site 2 to site 1, and those are the results from the ASDM debugging tool for the networks with problem:

Site 1:

Jun 16 2011

14:50:00

302020

10.10.3.2

512

10.10.19.38

Built inbound ICMP connection for faddr 10.10.3.2/512 gaddr 10.10.19.38/0 laddr 10.10.19.38/0

Jun 16 2011

13:23:18

302021

10.10.3.2

512

10.10.19.38

Teardown ICMP connection for faddr 10.10.3.2/512 gaddr 10.10.19.38/0 laddr 10.10.19.38/0

Site 2:

Jun 16 2011

15:46:50

302020

10.10.3.2

512

10.10.19.38

Built outbound ICMP connection for faddr 10.10.19.38/0 gaddr 10.10.3.2/512 laddr 10.10.3.2/512

Jun 16 2011

15:46:47

302021

10.10.19.38

10.10.3.2

512

Teardown ICMP connection for faddr 10.10.19.38/0 gaddr 10.10.3.2/512 laddr 10.10.3.2/512

L2L VPN Issue

Rafael Mendes — Fri, 17 Jun 2011 15:00:47 GMT

Do you have a nat, or exempt nat?

Are the two networks 10.10.1.0 and 10.10.190 in cryto map in site 1?

Did you check the routes from both sites?

Re: L2L VPN Issue

cco-bloom — Fri, 17 Jun 2011 16:39:36 GMT

Most like the issue is on 10.10.1.0 side of the firewall. As its not encrypting the packets. Plz check nat exempt and mask in crypto map. Btw , which version are u running.

Sent from Cisco Technical Support iPhone App

L2L VPN Issue

rrivas — Fri, 17 Jun 2011 16:56:53 GMT

I have exempt nat. Yes, they are, 10.10.1.0 & 10.10.19.0 are in the crypto map. If they weren't, they wouldn't appear in the "show crypto ipsec sa X.X.X.X" output. I don't have routes since network gateways are configured in the ASAs.

Re: L2L VPN Issue

rrivas — Fri, 17 Jun 2011 17:59:05 GMT

I thing so too or an IOS bug. asa822-k8 in both.

Re: L2L VPN Issue

cco-bloom — Fri, 17 Jun 2011 19:36:46 GMT

If you are running 8.22, then you are hitting buy CSCtd36473.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd36473