topic Re: asa&gre in Network Security

asa&gre

sergiu.campian — Mon, 11 Mar 2019 18:18:10 GMT

Hi.

I have problems with an ASA 5510 and GRE.

I can't make a gre tunnel from the inside network to a host on the internet. I only get to the part where I have to enter the username and password and there it breaks. I get a teardown gre connection in the logs exactly after 30 sec.

The inside network and outside network both have real ip addresses so I have no NAT configured and no need for NAT.

I tried fixup protocol pptp 1723 and inspect pptp.

The ACLs allow both gre and tcp 1723 both on the outside and on the inside (I also tried with allow ip any any to be sure it's not ACL related).

Any ideas?

Re: asa&gre

Nagaraja Thanthry — Thu, 29 Jul 2010 14:25:17 GMT

Hello,

Can you please post the output of "show service-policy" and "show asp drop"

commands? Please follow below steps before collecting the output:

-- Clear the counters i.e. clear service-policy & clear asp drop

-- Initiate a GRE tunnel session

-- Once it fails, issue "show service-policy" and "show asp drop"

Regards,

Re: asa&gre

sergiu.campian — Thu, 29 Jul 2010 14:32:09 GMT

Hello

Thanks for the reply. Here is the output:

Result of the command: "show service-policy"

Global policy:
Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 743, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 3, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 14, drop 0, reset-drop 0

Interface inside10:
Service-policy: inside10-policy
    Class-map: inside10-class
      IPS: card status Up, mode inline fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0

Interface outside:
Service-policy: pptp_policy
    Class-map: pptp-port
      Inspect: pptp, packet 0, drop 0, reset-drop 0
    Class-map: outside-class
      IPS: card status Up, mode inline fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0

Result of the command: "show asp drop"

Frame drop:
First TCP packet not SYN (tcp-not-syn)                                     145
TCP failed 3 way handshake (tcp-3whs-failed)                                21
TCP RST/FIN out of order (tcp-rstfin-ooo)                                   21
Dropped pending packets in a closed socket (np-socket-closed)                2

Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15

Flow drop:

Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15

Re: asa&gre

Nagaraja Thanthry — Thu, 29 Jul 2010 14:43:17 GMT

Hello,

I see that you have an IPS module installed on the firewall. Can you bypass

the IPS module for the PPTP traffic and see if that helps?

Regards,

Re: asa&gre

sergiu.campian — Thu, 29 Jul 2010 14:45:48 GMT

I bypassed the IPS for all the traffic with the same result

Re: asa&gre

Jitendriya Athavale — Thu, 29 Jul 2010 16:02:11 GMT

can you collect some captures on the inside and outside of ASA, so that we can see where it is failing

also have you tried bypassing the firewall does it work fine (just to confirm that the configuration is fine)

any way the captures on ASA's inside and outside will tell us who and hopefully why the device is dropping the packet

Re: asa&gre

Nagaraja Thanthry — Thu, 29 Jul 2010 17:44:40 GMT

Hello,

What is the code version you are running on the firewall?

Regards,

Re: asa&gre

Diego Armando Cambronero Arias — Thu, 29 Jul 2010 20:10:06 GMT

Post the log level 7.

Post the config.