topic Re: ASA problem with IPSEC VPN data not passing in Network Security

ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Mon, 11 Mar 2019 17:36:41 GMT

I am facing a starnge problem .

I have attached the diagram that i could make best.

Now problem is that:

I can ping from 172.16.15.0 > 10.10.16.0/24( all the IP address)

I can ping from 172.16.15.0(any ip) > 10.10.16.22 ( single ip pass )

I can ping from 172.16.15.0(any ip) > 10.10.16.X ( all other ip except .22 fails )

I tried extended ping from router interface ip : 10.10.16.254 ( secondary ) to 172.16.15.0 ( all ip) and it is success.

The configuration and ACL ( Both side) seems to be ok, VPN Tunnel is also up thats why the data is passing and pinging.

Also we found that there are ACL hits in the router, But there is no ACL hits in the ASA ,also there is no duplicate ACL so there is no chance of hitting any other ACL.

Also single inteface in the router has been used for LAN as well as WAN and WAN connectivity is via wireless(ISP)

Plz find the config as below , As i can't share all the config and VPN details i am partially sharing the required one.

Router:
------------------ show version ------------------

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T10 , RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 12:48 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

SUZSOUTH-BGHALLI_WTG-TATANET uptime is 1 hour, 29 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T10.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 7.0) with 236544K/25600K bytes of memory.
Processor board ID FHK135270VD
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

interface FastEthernet0/1
ip address 10.10.16.254 255.255.255.0 secondary
ip address 10.100.134.2 255.255.255.0 secondary
ip address 121.243.2.154 255.255.255.252
duplex auto
speed auto
crypto map Outside-Map

ip route 0.0.0.0 0.0.0.0 121.243.2.153

ip access-list extended Site_B_map
permit ip 10.10.16.0 0.0.0.255 10.101.150.0 0.0.0.255
permit ip 10.10.16.0 0.0.0.255 172.16.15.0 0.0.0.255

====================================================================
ASA:

interface GigabitEthernet0/0
description ### WAN Interface ###
nameif Outside
security-level 0
ip address 122.184.59.100 255.255.255.224 standby 122.184.59.101
!
interface GigabitEthernet0/1
description ### LAN Interface ###
nameif Inside
security-level 100
ip address 10.102.3.15 255.255.255.0 standby 10.102.3.14

interface GigabitEthernet0/2
description LAN/STATE Failover Interface
!
interface GigabitEthernet0/3
nameif Outside-Backup
security-level 0
ip address 121.242.42.4 255.255.255.192
!

access-list ASA-Site-B-ACL extended permit ip 172.16.15.0 255.255.255.0 10.10.16.0 255.255.255.0
access-list ASA-Site-B-ACL extended permit ip 10.11.150.0 255.255.255.0 10.10.16.0 255.255.255.0

access-list ASA-Site-B-ACL extended permit ip 10.101.150.0 255.255.255.0 10.10.16.0 255.255.255.0

Route:
route Outside 0.0.0.0 0.0.0.0 122.184.59.97 1 track 1
route Outside 0.0.0.0 0.0.0.254 122.184.59.97 1

ASA Version: 7.2(4)

Any help is appreciated

Thanks

Rupam

Re: ASA problem with IPSEC VPN data not passing

Jennifer Halim — Sat, 24 Apr 2010 03:56:52 GMT

Try to disable "ip cef" on the router.

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Sat, 24 Apr 2010 05:11:06 GMT

Thanks for your response.

I will try to disable cef on the router, But can you plz let me know how cef can be a problem.

As cef seems to be used for fast switching based on the ip routing table,

HOwever after dsabling cef also the problem is still there

Appreciate your response.

Re: ASA problem with IPSEC VPN data not passing

Jennifer Halim — Sat, 24 Apr 2010 08:45:40 GMT

I've seen many occasions where disabling cef resolves connectivity issue when configuration looks perfect. Just something to try that might resolve the issue.

Another check would be to see if the host that you are trying to reach has personal firewall that might be blocking inbound connection from different subnet which is again always the case that would prevent connectivity.

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Sun, 25 Apr 2010 06:59:28 GMT

Also i have a doubt as why my acl in the ASA is not hitting .

Also there is no duplicate ACL , so no chance of hitting any false ACL.

But my ACL is hitting in the router side,its really confused.

Re: ASA problem with IPSEC VPN data not passing

skint — Sun, 25 Apr 2010 10:16:36 GMT

/32 route pointing towards ASA, but /24 is not? I would try the packet-tracer command here, being sure to run it twice and move troubleshooting further in from there.

-skint

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Sun, 25 Apr 2010 14:27:20 GMT

Tanks for reply

What i understand is that among the mentioned two routes in ASA

route Outside 0.0.0.0 0.0.0.0 122.184.59.97 1 track 1
route Outside 0.0.0.0 0.0.0.254 122.184.59.97 1

the second one " route Outside 0.0.0.0 0.0.0.254 122.184.59.97 1 " this route format is not correct .

and we need to remove it and then check.

Re: ASA problem with IPSEC VPN data not passing

Federico Coto Fajardo — Sun, 25 Apr 2010 15:21:13 GMT

Correct.

The first line is a default gateway with a metric 1 and being tracked.

The second line is incorrect.

Federico.

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Mon, 26 Apr 2010 09:11:05 GMT

I have removed the route and also dsabled cef in the remote router but no hope,

still problem is there, also plz let me know how idaelly the routing should ne for ipsec.

1. The route toward the remote subnet houls be pointed to ASA next hop or to the remote ipsec peer .

I have a doubt and also why my ACL is not hitting the ASA

Re: ASA problem with IPSEC VPN data not passing

skint — Mon, 26 Apr 2010 12:26:50 GMT

The route to the remote network should point to the ASA.

-skint

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Mon, 26 Apr 2010 14:12:39 GMT

There is a certain modification in my previous post that was a typo( copy-paste) errosult are:

Tried to ping from 172.16.15.0 > 10.10.16.0/24( all the IP address) : success

Tried to ping from 10.101.150.0(any ip) > 10.10.16.22 ( single ip pass ) : success

Tried ping from 10.101.150.0(any ip) > 10.10.16.X ( all other ip except .22 fails ) : Fail

Tried to ping from Any server in 10.101.150.0 > the router interface 10.10.16.254 : success

I tried extended ping from router interface ip : 10.10.16.254 ( secondary ) to 10.101.150.0 ( random chekced live ip) and it is success.

Re: ASA problem with IPSEC VPN data not passing

Jennifer Halim — Mon, 26 Apr 2010 14:32:00 GMT

Check that all other ip in the 10.10.16.0/24 subnet does not have personal firewall that blocks incoming connection from different subnets.

If you can ping 10.10.16.22 and 10.10.16.254, that means the VPN is up and running fine, as crypto ACL is configured on subnet base (10.10.16.0/24).

99% of the time, it's the host itself that has personal firewall that blocks incoming connection.

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Mon, 26 Apr 2010 14:40:21 GMT

I have checked and there is no personal firewall on end device as one of the device is pinging.

Second thing if data is passing i should get hits in ACL but i am not getting any hits, what can be the reason for that.

The end device are not client PC they are some node which send collection data from equipment to server.

What can be the reason for not getting ACL hits i am running code 7.2(4) in ASA.

Thanks.

Re: ASA problem with IPSEC VPN data not passing

skint — Mon, 26 Apr 2010 14:44:43 GMT

Try running the following command:

packet-tracer input Inside icmp 172.16.15.1 8 0 10.10.16.21 det

See if it's hitting the encrypt step, based on your messages and not seeing the counters increment, it would appear to be a routing issue.

-skint

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Mon, 26 Apr 2010 14:48:57 GMT

I have done the packet tracer from GUI and it is getting passed and permitting from inside to outside the report says success , but i can't find out which ACL it is hitting in the tracer.

Is there any other way to check.

Re: ASA problem with IPSEC VPN data not passing

skint — Mon, 26 Apr 2010 14:51:35 GMT

Try it from CLI, you can see if the action if VPN encrypt or VPN drop. You should also see an increment on your interesting traffic ACL.

-skint

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Tue, 27 Apr 2010 14:51:39 GMT

Thanks to all of you for sharing your ideas.

It seems that the packet for some of the remote device are nt reaching the remote router interface,

It may be a problem and we are planning to test the same.

Also at the remote end my router has oly one inetrface configured for LAN and WAn and Lan ip i have given as seondary and wan ip as primary to same interface.

.22 is a end host connected to the common switch where router and wireless device is connceted.

.22 is able to ping but the other ip cann't able to ping (.21,.23 etc)those are some power rating device, But from the Router LAN interface was able to ping the device the de the

Re: ASA problem with IPSEC VPN data not passing

rupam_chakra1983 — Thu, 06 May 2010 08:55:29 GMT

Will disabling proxy arp in the router(remote) side help in this case