topic Re: VPN clients cannot access inside network in Network Security

VPN clients cannot access inside network

kenzummach — Fri, 21 Feb 2020 11:05:37 GMT

I have a ASA 5505 that I am using as a VPN appliance. The outside interface is connected to the DMZ (172.16.2.10) and the inside to our internal network (10.27.1.12). VPN clients are assigned an address in the range 10.27.2.2-10.27.2.20. A 1841 is the router and firewall for the network. Recently the ASA lost power when a UPS went down and now VPN clients can no longer access anything on the inside network. Config is attached. Help.

Re: VPN clients cannot access inside network

ajagadee — Tue, 11 Nov 2008 18:49:02 GMT

Hi,

Do a show crypto ipsec sa and look for packets encrypts and decrypts. If you are seeing decrypts and no encrypts, then check the routing on the IP Address that you are trying to access through the VPN Client. Could be the end host that you are trying to access does not know how to route the packets back to the ASA for the VPN Client Pool.

Regards,

Arul

*Pls rate if it helps*

Re: VPN clients cannot access inside network

kenzummach — Tue, 11 Nov 2008 18:59:22 GMT

Thanks for your response.

I tried running the show crypto ipsec sa and this is what I get:

There are no ipsec sas

Re: VPN clients cannot access inside network

kenzummach — Tue, 11 Nov 2008 20:07:20 GMT

I realized after I posted that I should have a connection active when running this command. Here is the results:

Result of the command: "show crypto ipsec sa"

interface: outside

Crypto map tag: outside_dyn_map, seq num: 20, local addr: 172.16.2.10

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (10.27.2.2/255.255.255.255/0/0)

current_peer: 169.130.14.253, username: kenz

dynamic allocated peer ip: 10.27.2.2

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 172.16.2.10, remote crypto endpt.: 169.130.14.253

path mtu 1500, ipsec overhead 58, media mtu 1500

current outbound spi: 208F45F5

inbound esp sas:

spi: 0x2026D973 (539416947)

transform: esp-3des esp-sha-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 4096, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 28406

IV size: 8 bytes

replay detection support: Y

outbound esp sas:

spi: 0x208F45F5 (546260469)

transform: esp-3des esp-sha-hmac none

in use settings ={RA, Tunnel, }

slot: 0, conn_id: 4096, crypto-map: outside_dyn_map

sa timing: remaining key lifetime (sec): 28406

IV size: 8 bytes

replay detection support: Y

So it looks like there are encrypts but no decrypts. What should I do now?