12-15-2019 10:25 PM
Hi,
We have an existing remote site using an ASA 5506. We're connected to this site via a site-to-site VPN. We've decided to switch to another provider for budgeting purposes and we've obtained a broadband connection to that site. The problem is they gave us a PPPoE /32 IP address, and thus we'll have to make a few configuration changes. The primary thing I noticed when we switched over to PPPoE is that I can't ping the public IP, thus killing the site-to-site VPN. I even added an allow any any rule in the firewall, but I still can't ping the public interface.
Is there anything I should know to allow the public IP to be pingable when changing the IP from static to PPPoE on a Cisco ASA 5506?
Thanks
12-16-2019 12:23 AM
Not sure whether the provider allows ping or not; check that with the provider.
1. The site-to-site VPN does not require ping, as long as the two sides are able to communicate.
2. Check that the other ports required to establish a tunnel are open.
3. From the new provider, are you able to use the internet and other sites normally, as expected from an ISP?
12-22-2019 04:34 PM
1. The site-to-site VPN does not require ping, as long as the two sides are able to communicate.
2. Check that the other ports required to establish a tunnel are open.
3. From the new provider, are you able to use the internet and other sites normally, as expected from an ISP?
Yeah ping isn't required but I like to use it for troubleshooting.
I already added an any any rule, and I still can't ping Google 8.8.8.8 from the PPPoE interface.
the provider s
12-23-2019 12:54 AM
I already added an any any rule, and I still can't ping Google 8.8.8.8 from the PPPoE interface.
BB - This case is different. First you need to have basic connectivity over the internet before you establish the S2S VPN connection.
You need to fix this. Post the configuration, the one without ping to 8.8.8.8. Is 8.8.8.8 not pinging after the S2S config, or before?
02-27-2020 11:28 PM
03-02-2020 08:35 AM
Some ASAs are not allowed to ping, so you won't be able to ping back the WAN public IP address.
Can you post the VPN config from both sides, and also look at the logs related to the VPN? Where do you see the issue, Phase 1 or Phase 2?
03-02-2020 11:06 PM - edited 03-02-2020 11:08 PM
Hi,
Sure, here is the config on my ASA
!
interface GigabitEthernet1/1
nameif outside
security-level 0
pppoe client vpdn group PLDT
ip address pppoe setroute
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
object-group network Group_Inside_Subnets
network-object 192.168.1.0 255.255.255.0
object-group network Group_HQ_Inside_Subnets
network-object 10.11.15.224 255.255.255.224
access-list 100 extended permit icmp any any
access-list outside_cryptomap extended permit ip object-group Group_Inside_Subnets object-group Group_HQ_Inside_Subnets
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 100.100.100.100
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ikev2 enable outside
crypto ikev1 enable outside
group-policy GroupPolicy_100.100.100.100 internal
group-policy GroupPolicy_100.100.100.100 attributes
vpn-tunnel-protocol ikev1 ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 100.100.100.100 type ipsec-l2l
tunnel-group 100.100.100.100 general-attributes
default-group-policy GroupPolicy_100.100.100.100
tunnel-group 100.100.100.100 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
I'm peering with a Meraki, so there's no CLI output, but here's the config on their end.
Set at default:
Phase 1
Encryption: 3DES
Auth: SHA1
lifetime: 28800
Phase 2
Encryption: AES256, AES192, AES128, 3DES
Auth: SHA1, MD5
PFS Group: off
Lifetime: 28800
The ASA is giving out these logs as well:
5 Mar 03 2020 3:00:48 713259 Group = 100.100.100.100, IP = 100.100.100.100, Session is being torn down. Reason: crypto map policy not found
3 Mar 03 2020 3:00:48 713902 Group = 100.100.100.100, IP = 100.100.100.100, Removing peer from correlator table failed, no match!
3 Mar 03 2020 3:00:48 713061 Group = 100.100.100.100, IP = 100.100.100.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.11.15.128/255.255.255.224/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside
Phase 1 is fine, though:
5 Mar 03 2020 2:55:16 713119 Group = 100.100.100.100, IP = 100.100.100.100, PHASE 1 COMPLETED
Thanks!
03-03-2020 06:24 AM - edited 03-03-2020 06:25 AM
"Session is being torn down. Reason: crypto map policy not found" - see the failed one in the logs.
Look at the thread below, change the setting on the Meraki, and try.
ASA diag tips for reference:
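The accepted answer points at the "crypto map policy not found" message; the 713061 line in the same log excerpt is the one that carries the actual mismatch, because it prints the proxy identities (traffic selectors) the peer proposed. The script below is an added example for this thread, not code from the original post, Cisco or Meraki. It parses the object-groups, the crypto ACL and the `match address` lines of the ASA config posted above, extracts the local and remote proxies from the 713061 syslog line, and reports which half of the pair the crypto ACL does not cover. The config and log lines are copied from the post (the peer address 100.100.100.100 is the poster's placeholder); the parsing is limited to the `extended permit ip` ACL form used there, and the function and variable names are my own.

```python
"""Check ASA 713061 'no matching crypto map entry' logs against the crypto ACL.

Added example for this forum thread, not Cisco or Meraki code.
"""
import ipaddress
import re

# Relevant lines copied from the ASA config posted in the thread.
ASA_CONFIG = """\
object-group network Group_Inside_Subnets
network-object 192.168.1.0 255.255.255.0
object-group network Group_HQ_Inside_Subnets
network-object 10.11.15.224 255.255.255.224
access-list 100 extended permit icmp any any
access-list outside_cryptomap extended permit ip object-group Group_Inside_Subnets object-group Group_HQ_Inside_Subnets
crypto map outside_map 1 match address outside_cryptomap
"""

# Syslog lines copied from the same post (sample input for this script).
ASA_LOGS = """\
5 Mar 03 2020 3:00:48 713259 Group = 100.100.100.100, IP = 100.100.100.100, Session is being torn down. Reason: crypto map policy not found
3 Mar 03 2020 3:00:48 713061 Group = 100.100.100.100, IP = 100.100.100.100, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.11.15.128/255.255.255.224/0/0 local proxy 192.168.1.0/255.255.255.0/0/0 on interface outside
5 Mar 03 2020 2:55:16 713119 Group = 100.100.100.100, IP = 100.100.100.100, PHASE 1 COMPLETED
"""

# ASA prints proxies as addr/mask/protocol/port; only addr and mask matter here.
PROXY_RE = re.compile(
    r"713061 .*remote proxy (?P<ra>[\d.]+)/(?P<rm>[\d.]+)/\d+/\d+ "
    r"local proxy (?P<la>[\d.]+)/(?P<lm>[\d.]+)/\d+/\d+"
)


def _net(addr, mask):
    """Build a network from ASA's 'address mask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _operand(toks, groups):
    """Consume one ASA address operand; return (networks, remaining tokens)."""
    if toks[0] == "object-group":
        return groups[toks[1]], toks[2:]
    if toks[0] == "host":
        return [_net(toks[1], "255.255.255.255")], toks[2:]
    if toks[0] in ("any", "any4"):
        return [_net("0.0.0.0", "0.0.0.0")], toks[1:]
    return [_net(toks[0], toks[1])], toks[2:]


def parse_config(cfg):
    """Return {acl_name: [(local_nets, remote_nets), ...]} for ACLs bound by 'match address'."""
    groups, acls, bound, cur = {}, {}, set(), None
    for raw in cfg.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[:2] == ["object-group", "network"]:
            cur = toks[2]
            groups[cur] = []
        elif toks[0] == "network-object" and cur:
            groups[cur].append(_net(toks[1], toks[2]))
        elif toks[0] == "access-list" and toks[2:5] == ["extended", "permit", "ip"]:
            cur = None  # only 'permit ip' entries define proxy identities
            src, rest = _operand(toks[5:], groups)
            dst, _ = _operand(rest, groups)
            acls.setdefault(toks[1], []).append((src, dst))
        elif toks[:2] == ["crypto", "map"] and "address" in toks:
            cur = None
            bound.add(toks[toks.index("address") + 1])
    return {name: entries for name, entries in acls.items() if name in bound}


def parse_rejections(logs):
    """Return [(local_proxy, remote_proxy), ...] from 713061 lines."""
    out = []
    for line in logs.splitlines():
        m = PROXY_RE.search(line)
        if m:
            out.append((_net(m["la"], m["lm"]), _net(m["ra"], m["rm"])))
    return out


def diagnose(cfg, logs):
    """For each rejected proposal, report which proxy the crypto ACL fails to cover."""
    entries = [e for acl in parse_config(cfg).values() for e in acl]
    report = []
    for local, remote in parse_rejections(logs):
        covered = [
            (any(local.subnet_of(n) for n in src), any(remote.subnet_of(n) for n in dst))
            for src, dst in entries
        ]
        if any(l and r for l, r in covered):
            verdict = "covered"  # reject must have another cause (e.g. proposal mismatch)
        elif any(l for l, _ in covered):
            verdict = "remote proxy not covered"
        elif any(r for _, r in covered):
            verdict = "local proxy not covered"
        else:
            verdict = "neither proxy covered"
        report.append((str(local), str(remote), verdict))
    return report


if __name__ == "__main__":
    for local, remote, verdict in diagnose(ASA_CONFIG, ASA_LOGS):
        print(f"local {local} <-> remote {remote}: {verdict}")
```

On the data from the post this reports that the local proxy 192.168.1.0/24 matches but the remote proxy 10.11.15.128/27 does not: the Meraki is proposing 10.11.15.128/27 as its local subnet while the ASA's Group_HQ_Inside_Subnets expects 10.11.15.224/27, so the two sides disagree on the remote network and one of them has to be changed until the selectors match. Requires Python 3.7+ for `IPv4Network.subnet_of`.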
03-04-2020 09:52 PM