2788 Views | 25 Helpful | 12 Replies

ASA 5520 VPN tunnel up but not traffic

afanaras1961
Level 1

We just migrated from a single 5510 to a dual (failover) 5520. It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users (going to LDAP when all is working), but no traffic is passing. I know I am overlooking something but can't see it.

Hope somebody might have an idea on what I need to do.

Thanks

Result of the command: "show cry ipsec sa"

interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 209.155.149.122

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.64.4.100/255.255.255.255/0/0)
      current_peer: 74.94.229.238, username: afanaras
      dynamic allocated peer ip: 10.64.4.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1733, #pkts decrypt: 1733, #pkts verify: 1733
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 209.155.149.122, remote crypto endpt.: 74.94.229.238

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 048CF11B
      current inbound spi : 260FEA7B

    inbound esp sas:
      spi: 0x260FEA7B (638577275)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 217088, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 24094
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x048CF11B (76345627)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 217088, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
         sa timing: remaining key lifetime (sec): 24094
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
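The counters above already localize the problem: 1733 packets decapsulated, zero encapsulated, so the client's traffic arrives and is decrypted but nothing is sent back through the tunnel. As an added example (not the poster's or Cisco's code), here is a small Python parser that reads `show crypto ipsec sa` output and flags SAs whose packet counters move in only one direction. The sample output is constructed from the values in the post; names such as `SaStats` and `one_way_sas` are this example's own.

```python
"""Added example, not part of the original thread: read `show crypto ipsec sa`
output and flag SAs whose packet counters grow in only one direction. In the
post, decaps is 1733 while encaps is 0: the client's packets arrive and are
decrypted, but nothing is sent back through the tunnel, which points at NAT
exemption, routing or split-tunnel configuration rather than at IKE/IPsec."""
import re
from dataclasses import dataclass
from typing import List

# Sample output constructed for this example from the counters shown in the post.
SAMPLE_SA_OUTPUT = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 209.155.149.122

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.64.4.100/255.255.255.255/0/0)
      current_peer: 74.94.229.238, username: afanaras
      dynamic allocated peer ip: 10.64.4.100

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1733, #pkts decrypt: 1733, #pkts verify: 1733
      #send errors: 0, #recv errors: 0
"""


@dataclass
class SaStats:
    peer: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int

    def verdict(self) -> str:
        """Classify the SA from its counters alone."""
        if self.send_errors or self.recv_errors:
            return "errors present"
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.encaps == 0:
            return "one-way: receiving only (return traffic is not entering the tunnel)"
        if self.decaps == 0:
            return "one-way: sending only (nothing is coming back from the peer)"
        return "bidirectional"


_PEER_RE = re.compile(r"current_peer:\s*([\d.]+)")
_REMOTE_RE = re.compile(r"remote ident[^:]*:\s*\(([^)]*)\)")
_ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
_ERRORS_RE = re.compile(r"#send errors:\s*(\d+),\s*#recv errors:\s*(\d+)")


def parse_sa_blocks(text: str) -> List[SaStats]:
    """Split the output into per-SA blocks (each starts at 'local ident') and parse counters."""
    results: List[SaStats] = []
    blocks = re.split(r"(?=^[ \t]*local ident)", text, flags=re.MULTILINE)
    for block in blocks:
        peer = _PEER_RE.search(block)
        remote = _REMOTE_RE.search(block)
        encaps = _ENCAPS_RE.search(block)
        decaps = _DECAPS_RE.search(block)
        errors = _ERRORS_RE.search(block)
        if not (peer and remote and encaps and decaps):
            continue  # header text or an incomplete block; do not guess
        results.append(SaStats(
            peer=peer.group(1),
            remote_ident=remote.group(1),
            encaps=int(encaps.group(1)),
            decaps=int(decaps.group(1)),
            send_errors=int(errors.group(1)) if errors else 0,
            recv_errors=int(errors.group(2)) if errors else 0,
        ))
    return results


def one_way_sas(text: str) -> List[str]:
    """Describe every SA that is not cleanly bidirectional."""
    return [f"{sa.remote_ident} via {sa.peer}: {sa.verdict()}"
            for sa in parse_sa_blocks(text) if sa.verdict() != "bidirectional"]


if __name__ == "__main__":
    for line in one_way_sas(SAMPLE_SA_OUTPUT):
        print(line)
```

Run it against a pasted `show crypto ipsec sa` and the "receiving only" verdict is the cue to look at NAT exemption, routing back to the pool, or the split-tunnel list rather than at the IKE negotiation, which the SA counters show is fine.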

1 Accepted Solution

Accepted Solutions

NAT Traversal resolved the issue,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


12 Replies

Julio Carvajal
VIP Alumni

Hello Angelo,

Please provide the show run NAT,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio

This is what I get:

Result of the command: "show run nat"

nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0

Hello,

Can you share the access-list inside_nat0_outbound?

Also can you let me know what is the subnet behind the other ASA or VPN tunnel endpoint?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

The other end is a Cisco client from a laptop; the ASA outside subnet is 255.255.255.248.

The access list has all of our networks, as you can see:

access-list inside_nat0_outbound; 358 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip Romulus-Internal 255.255.255.0 host 192.0.101.31 (hitcnt=0) 0xbe9f54ae
access-list inside_nat0_outbound line 2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 0x71e1e20d
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Romulus-Internal 255.255.255.0 (hitcnt=0) 0xbb6a746c
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Millender-Internal 255.255.255.0 (hitcnt=0) 0x6e2d0535
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 WCCCD-Internal 255.255.255.0 (hitcnt=0) 0x27acd775
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Sumpter-Internal 255.255.255.0 (hitcnt=0) 0x52aa2d76
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 FocusHope-Internal 255.255.255.0 (hitcnt=0) 0x0d958156
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Cadillac-Internal 255.255.255.0 (hitcnt=0) 0xc1cfceea
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Colo-Internal 255.255.255.0 (hitcnt=0) 0xc51970cd
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Romulus-VOIP 255.255.255.0 (hitcnt=0) 0x980f49c6
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 FocusHope-VOIP 255.255.255.0 (hitcnt=0) 0xc5044452
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Cadillac-VOIP 255.255.255.0 (hitcnt=0) 0x9f9536d2
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 WCCCD-VOIP 255.255.255.0 (hitcnt=0) 0x8090481c
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Millender-VOIP 255.255.255.0 (hitcnt=0) 0x2406880a
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Sumpter-VOIP 255.255.255.0 (hitcnt=0) 0x5a6618ea
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Colo-VOIP 255.255.255.0 (hitcnt=0) 0xb5bd2bab
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 MobileBranch 255.255.255.0 (hitcnt=0) 0xa60b700d
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 SegMobile 255.255.255.0 (hitcnt=0) 0x08829018
  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 192.168.249.0 255.255.255.0 (hitcnt=0) 0x3ffb9705
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Romulus-Internal 255.255.255.0 (hitcnt=0) 0xa3a6016b
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Millender-Internal 255.255.255.0 (hitcnt=0) 0x9acc25ca
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 WCCCD-Internal 255.255.255.0 (hitcnt=0) 0x1a28fdba
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Sumpter-Internal 255.255.255.0 (hitcnt=0) 0x3f664036
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 FocusHope-Internal 255.255.255.0 (hitcnt=0) 0x818eb99c
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Cadillac-Internal 255.255.255.0 (hitcnt=0) 0x15480008
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Colo-Internal 255.255.255.0 (hitcnt=0) 0x64e2113a
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Romulus-VOIP 255.255.255.0 (hitcnt=0) 0x7b54786e
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 FocusHope-VOIP 255.255.255.0 (hitcnt=0) 0x69d4019a
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Cadillac-VOIP 255.255.255.0 (hitcnt=0) 0x303641bd
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 WCCCD-VOIP 255.255.255.0 (hitcnt=0) 0x30b2a77d
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Millender-VOIP 255.255.255.0 (hitcnt=0) 0x1cb9e2e0
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Sumpter-VOIP 255.255.255.0 (hitcnt=0) 0x7608782a
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Colo-VOIP 255.255.255.0 (hitcnt=0) 0x23b05d7d
  access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 MobileBranch 255.255.255.0 (hitcnt=0) 0x5c2eb431

    + the rest of the networks

Hello Angelo,

Okay got what you mean,

So I will need the show run ip local pool

and the group policy used for the tunnel-group these remote clients are connecting from.

Then I will be able to determine if it's a split tunnel or NAT issue,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I can email you on your hotmail account the running config if that helps!

Result of the command: "show run ip local pool"

ip local pool PSCU 10.64.4.100-10.64.4.150 mask 255.255.255.0

group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server value 10.64.0.11
dns-server value 10.64.0.11 10.64.4.21
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PSCU_Internal
default-domain none
split-dns value 10.64.0.11
address-pools value PSCU
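Julio's question is whether this is a split-tunnel or a NAT issue, and the NAT half comes down to one check: is every address in the PSCU pool matched as a destination by the nat 0 exemption list? As an added example that is not part of the thread, this Python script parses the pool line and access-list entries of the shape posted above (including the entry Julio later suggests adding, with an assumed source subnet) and reports which pool addresses no exemption entry covers. The object names are resolved through a name table constructed for the example; the thread does not show the real subnets behind names like `Romulus-Internal`.

```python
"""Added example, not part of the original thread: check whether every address
of a remote-access pool is matched as a destination by the NAT-exemption
(nat 0) access list. Object names are resolved through a name table
constructed for this example; the thread does not show the real subnets."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Name table constructed for this example (assumed values, not from the thread).
NAME_TABLE: Dict[str, str] = {
    "Romulus-Internal": "10.64.0.0",
    "Millender-Internal": "10.64.1.0",
}

# Pool line as posted; ACL lines constructed in the shape of the posted output.
POOL_LINE = "ip local pool PSCU 10.64.4.100-10.64.4.150 mask 255.255.255.0"
ACL_BEFORE = [
    "access-list inside_nat0_outbound line 1 extended permit ip Romulus-Internal 255.255.255.0 host 192.0.101.31 (hitcnt=0) 0xbe9f54ae",
    "access-list inside_nat0_outbound line 2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 0x71e1e20d",
    "  access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Millender-Internal 255.255.255.0 (hitcnt=0) 0x6e2d0535",
]
# The same list plus the entry suggested later in the thread (source subnet assumed).
ACL_AFTER = ACL_BEFORE + [
    "access-list inside_nat0_outbound line 1 permit ip 192.168.249.0 255.255.255.0 10.64.4.0 255.255.255.0",
]


def _resolve(token: str) -> str:
    """Map an object name to its address; plain addresses pass through unchanged."""
    return NAME_TABLE.get(token, token)


def _parse_spec(tokens: List[str], i: int) -> Tuple[IPv4Net, int]:
    """Parse one ACL address spec at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{_resolve(tokens[i + 1])}/32"), i + 2
    if tok == "object-group":
        # 'show access-list' prints the expanded members on the following lines, so skip the group line.
        raise ValueError("object-group line, members listed separately")
    return ipaddress.ip_network(f"{_resolve(tok)}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl_line(line: str) -> Optional[Tuple[IPv4Net, IPv4Net]]:
    """Return (source, destination) for a 'permit ip' entry, or None if it cannot be parsed."""
    tokens = line.split()
    try:
        i = tokens.index("permit")
        if tokens[i + 1] != "ip":
            return None
        src, i = _parse_spec(tokens, i + 2)
        dst, _ = _parse_spec(tokens, i)
        return src, dst
    except (ValueError, IndexError):
        return None


def parse_pool(line: str) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return the first and last address of an 'ip local pool' line."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+) mask", line)
    if not m:
        raise ValueError(f"not a pool line: {line}")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def check_pool_exemption(acl_lines: List[str], pool_line: str) -> Dict[str, List[str]]:
    """List pool addresses that no nat0 entry matches as destination, plus lines that were skipped."""
    first, last = parse_pool(pool_line)
    dsts: List[IPv4Net] = []
    skipped: List[str] = []
    for line in acl_lines:
        parsed = parse_acl_line(line)
        if parsed is None:
            skipped.append(line.strip())  # report rather than silently ignore
        else:
            dsts.append(parsed[1])
    uncovered: List[str] = []
    addr = first
    while addr <= last:
        if not any(addr in dst for dst in dsts):
            uncovered.append(str(addr))
        addr += 1
    return {"uncovered": uncovered, "skipped": skipped}


if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        result = check_pool_exemption(acl, POOL_LINE)
        print(f"{label}: {len(result['uncovered'])} pool addresses not NAT-exempt, "
              f"{len(result['skipped'])} lines skipped")
```

The "skipped" list matters: an unresolved object name or an object-group header line is reported instead of being treated as coverage, so a clean result means every pool address was positively matched, not merely that nothing parsed.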

Hello Angelo,

Do that please, it will be way faster to fix this.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I upgraded the image to 8.2(5) from 8.2(2) since there was a known bug, but the problem still persists. Clientless SSL VPN is working and passing traffic but not IPsec. When I connect with the Cisco client ver. 5.0.07.0440 I can authenticate and the tunnel is up, but I cannot do anything past that.

Add and then give it a try

access-list inside_nat0_outbound line 1 permit ip 192.168.249.0 255.255.255.0 10.64.4.0 255.255.255.0

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

NAT Traversal resolved the issue,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes that took care of it.

Thank you so much, what a headache, it was driving me crazy.

Awesome!!!

Hello Angelo,

My pleasure

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC