11-02-2012 08:05 AM - edited 03-11-2019 05:18 PM
We just migrated from a single 5510 to a dual (failover) 5520. It seems that everything is working except the remote VPN. We can establish a tunnel and authenticate as local users (going to LDAP when all is working), but no traffic is passing. I know I am overlooking something but can't see it.
Hope somebody might have an idea on what I need to do.
Thanks
Result of the command: "show cry ipsec sa"
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 209.155.149.122
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.64.4.100/255.255.255.255/0/0)
current_peer: 74.94.229.238, username: afanaras
dynamic allocated peer ip: 10.64.4.100
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1733, #pkts decrypt: 1733, #pkts verify: 1733
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 209.155.149.122, remote crypto endpt.: 74.94.229.238
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 048CF11B
current inbound spi : 260FEA7B
inbound esp sas:
spi: 0x260FEA7B (638577275)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 217088, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 24094
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x048CF11B (76345627)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 217088, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 24094
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
11-02-2012 10:14 AM
Hello Angelo,
Please provide the show run NAT.
Regards,
Julio
11-02-2012 11:20 AM
Hi Julio
This is what I get:
Result of the command: "show run nat"
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
11-02-2012 11:22 AM
Hello,
Can you share the access-list inside_nat0_outbound?
Also can you let me know what is the subnet behind the other ASA or VPN tunnel endpoint?
Regards,
11-02-2012 11:36 AM
The other end is a Cisco client on a laptop; the ASA outside subnet is 255.255.255.248.
The access list has all of our networks, as you can see:
access-list inside_nat0_outbound; 358 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip Romulus-Internal 255.255.255.0 host 192.0.101.31 (hitcnt=0) 0xbe9f54ae
access-list inside_nat0_outbound line 2 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 0x71e1e20d
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Romulus-Internal 255.255.255.0 (hitcnt=0) 0xbb6a746c
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Millender-Internal 255.255.255.0 (hitcnt=0) 0x6e2d0535
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 WCCCD-Internal 255.255.255.0 (hitcnt=0) 0x27acd775
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Sumpter-Internal 255.255.255.0 (hitcnt=0) 0x52aa2d76
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 FocusHope-Internal 255.255.255.0 (hitcnt=0) 0x0d958156
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Cadillac-Internal 255.255.255.0 (hitcnt=0) 0xc1cfceea
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Colo-Internal 255.255.255.0 (hitcnt=0) 0xc51970cd
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Romulus-VOIP 255.255.255.0 (hitcnt=0) 0x980f49c6
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 FocusHope-VOIP 255.255.255.0 (hitcnt=0) 0xc5044452
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Cadillac-VOIP 255.255.255.0 (hitcnt=0) 0x9f9536d2
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 WCCCD-VOIP 255.255.255.0 (hitcnt=0) 0x8090481c
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Millender-VOIP 255.255.255.0 (hitcnt=0) 0x2406880a
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Sumpter-VOIP 255.255.255.0 (hitcnt=0) 0x5a6618ea
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 Colo-VOIP 255.255.255.0 (hitcnt=0) 0xb5bd2bab
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 MobileBranch 255.255.255.0 (hitcnt=0) 0xa60b700d
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 SegMobile 255.255.255.0 (hitcnt=0) 0x08829018
access-list inside_nat0_outbound line 2 extended permit ip Romulus-Internal 255.255.255.0 192.168.249.0 255.255.255.0 (hitcnt=0) 0x3ffb9705
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Romulus-Internal 255.255.255.0 (hitcnt=0) 0xa3a6016b
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Millender-Internal 255.255.255.0 (hitcnt=0) 0x9acc25ca
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 WCCCD-Internal 255.255.255.0 (hitcnt=0) 0x1a28fdba
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Sumpter-Internal 255.255.255.0 (hitcnt=0) 0x3f664036
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 FocusHope-Internal 255.255.255.0 (hitcnt=0) 0x818eb99c
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Cadillac-Internal 255.255.255.0 (hitcnt=0) 0x15480008
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Colo-Internal 255.255.255.0 (hitcnt=0) 0x64e2113a
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Romulus-VOIP 255.255.255.0 (hitcnt=0) 0x7b54786e
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 FocusHope-VOIP 255.255.255.0 (hitcnt=0) 0x69d4019a
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Cadillac-VOIP 255.255.255.0 (hitcnt=0) 0x303641bd
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 WCCCD-VOIP 255.255.255.0 (hitcnt=0) 0x30b2a77d
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Millender-VOIP 255.255.255.0 (hitcnt=0) 0x1cb9e2e0
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Sumpter-VOIP 255.255.255.0 (hitcnt=0) 0x7608782a
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 Colo-VOIP 255.255.255.0 (hitcnt=0) 0x23b05d7d
access-list inside_nat0_outbound line 2 extended permit ip Millender-Internal 255.255.255.0 MobileBranch 255.255.255.0 (hitcnt=0) 0x5c2eb431
+ the rest of the networks
11-02-2012 11:43 AM
Hello Angelo,
Okay, got what you mean.
So I will need the show run ip local pool
and the group policy used for the tunnel-group these remote clients are connecting from.
Then I will be able to determine if it's a split tunnel or NAT issue.
Regards
11-02-2012 11:53 AM
I can email you the running config on your Hotmail account if that helps!
Result of the command: "show run ip local pool"
ip local pool PSCU 10.64.4.100-10.64.4.150 mask 255.255.255.0
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server value 10.64.0.11
dns-server value 10.64.0.11 10.64.4.21
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value PSCU_Internal
default-domain none
split-dns value 10.64.0.11
address-pools value PSCU
11-02-2012 11:55 AM
Hello Angelo,
Do that please, it will be way faster to fix this.
Regards,
Julio
11-04-2012 06:53 AM
I upgraded the image to 8.2(5) from 8.2(2) since there was a known bug, but the problem still persists. Clientless SSL VPN is working and passing traffic, but not IPsec. When I connect with the Cisco client ver. 5.0.07.0440 I can authenticate and the tunnel is up, but I cannot do anything past that.
11-04-2012 10:11 AM
Add this and then give it a try:
access-list inside_nat0_outbound line 1 permit ip 192.168.249.0 255.255.255.0 10.64.4.0 255.255.255.0
Regards,
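A small checker, added here and not part of the thread, for the two things Julio is reasoning about: the one-way counters in the original "show cry ipsec sa" output (decaps climbing, encaps stuck at 0, the classic sign that return traffic is being NATed or routed away from the tunnel) and whether the inside_nat0_outbound exemption actually covers inside network -> VPN pool. The ACL lines and counters below are constructed samples modelled on the thread; it assumes 8.2-style "nat 0 access-list" exemption and only evaluates numeric entries, so named objects like Romulus-Internal would first need resolving via "show run object-group".

```python
import ipaddress
import re

# Constructed sample modelled on the thread's 'show cry ipsec sa' counters.
SA_COUNTERS = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1733, #pkts decrypt: 1733, #pkts verify: 1733
"""

# Constructed nat0 ACL: numeric stand-ins for two of the thread's entries.
# Note that 10.64.0.0/24 does NOT cover the VPN pool 10.64.4.0/24.
NAT0_ACL = """\
access-list inside_nat0_outbound line 2 extended permit ip 192.168.249.0 255.255.255.0 10.64.0.0 255.255.255.0 (hitcnt=0) 0x3ffb9705
access-list inside_nat0_outbound line 2 extended permit ip 10.64.0.0 255.255.255.0 192.168.249.0 255.255.255.0 (hitcnt=0) 0xa60b700d
"""

# The exemption line suggested in the thread, in the same 'show access-list' form.
FIX_LINE = ("access-list inside_nat0_outbound line 1 extended permit ip "
            "192.168.249.0 255.255.255.0 10.64.4.0 255.255.255.0 (hitcnt=0) 0x0\n")

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_sa_counters(text):
    """Return {'encaps': n, 'decaps': n} from 'show crypto ipsec sa' output."""
    return {k: int(v) for k, v in COUNTER_RE.findall(text)}


def is_one_way(counters):
    """Client packets arrive (decaps > 0) but nothing is encrypted back."""
    return counters.get("decaps", 0) > 0 and counters.get("encaps", 0) == 0


def pool_network(pool_range, mask):
    """'10.64.4.100-10.64.4.150', '255.255.255.0' -> 10.64.4.0/24."""
    start = pool_range.split("-")[0]
    return ipaddress.ip_network(f"{start}/{mask}", strict=False)


def parse_nat0_acl(text):
    """Return (src, dst) networks for numeric permit-ip entries; named ones skipped."""
    nets = []
    for src, smask, dst, dmask in ACL_RE.findall(text):
        try:
            nets.append((ipaddress.ip_network(f"{src}/{smask}"),
                         ipaddress.ip_network(f"{dst}/{dmask}")))
        except ValueError:  # object / object-group / host keywords, not addresses
            continue
    return nets


def pool_is_exempted(acl_text, inside, pool):
    """True if some nat0 entry covers inside -> pool, i.e. the return path to
    the remote client escapes 'nat (inside) 1 0.0.0.0 0.0.0.0'."""
    inside, pool = ipaddress.ip_network(inside), ipaddress.ip_network(pool)
    return any(s.supernet_of(inside) and d.supernet_of(pool)
               for s, d in parse_nat0_acl(acl_text))
```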
11-04-2012 11:46 AM
NAT Traversal resolved the issue.
Regards
11-04-2012 12:25 PM
Yes that took care of it.
Thank you so much, what a headache, it was driving me crazy.
Awesome!!!
11-04-2012 12:58 PM
Hello Angelo,
My pleasure