ASA Crypto maps and ASDM

Tracey Foster
Level 1

Hello all,

I have a number of problems.

First, attached are 2 different config files. 

First one is from a running system that works, FP1-NNTL; however, the crypto map for the dynamic are not working properly and if I go to add another site-2-site tunnel group that uses "outside_map" crypto map, it won't work.  It won't work because the crypto map that is assigned to the outside interface is not "outside_map", it is "Mobile".  Mobile is my attempt at getting cellphones with native VPN to work.  Additionally, "outside_map" to interface outside versus "Mobile" also drops my ASDM and telnet connectivity--see below.

This brings me to the second issue: I can't seem to get the dynamic crypto map to work properly under the "outside_map".  I know that I have to have the dynamic mode set to "transport" for the cell phone VPNs to work at all.  Any pointers on how to fix this would be great.

The second attached file is from a tabletop box.  Same configuration as the NNTL, but I can't seem to get ASDM or telnet to work consistently.  I also know that it is because of the crypto map on the outside interface, as when I change it from "outside_map" to "Mobile" it works, but when I switch it back, it does not work.

I am fairly new at this ASA stuff and having to deal with a huge configuration that I didn't put together is overwhelming.

Any assistance from anyone is greatly appreciated.

Both boxes are on IOS 9.

Thanks,

Tracey
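An ASA interface can carry only one crypto map, so static site-to-site entries and the dynamic entry for phone clients have to live in the same map, with the dynamic entry at the highest sequence number so that known peers are matched first. The fragment below is an added illustration of that layout in ASA 9.x syntax, not either of the attached configs; the names (TS-TUNNEL, TS-TRANSPORT, DYN-MOBILE, ACL-VPN-SITEA, GP-MOBILE), the peer address 203.0.113.10 and the pre-shared key are placeholders.

```cisco
! Added example (hypothetical names), not the poster's configuration.
! One transform set for site-to-site (tunnel mode, the default) and one
! for native L2TP/IPsec phone clients, which need transport mode.
crypto ipsec ikev1 transform-set TS-TUNNEL esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TS-TRANSPORT esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set TS-TRANSPORT mode transport

! Dynamic map: peer address is unknown in advance (cell phones).
! Listing both transform sets lets the phone negotiate transport mode
! while a tunnel-mode client still finds a match.
crypto dynamic-map DYN-MOBILE 10 set ikev1 transform-set TS-TRANSPORT TS-TUNNEL

! Static site-to-site entries use low sequence numbers in the SAME map.
access-list ACL-VPN-SITEA extended permit ip 192.168.50.0 255.255.255.0 10.255.255.0 255.255.255.0
crypto map outside_map 10 match address ACL-VPN-SITEA
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set TS-TUNNEL

! The dynamic entry goes last (highest sequence number) so that static
! peers are evaluated before the catch-all dynamic entry.
crypto map outside_map 65535 ipsec-isakmp dynamic DYN-MOBILE

! Only one map can be bound to an interface: bind the combined map,
! not a second map named "Mobile".
crypto map outside_map interface outside
crypto ikev1 enable outside

! Group policy and default remote-access tunnel group for the phones.
group-policy GP-MOBILE internal
group-policy GP-MOBILE attributes
 vpn-tunnel-protocol l2tp-ipsec
tunnel-group DefaultRAGroup general-attributes
 default-group-policy GP-MOBILE
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
```

With this layout, a new site-to-site tunnel group is added as another numbered `outside_map` entry below 65535, and the phones keep matching the dynamic entry; there is no need to swap which map is bound to the interface, which is the swap that was taking ASDM and telnet down.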

3 Replies

Tracey Foster
Level 1

Additionally, from the CLI I turned on capture for all acl-drop.  I have a ping going from one side of the site-2-site VPN to the other side and it is dropping.  The capture tells me it is dropping because of an ACL.  But doesn't tell me which ACL. 

I am using the tunnel-group 65.246.21.12, which uses the group-policy W-NOC for this interface.  The policy does not have a vpn-filter assigned to it.  So now I am digging to try and figure out which ACL is dropping this connectivity.

From the outside ASA, I ran packet tracer on the outside interface, icmp, source 10.255.255.1, dest 192.168.50.10.  I receive a packet drop, and the error is (rpf-violated) Reverse-path verify failed.  I remove the line from the config, and now get a dropped packet because of ACL, but it still doesn't tell me which ACL.

I also verified with production system and get same error.

Tracey Foster
Level 1

I have found the problem.  Seems that the VPN filter for a different VPN was interfering with the VPN that I was focused on and the one that I was using to connect to the device.

In the end, object group R-NOC-Inside had an object network 192.168.50.0 within it.  I removed it and sure enough I could connect. 

Still working on full testing, but I am pretty sure this is the fix.
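Because packet-tracer reports only "acl-drop" and not which ACL matched, the quickest way to pin down a vpn-filter problem is to list the filter attached to each group policy and then check whether the subnet in question appears in the object groups those filters reference. The commands below are an added illustration of that check, not from the thread; the group-policy name GP-REMOTE, the ACL name VPN-FILTER-REMOTE and the object-group name OG-REMOTE-INSIDE are placeholders, and 192.168.50.0/24 and 10.255.255.1 are the addresses the poster was tracing.

```cisco
! Added example (hypothetical names), not the poster's configuration.
! A vpn-filter ACL applies to every tunnel using the group policy it is
! attached to, and ends in an implicit deny, so a subnet that is only
! reachable through the filter's object groups is blocked for anything
! the ACL does not explicitly permit.
object-group network OG-REMOTE-INSIDE
 network-object 10.255.255.0 255.255.255.0
access-list VPN-FILTER-REMOTE extended permit ip object-group OG-REMOTE-INSIDE 192.168.60.0 255.255.255.0
group-policy GP-REMOTE attributes
 vpn-filter value VPN-FILTER-REMOTE

! Step 1: which filters are in play, and on which group policies?
show running-config group-policy | include vpn-filter

! Step 2: which ACL lines (and hit counts) does a given filter expand to?
show access-list VPN-FILTER-REMOTE

! Step 3: does the subnet you are tracing appear in an object group the
! filter references?  Searching the running config answers that directly.
show running-config object-group | include 192.168.50.0
show running-config object-group id OG-REMOTE-INSIDE

! Step 4: confirm the filter actually bound to the live tunnel
! ("Filter Name" in the session detail).
show vpn-sessiondb detail l2l

! Step 5: re-run the trace after the change; the drop reason should clear.
packet-tracer input outside icmp 10.255.255.1 8 0 192.168.50.10 detailed
clear asp drop
show asp drop
```

Step 3 is the check that would have found the stray 192.168.50.0 entry in R-NOC-Inside: the trace only says an ACL dropped the packet, but a config search for the destination subnet shows every object group, and therefore every filter, that mentions it.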
