1824 Views | 5 Helpful | 7 Replies

Dynamic IPSEC VPN Tunnel does not encapsulate any packets

Edward E.
Level 1

Hello Community,

I am experiencing strange behavior with a Dynamic IPSEC VPN Tunnel between an ASA and an IOS router.

Both ph1 and ph2 are successful. When I try to ping a local resource in either direction, packets go through the tunnel and are decapsulated on the other end, but the replies do not go back through the tunnel.

Any idea what could be the root cause of this behavior? I tried to configure a regular L2L IPSEC tunnel (not dynamic) and ping works fine, but since the router's public IP can change, I have to use a dynamic crypto map.

ACL and routing are correctly configured (since the regular IPSEC tunnel worked fine). I suspect that I am missing something in the dynamic crypto map configuration; this is what I configured on the ASA:

 

crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map OUTSIDE_DYN_MAP 1 match address ACL-VPN
crypto dynamic-map OUTSIDE_DYN_MAP 1 set pfs
crypto dynamic-map OUTSIDE_DYN_MAP 1 set ikev1 transform-set ESP-AES256-SHA1 ESP-AES128-SHA1
crypto dynamic-map OUTSIDE_DYN_MAP 1 set security-association lifetime seconds 3600
crypto dynamic-map OUTSIDE_DYN_MAP 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map OUTSIDE_DYN_MAP 1 set reverse-route
crypto map CRYPTO-MAP-VPNS 1 ipsec-isakmp dynamic OUTSIDE_DYN_MAP
crypto map CRYPTO-MAP-VPNS interface INTERNET

Group policy configuration on the ASA:

group-policy GP internal
group-policy GP attributes
vpn-filter value ACL-VPN
vpn-tunnel-protocol ikev1
tunnel-group DynamicSite2Site type ipsec-l2l
tunnel-group DynamicSite2Site general-attributes
default-group-policy GP
tunnel-group DynamicSite2Site ipsec-attributes
ikev1 pre-shared-key *****

On the Cisco router:

crypto isakmp peer address <ASA_PUB_IP>
set aggressive-mode password ****
set aggressive-mode client-endpoint fqdn DynamicSite2Site
!
!
crypto ipsec transform-set ESP-AES128-SHA1 esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map ToASA 10 ipsec-isakmp
set peer <ASA_PUB_IP>
set transform-set ESP-AES128-SHA1
set pfs group2
match address ACL-VPN

Any ideas? This is really unusual...

sh crypto ipsec sa output on the ASA after pinging from IOS to ASA:

peer address: <IOS_PUB_IP>
Crypto map tag: OUTSIDE_DYN_MAP, seq num: 1, local addr: <ASA_PUB_IP>

access-list ACL-VPN extended permit ...
local ident (addr/mask/prot/port): <ping_destination>
remote ident (addr/mask/prot/port): <ping_source>
current_peer: <IOS_PUB_IP>


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: <ASA_PUB_IP>/4500, remote crypto endpt.: <IOS_PUB_IP>/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 0DEBD4BA
current inbound spi : 579400FD

inbound esp sas:
spi: 0x579400FD (1469317373)
SA State: active
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 216276992, crypto-map: OUTSIDE_DYN_MAP
sa timing: remaining key lifetime (kB/sec): (4373997/2429)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x01FFFFFF
outbound esp sas:
spi: 0x0DEBD4BA (233559226)
SA State: active
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv1, }
slot: 0, conn_id: 216276992, crypto-map: OUTSIDE_DYN_MAP
sa timing: remaining key lifetime (kB/sec): (4374000/2429)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

7 Replies

Seems like your router received the traffic from the ASA and decapsulated it, but somehow the router is not doing encap. Could be a routing issue on the router.

Could you share the config of the router?

 

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24

 

please do not forget to rate.

Actually, that's the output on the ASA: ICMP requests are received on the ASA but the replies are not sent to the router via the tunnel. For information, I am pinging a local interface on the ASA from the router (no routing needed). This is the output on the router:


interface: FastEthernet4
Crypto map tag: ToASA, local addr 192.168.1.2



protected vrf: (none)
local ident (addr/mask/prot/port): <same-ping-source>
remote ident (addr/mask/prot/port): <same-ping-destination>
current_peer <ASA_PUB_IP> port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.1.2, remote crypto endpt.: <ASA_PUB_IP>
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x56B6BB01(1454816001)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0xD883140D(3632469005)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 33, flow_id: Onboard VPN:33, sibling_flags 80004040, crypto map: ToASA
sa timing: remaining key lifetime (k/sec): (4177391/3371)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x56B6BB01(1454816001)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 34, flow_id: Onboard VPN:34, sibling_flags 80004040, crypto map: ToASA
sa timing: remaining key lifetime (k/sec): (4177390/3371)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:
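The two outputs above (ASA: encaps 0 / decaps 24; router: encaps 28 / decaps 0) are the classic one-way tunnel signature. The following is an added example, not code from the thread or from Cisco, that pulls the packet counters out of both the ASA and IOS flavours of `show crypto ipsec sa`, classifies each end, and states where the return-path problem must lie. The sample texts are constructed abbreviations of the outputs in the thread, and the addresses are RFC 5737 documentation addresses standing in for the `<ASA_PUB_IP>` / `<IOS_PUB_IP>` placeholders.

```python
import re
from typing import Dict

# Constructed samples (not the thread's full output): abbreviated to the lines that matter,
# with the same counter values the thread shows. Addresses are RFC 5737 documentation
# addresses standing in for the <ASA_PUB_IP> / <IOS_PUB_IP> placeholders.
ASA_SAMPLE = """\
peer address: 203.0.113.20
Crypto map tag: OUTSIDE_DYN_MAP, seq num: 1, local addr: 198.51.100.10
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#send errors: 0, #recv errors: 0
"""

IOS_SAMPLE = """\
interface: FastEthernet4
Crypto map tag: ToASA, local addr 192.168.1.2
#pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 0
"""

# Both platforms print "#pkts <name>: <n>"; the error counters differ only by a colon.
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify):\s*(\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors:?\s*(\d+)")


def parse_sa_counters(text: str) -> Dict[str, int]:
    """Pull the packet counters out of one 'show crypto ipsec sa' entry."""
    counters: Dict[str, int] = {}
    for m in COUNTER_RE.finditer(text):
        counters[m.group(1)] = int(m.group(2))
    for m in ERROR_RE.finditer(text):
        counters[m.group(1) + "_errors"] = int(m.group(2))
    return counters


def classify_sa(counters: Dict[str, int]) -> str:
    """Direction of traffic actually carried by the SA pair."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if dec:
        return "receive-only"
    if enc:
        return "send-only"
    return "idle"


def diagnose(firewall: Dict[str, int], peer: Dict[str, int]) -> str:
    """Compare the two ends of one tunnel and say where to look next."""
    fw_state, peer_state = classify_sa(firewall), classify_sa(peer)
    if fw_state == peer_state == "bidirectional":
        return "healthy: both ends encapsulate and decapsulate"
    if fw_state == "receive-only" and peer_state == "send-only":
        # decaps == verify on the firewall means ESP from the peer arrives and passes its
        # integrity check, so IKE and the inbound SA are fine; what is missing is the
        # firewall's outbound path into the tunnel (ACL/inspection drop, NAT exemption,
        # route or reverse-route), which is the symptom described in the thread.
        return ("one-way: peer encrypts but firewall never encapsulates; check the firewall's "
                "egress path (ACL/inspection, NAT exemption, routing) rather than IKE")
    if fw_state == "send-only" and peer_state == "receive-only":
        return ("one-way: firewall encrypts but peer never encapsulates; "
                "check the peer's crypto ACL and routing")
    return f"unexpected combination: firewall={fw_state}, peer={peer_state}"


if __name__ == "__main__":
    asa, ios = parse_sa_counters(ASA_SAMPLE), parse_sa_counters(IOS_SAMPLE)
    print("ASA:", asa, "->", classify_sa(asa))
    print("IOS:", ios, "->", classify_sa(ios))
    print(diagnose(asa, ios))
```

Run it against pasted output from each side and the verdict tells you whether to keep debugging IKE (it is not the problem when decaps equals verify) or to move on to the firewall's ACL, inspection, NAT exemption and routing, which is where the rest of this thread goes.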

 


@Edward E. wrote:

I am pinging a local interface on the ASA from the router (no routing needed). This is the output on the router:


If you are pinging an ASA interface over a VPN tunnel, you will need the command management-access <interface-name>

 

Normally you'd test by sending traffic through the ASA. Ensure you have NAT exemption rules in place if you have issues.

 

HTH

I generated traffic from the remote site to the ASA as you suggested and I still have the same issue: no packets are encrypted from the ASA to IOS. The traffic doesn't even get routed to the correct VRF even though the routing is OK. I saw something unusual in the logs:

Apr 24 2020 10:55:51: %ASA-7-609001: Built local-host INTERNET:<local_ios_ip>
Apr 24 2020 10:55:51: %ASA-7-609001: Built local-host INTERCO_ACCESS:<resource_behind_ASA>
Apr 24 2020 10:55:51: %ASA-7-609002: Teardown local-host INTERNET:<local_ios_ip> duration 0:00:00
Apr 24 2020 10:55:51: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:<resource_behind_ASA> duration 0:00:00
Apr 24 2020 10:55:53: %ASA-7-609001: Built local-host INTERNET:<local_ios_ip>
Apr 24 2020 10:55:53: %ASA-7-609001: Built local-host INTERCO_ACCESS:<resource_behind_ASA>
Apr 24 2020 10:55:53: %ASA-7-609002: Teardown local-host INTERNET:<local_ios_ip> duration 0:00:00
Apr 24 2020 10:55:53: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:<resource_behind_ASA> duration 0:00:00

Packets are instantly torn down.

After some debugging, I noticed that the ICMP packets are filtered on the ASA by an ACL:

1: 08:05:02.358669 <remote_ios-ip> > <local_asa-ip>: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
2: 08:05:04.354214 <remote_ios-ip> > <local_asa-ip>: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
3: 08:05:06.354641 <remote_ios-ip> > <local_asa-ip>: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

For the dynamic VPN, I tried to remove the remote/local ACLs to see if it works, but I still see these drops.

Could you add this command and test it?

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
please do not forget to rate.

I added the command. I don't see the drops anymore in the logs, but there are no ICMP replies either. sh crypto ipsec sa always shows 0 packets encrypted, and all traffic (ICMP and the other traffic that I generated) is being torn down on the ASA:

Apr 24 2020 12:16:37: %ASA-7-609002: Teardown local-host INTERNET:<ping_source_ip> duration 0:00:00
Apr 24 2020 12:16:37: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:<ping_dest_ip> duration 0:00:00
Apr 24 2020 12:16:44: %ASA-7-609001: Built local-host INTERNET:<ping_source_ip>
Apr 24 2020 12:16:44: %ASA-7-609001: Built local-host INTERCO_ACCESS:<ping_dest_ip>
Apr 24 2020 12:16:44: %ASA-7-609002: Teardown local-host INTERNET:<ping_source_ip> duration 0:00:00
Apr 24 2020 12:16:44: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:<ping_dest_ip> duration 0:00:00
Apr 24 2020 12:16:46: %ASA-7-609001: Built local-host INTERNET:<ping_source_ip>
Apr 24 2020 12:16:46: %ASA-7-609001: Built local-host INTERCO_ACCESS:<ping_dest_ip>
Apr 24 2020 12:16:46: %ASA-7-609002: Teardown local-host INTERNET:<ping_source_ip> duration 0:00:00
Apr 24 2020 12:16:46: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:<ping_dest_ip> duration 0:00:00
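The "Built local-host" / "Teardown local-host ... duration 0:00:00" pairs quoted in this thread, together with the earlier "Drop-reason: (acl-drop)" capture lines, are exactly what a triage script should pull out of a debug-level ASA log: a host whose every connection is torn down in the same second it was built is being dropped, not routed. The following is an added example, not code from the thread or from Cisco, that parses constructed sample lines of the same shape (RFC 5737 addresses stand in for the `<...>` placeholders, and one extra host with a two-minute lifetime is included for contrast), counts drops by reason, and lists the hosts showing instant teardown.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample lines in the shape of the ASA syslog (609001/609002) and capture
# output quoted in the thread. Addresses are RFC 5737 documentation addresses standing in
# for the <...> placeholders; 198.51.100.9 is an added contrasting host whose connection
# actually lived for two minutes before teardown.
SAMPLE_LINES = [
    "Apr 24 2020 10:55:51: %ASA-7-609001: Built local-host INTERNET:192.0.2.5",
    "Apr 24 2020 10:55:51: %ASA-7-609001: Built local-host INTERCO_ACCESS:198.51.100.7",
    "Apr 24 2020 10:55:51: %ASA-7-609002: Teardown local-host INTERNET:192.0.2.5 duration 0:00:00",
    "Apr 24 2020 10:55:51: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:198.51.100.7 duration 0:00:00",
    "Apr 24 2020 10:55:53: %ASA-7-609001: Built local-host INTERNET:192.0.2.5",
    "Apr 24 2020 10:55:53: %ASA-7-609001: Built local-host INTERCO_ACCESS:198.51.100.7",
    "Apr 24 2020 10:55:53: %ASA-7-609002: Teardown local-host INTERNET:192.0.2.5 duration 0:00:00",
    "Apr 24 2020 10:55:53: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:198.51.100.7 duration 0:00:00",
    "Apr 24 2020 10:56:10: %ASA-7-609001: Built local-host INTERCO_ACCESS:198.51.100.9",
    "Apr 24 2020 10:58:10: %ASA-7-609002: Teardown local-host INTERCO_ACCESS:198.51.100.9 duration 0:02:00",
    "1: 08:05:02.358669 192.0.2.5 > 198.51.100.7: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule",
    "2: 08:05:04.354214 192.0.2.5 > 198.51.100.7: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule",
    "3: 08:05:06.354641 192.0.2.5 > 198.51.100.7: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule",
]

# Generic ASA syslog header: %ASA-<severity>-<message id>: <message text>
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$")
# Message text of 609001 (Built) and 609002 (Teardown); only the teardown carries a duration.
LOCAL_HOST_RE = re.compile(
    r"^(?P<event>Built|Teardown) local-host (?P<iface>[^:\s]+):(?P<host>\S+)"
    r"(?: duration (?P<dur>\d+:\d{2}:\d{2}))?$"
)
# Capture / packet-tracer style drop annotation, e.g. "Drop-reason: (acl-drop) ..."
DROP_RE = re.compile(r"Drop-reason: \((?P<reason>[^)]+)\)")

HostKey = Tuple[str, str]  # (interface name, host address)


def duration_seconds(text: str) -> int:
    """Convert the h:mm:ss duration printed by 609002 into seconds."""
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def summarize(lines: Iterable[str]) -> Tuple[Dict[HostKey, Dict[str, int]], Dict[str, int]]:
    """Per-host build/teardown counters plus a tally of drop reasons."""
    hosts: Dict[HostKey, Dict[str, int]] = defaultdict(
        lambda: {"built": 0, "teardown": 0, "zero_duration": 0})
    drops: Dict[str, int] = defaultdict(int)
    for line in lines:
        drop = DROP_RE.search(line)
        if drop:
            drops[drop.group("reason")] += 1
            continue
        syslog = SYSLOG_RE.search(line)
        if not syslog or syslog.group("msgid") not in ("609001", "609002"):
            continue
        event = LOCAL_HOST_RE.match(syslog.group("msg"))
        if not event:
            continue
        key = (event.group("iface"), event.group("host"))
        if event.group("event") == "Built":
            hosts[key]["built"] += 1
        else:
            hosts[key]["teardown"] += 1
            if event.group("dur") and duration_seconds(event.group("dur")) == 0:
                hosts[key]["zero_duration"] += 1
    return dict(hosts), dict(drops)


def instant_teardown_hosts(hosts: Dict[HostKey, Dict[str, int]], min_events: int = 2) -> List[str]:
    """Hosts whose every recorded teardown happened in the same second as the build."""
    return sorted(
        f"{iface}:{host}"
        for (iface, host), st in hosts.items()
        if st["teardown"] >= min_events and st["zero_duration"] == st["teardown"]
    )


if __name__ == "__main__":
    host_stats, drop_reasons = summarize(SAMPLE_LINES)
    print("drops by reason:", drop_reasons)
    print("hosts torn down instantly:", instant_teardown_hosts(host_stats))
```

Once the inspection change removed the acl-drop lines, the instant-teardown list is the remaining signal: the same hosts still appear in it, which is consistent with the traffic being dropped on the ASA before it ever reaches the crypto map rather than with an IKE or SA problem.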

 
