ICMP echo-reply packets being dropped

travisbullock1
Level 1

I've got a 5505 connected to Amazon VPC, and it works, but the VPN is flapping because replies to SLA monitor echoes are being dropped by the ASA. I can see the echo-replies going out from my Amazon instance, but the SLA monitor never gets them. I can't figure out what is wrong with my config, if anything.

The network is Clients -> ASA -> Comcast Gateway in Bridge Mode -> Amazon VPC

Config:

ASA Version 9.0(1) 

interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 162.17.xx.xx 255.255.255.252 
!
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network comcast-gw
 host 162.17.yy.yy
object network amzn-vpn-1
 host 72.21...
object network amzn-vpn-2
 host 72.21...
object network asa5505
 host 162.17.xx.xx
object network inside-network
 subnet 192.168.2.0 255.255.255.0
object network outside-network
 subnet 162.17.xx.xx-1 255.255.255.252
object network amzn-vpc
 subnet 10.0.0.0 255.255.0.0
access-list amzn_vpn_in extended permit ip object amzn-vpn-1 object asa5505 
access-list amzn_vpn_in extended permit ip object amzn-vpn-2 object asa5505 
access-list amzn_out extended permit ip any4 object amzn-vpc 
access-list amzn_in extended permit ip object amzn-vpc object inside-network 
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static amzn-vpc amzn-vpc no-proxy-arp route-lookup
!
object network obj_any
 nat (inside,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 162.17.yy.yy 1
sla monitor 1
 type echo protocol ipIcmpEcho 10.0.1.84 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac 
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto map amzn_vpn_map 1 match address amzn_out
crypto map amzn_vpn_map 1 set pfs 
crypto map amzn_vpn_map 1 set peer 72.21... 72.21... 
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
 certificate ca …
    …
  quit
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn_in
tunnel-group 72.21... type ipsec-l2l
tunnel-group 72.21... general-attributes
 default-group-policy filter
tunnel-group 72.21... ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
tunnel-group 72.21... type ipsec-l2l
tunnel-group 72.21... general-attributes
 default-group-policy filter
tunnel-group 72.21... ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global


8 Replies

Julio Carvajal
VIP Alumni

Hello,

I have implemented many VPCs between Cisco ASAs and the Amazon Cloud, and I have always bypassed the SLA configuration.

I know it's in the Amazon document they gave you, but it's not required and, most importantly, the config most of the time does not include in the crypto ACL the outside interface IP address of the ASA (this will need to be on both sides). In your case the ASA config is good for this, as you are using the any4 keyword.

I would rely entirely on something different for the VPN monitoring, such as DPD and keepalives for the VPN tunnel.

If you really want to leave the configuration the way it is, provide us the log errors.

I hope this makes sense to you.

Regards,

Jcarvaja
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance hire us at http://i-networks.us/payment

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the feedback, Julio. I would like to use the built-in SLA monitor instead of setting up a dedicated separate box. This feature on the ASA is intended for this purpose, right?

There are no errors, but as I mentioned, the echo-reply, which *is* being sent by the Amazon instance I set up, isn't captured by the SLA monitor:

ciscoasa# show sla monitor operational-state
Entry number: 1
Modification time: 20:24:16.154 UTC Fri Jan 23 2015
Number of Octets Used by this Entry: 1480
Number of operations attempted: 25595
Number of operations skipped: 25595
Current seconds left in Life: Forever
Operational state of entry: Active
Last time this entry was reset: Never
Connection loss occurred: FALSE
Timeout occurred: TRUE
Over thresholds occurred: FALSE
Latest RTT (milliseconds): NoConnection/Busy/Timeout
Latest operation start time: 19:29:46.167 UTC Mon Jan 26 2015
Latest operation return code: Timeout
RTT Values:
RTTAvg: 0 RTTMin: 0 RTTMax: 0
NumOfRTT: 0 RTTSum: 0 RTTSum2: 0

Hello,

I never mentioned using a different box. Using DPD and VPN keepalives will be in the ASA as well, but done at the IPsec level (which is what you are using to establish the VPN).

No need to use the IP SLA feature, as it's just more overhead when you actually don't need it.

I will need to see the Amazon instance config; basically, make sure that traffic to the outside interface of your firewall is being encrypted when the source is on the Amazon side.

That does not make sense to me, as you could use other features, but if you still want to go with it, check that.

PS: The ASA is not dropping any packets, it's just not getting any replies.

Make sure you rate all of my answers.

Regards,

Jcarvaja
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance hire us at http://i-networks.us/paymen

OK, what config do you mean? I did not configure the Amazon instance; it is simply a normal instance with a security group that allows traffic from my local subnets and to anything. 

Remove the IP SLA configuration from the ASA:

no sla monitor schedule 1 life forever start-time now
no sla monitor 1

You have already enabled DPD, so you should be good to go.

Let me know if afterwards the VPN is up and, of course, if you understand why we are doing this.

Make sure you rate all of my answers.

Regards,

Jcarvaja
Senior Network Security and Core Specialist
CCIE #42930, 2-CCNP, JNCIS-SEC
For immediate assistance hire us at http://i-networks.us/payment

OK, I don't understand how removing SLA will prevent my VPN from flapping every 20-30 minutes. I did remove it, but within a few minutes I get log errors as always as DPD loses service:

3 Jan 26 2015 20:19:04 713123 Group = 72.21.xxx.xxx, IP = 72.21.xxxxxx, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

5 Jan 26 2015 20:19:04 713259 Group = 72.21.xxx.xxx, IP = 72.21.xxxxxx, Session is being torn down. Reason: Lost Service
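A small parser for the two ASA syslog messages quoted above (713123 and 713259), added here as an example and not part of the thread: it extracts the peer and timestamp from each line and reports peers whose "Lost Service" teardowns recur within a short window, so a flap pattern like the 20-30 minute one described can be confirmed from logs rather than by eye. The sample log lines and the 203.0.113.x peer addresses are constructed placeholders, not the poster's real peers.

```python
import re
from datetime import datetime

# Matches the ASA log format seen in the thread:
# "<severity> <Mon> <dd> <yyyy> <hh:mm:ss> <msgid> Group = <peer>, IP = <peer>, <text>"
LOG_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+Group = (?P<group>\S+), IP = (?P<peer>\S+), (?P<text>.*)$"
)

# Message IDs quoted in the thread: DPD lost contact, and IKE session teardown.
DPD_LOST = "713123"
SESSION_TORN_DOWN = "713259"

# Constructed sample log (peer addresses are TEST-NET placeholders, not real peers).
SAMPLE_LOG = [
    "3 Jan 26 2015 20:19:04 713123 Group = 203.0.113.10, IP = 203.0.113.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)",
    "5 Jan 26 2015 20:19:04 713259 Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Lost Service",
    "3 Jan 26 2015 20:44:04 713123 Group = 203.0.113.10, IP = 203.0.113.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)",
    "5 Jan 26 2015 20:44:04 713259 Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Lost Service",
    "5 Jan 26 2015 21:09:04 713259 Group = 203.0.113.10, IP = 203.0.113.10, Session is being torn down. Reason: Lost Service",
    "5 Jan 26 2015 21:09:05 713259 Group = 203.0.113.20, IP = 203.0.113.20, Session is being torn down. Reason: Lost Service",
]

def parse_line(line):
    """Return a dict of the fields in one ASA IKE log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "severity": int(m.group("sev")),
        "time": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msgid": m.group("msgid"),
        "peer": m.group("peer"),
        "text": m.group("text"),
    }

def teardown_intervals(lines):
    """Per peer, the gaps in seconds between successive 'Lost Service' teardowns (713259)."""
    events = {}
    for raw in lines:
        ev = parse_line(raw)
        if ev and ev["msgid"] == SESSION_TORN_DOWN and "Lost Service" in ev["text"]:
            events.setdefault(ev["peer"], []).append(ev["time"])
    return {peer: [int((b - a).total_seconds()) for a, b in zip(sorted(t), sorted(t)[1:])]
            for peer, t in events.items()}

def flapping_peers(lines, max_gap_seconds=3600, min_teardowns=3):
    """Peers torn down at least min_teardowns times with every gap under max_gap_seconds."""
    return sorted(peer for peer, gaps in teardown_intervals(lines).items()
                  if len(gaps) + 1 >= min_teardowns and all(g <= max_gap_seconds for g in gaps))
```

On the constructed sample, the first peer is reported as flapping (two teardowns 25 minutes apart after the first), while the second peer, with a single teardown, is not.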

Well, why did you not mention that in the post instead of blaming the SLA process?

"but the VPN is flapping because replies to SLA monitor echos are being dropped by the ASA"

According to a support engineer at Amazon who looked at my config and error logs, *if* SLA was receiving echo replies then I would not be having issues with my connection. Are you saying that isn't true? More importantly, do you have any suggestions to change my config that will actually help me?

Thanks
