IKEv2 ASA is receiving packets but not transmitting

mahesh18
Level 6

Hi Everyone,

 

Cisco ASA has an IKEv2 tunnel to a Palo Alto firewall.

ASA is receiving packets but not transmitting.

 

show vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection : 184.71.194.134
Index : 36 IP Addr : 184.71.194.134
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (1)AES256
Hashing : IKEv2: (1)MD5 IPsec: (1)MD5
Bytes Tx : 0 Bytes Rx : 632036
Login Time : 21:28:15 MST Sat Mar 31 2018
Duration : 10h:55m:31s

 

---------------  

show crypto ipsec sa peer 184.71.194.134
peer address: 184.71.194.134
Crypto map tag: outside_map4, seq num: 1, local addr: 70.75.44.116

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 184.71.194.134

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13953, #pkts decrypt: 13953, #pkts verify: 13953
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 70.75.44.116/500, remote crypto endpt.: 184.71.194.134/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DDB18A07
current inbound spi : B2B0C9D9

inbound esp sas:
spi: 0xB2B0C9D9 (2997930457)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 20, IKEv2, }
slot: 0, conn_id: 147456, crypto-map: outside_map4
sa timing: remaining key lifetime (kB/sec): (3916684/83755)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDDB18A07 (3719399943)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 20, IKEv2, }
slot: 0, conn_id: 147456, crypto-map: outside_map4
sa timing: remaining key lifetime (kB/sec): (4147200/83754)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

Regards

Mahesh

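The counters in the opening post (decaps 13953, encaps 0, zero send/receive errors) are the whole diagnosis: inbound ESP is decrypting and verifying, so the SA pair is fine, and the problem is that nothing on the local side is being handed to the crypto map. The following is an added example, not code from the thread or from Cisco, that parses a `show crypto ipsec sa peer` block into those fields and turns them into that finding; the sample text is a constructed, trimmed copy of the output posted above, and the extra check on the `esp-md5-hmac` transform is an addition of mine (RFC 8221 marks HMAC-MD5-96 as MUST NOT for ESP).

```python
import re
from dataclasses import dataclass, field

# Constructed sample: counters, identities and transforms copied from the
# "show crypto ipsec sa peer" output in the thread, trimmed to the lines this
# parser reads. Not a live capture.
SAMPLE_IPSEC_SA = """\
peer address: 184.71.194.134
Crypto map tag: outside_map4, seq num: 1, local addr: 70.75.44.116

access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 184.71.194.134

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13953, #pkts decrypt: 13953, #pkts verify: 13953
#send errors: 0, #recv errors: 0

inbound esp sas:
spi: 0xB2B0C9D9 (2997930457)
transform: esp-aes-256 esp-md5-hmac no compression
outbound esp sas:
spi: 0xDDB18A07 (3719399943)
transform: esp-aes-256 esp-md5-hmac no compression
"""


@dataclass
class IpsecSa:
    peer: str
    local_ident: str
    remote_ident: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    transforms: list = field(default_factory=list)


def _field(text, pattern, conv=str):
    """First capture group of PATTERN in TEXT; raise if the label is absent."""
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return conv(m.group(1))


def parse_ipsec_sa(text):
    """Extract the direction-relevant fields of one 'show crypto ipsec sa peer'
    block, keyed on the labels exactly as the ASA prints them."""
    return IpsecSa(
        peer=_field(text, r"^current_peer:\s*(\S+)"),
        local_ident=_field(text, r"^local ident \(addr/mask/prot/port\):\s*\((\S+)\)"),
        remote_ident=_field(text, r"^remote ident \(addr/mask/prot/port\):\s*\((\S+)\)"),
        encaps=_field(text, r"#pkts encaps:\s*(\d+)", int),
        decaps=_field(text, r"#pkts decaps:\s*(\d+)", int),
        send_errors=_field(text, r"#send errors:\s*(\d+)", int),
        recv_errors=_field(text, r"#recv errors:\s*(\d+)", int),
        transforms=sorted(set(re.findall(r"^transform:\s*(.+?)\s*$", text, re.MULTILINE))),
    )


def classify_direction(sa):
    """Judge the SA pair purely from its packet counters."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    if sa.encaps == 0:
        return "rx-only"
    if sa.decaps == 0:
        return "tx-only"
    return "bidirectional"


def diagnose(sa):
    """Turn counters and transforms into findings a practitioner would act on."""
    findings = []
    state = classify_direction(sa)
    if state == "rx-only":
        findings.append(
            f"{sa.peer}: decaps={sa.decaps}, encaps=0, send errors={sa.send_errors}. "
            "Inbound ESP decrypts and verifies, so the SA pair is healthy; local traffic "
            f"for {sa.remote_ident} never reaches this crypto map. Look at what selects "
            "the packet before encryption (route, NAT, crypto ACL), not at IKE."
        )
    elif state == "tx-only":
        findings.append(
            f"{sa.peer}: encaps={sa.encaps}, decaps=0. Nothing arrives from the peer; "
            f"check the remote side's proxy IDs and its routing toward {sa.local_ident}."
        )
    if sa.recv_errors:
        findings.append(f"{sa.peer}: {sa.recv_errors} receive errors; inbound ESP fails verification or decapsulation.")
    for t in sa.transforms:
        if "md5" in t:
            findings.append(
                f"{sa.peer}: transform '{t}' uses HMAC-MD5-96, which RFC 8221 marks "
                "MUST NOT for ESP; negotiate esp-sha256-hmac or an AEAD such as AES-GCM."
            )
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(SAMPLE_IPSEC_SA)):
        print(line)
```

Run it against the pasted output of `show crypto ipsec sa peer <ip>` from any ASA; a peer that comes back `rx-only` with zero send errors is a selection problem on the local box, which is exactly the path the replies below go down (interesting-traffic ACL, NAT exemption, packet-tracer, routing).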

Hi,

Do you have the ACL for interesting traffic correctly configured on both firewalls?

Do you have a NAT rule on your ASA to not nat traffic destined for the PA VPN tunnel?

Can you run packet tracer and upload the output?

 

Yes ACL is correct.

NAT bypass is there.

 

Here is the packet tracer output:

 

packet-tracer input inside icmp 10.0.0.3 8 0 10.1.20$

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static inside inside
Additional Information:
NAT divert to egress interface outside
Untranslate 10.1.20.1/0 to 10.1.20.1/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp object-group inside any
object-group network inside
network-object 10.0.0.0 255.255.255.0
network-object 192.168.50.0 255.255.255.0
network-object 10.1.0.0 255.255.0.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc1c9890, priority=13, domain=permit, deny=false
hits=313, user_data=0xca10b2c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=10.0.0.0, mask=255.255.255.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 3
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccb0f0c8, priority=7, domain=conn-set, deny=false
hits=7819, user_data=0xccb0e618, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static inside inside
Additional Information:
Static translate 10.0.0.3/0 to 10.0.0.3/0
Forward Flow based lookup yields rule:
in id=0xcc1ab5d8, priority=6, domain=nat, deny=false
hits=88, user_data=0xcbab81d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcba20c80, priority=0, domain=nat-per-session, deny=true
hits=41109, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0e9420, priority=0, domain=inspect-ip-options, deny=true
hits=26881, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xccb0c608, priority=70, domain=inspect-icmp, deny=false
hits=315, user_data=0xccb0bb30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0e8f20, priority=66, domain=inspect-icmp-error, deny=false
hits=439, user_data=0xcc0e8530, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xc86e70a0, priority=70, domain=encrypt, deny=false
hits=2811, user_data=0xb584, cs_id=0xcca47668, reverse, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside inside destination static inside inside
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcc0e9b58, priority=6, domain=nat-reverse, deny=false
hits=89, user_data=0xcc184128, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xc86e7c90, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=2804, user_data=0x10864, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.1.0.0, mask=255.255.0.0, port=0, tag=0
dst ip/id=10.0.0.0, mask=255.255.255.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcba20c80, priority=0, domain=nat-per-session, deny=true
hits=41111, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xcc112000, priority=0, domain=inspect-ip-options, deny=true
hits=26762, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27396, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

Please upload your config

Here is the config.

Can you help me understand your configuration? You ran the following packet trace:


packet-tracer input inside icmp 10.0.0.3 8 0 10.1.20$

 

Which would imply 10.0.0.3 is on the inside of your network and 10.1.20.x is at the far end of the VPN. The running config shows Vlan1 is the 10.0.0.x network and is defined as INSIDE.


interface Vlan1
 nameif inside
 security-level 53
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2

 

But you have a static route that routes 10.1.0.0 255.255.0.0 to INSIDE:
route inside 10.1.0.0 255.255.0.0 10.0.0.4 1

 

Have I misinterpreted your configuration? The network 10.1.0.0 255.255.0.0 can't be on the inside if you want to access it over the VPN.
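The reply above spots a static route (`route inside 10.1.0.0 255.255.0.0 10.0.0.4 1`) whose prefix is the same network the crypto ACL protects, but pointed out the inside interface rather than the interface carrying the crypto map. That is a check worth automating over a whole config. What follows is an added example of mine, not code from the thread or from Cisco: it parses the `route`, `access-list` and `crypto map` lines, works out which interface each crypto ACL is bound to, and flags static routes that overlap a protected destination on a different interface. The configuration fragment is constructed; the interface, route and ACL lines are the ones quoted in the thread, while the three `crypto map` lines are assumed (the thread only shows the map name `outside_map4` and sequence 1 in the `show crypto ipsec sa` output, not the map configuration itself).

```python
import ipaddress
import re

# Constructed configuration fragment (see lead-in for which lines are assumed).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 53
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
route inside 10.1.0.0 255.255.0.0 10.0.0.4 1
!
access-list outside_cryptomap extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map outside_map4 1 match address outside_cryptomap
crypto map outside_map4 1 set peer 184.71.194.134
crypto map outside_map4 interface outside
"""


def _net(addr, mask):
    # ipaddress accepts dotted-decimal masks, so "10.1.0.0/255.255.0.0" parses directly.
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_static_routes(cfg):
    """'route <ifc> <net> <mask> <gateway> [metric]' -> list of (ifc, network, gateway)."""
    return [
        (ifc, _net(net, mask), gw)
        for ifc, net, mask, gw in re.findall(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", cfg, re.M)
    ]


def parse_crypto_acls(cfg):
    """Map each crypto ACL name to (map name, seq, interface the map is applied to).
    Entries whose map is not bound to any interface are ignored: they protect nothing."""
    ifc_by_map = dict(re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M))
    acls = {}
    for name, seq, acl in re.findall(r"^crypto map (\S+) (\d+) match address (\S+)", cfg, re.M):
        if name in ifc_by_map:
            acls[acl] = (name, int(seq), ifc_by_map[name])
    return acls


def parse_acl_pairs(cfg, acl):
    """(source, destination) networks of 'permit ip A AM B BM' entries in ACL.
    Only the net/mask form is handled; host/any/object-group entries are skipped."""
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)$"
    pairs = []
    for s, sm, d, dm in re.findall(pat, cfg, re.M):
        try:
            pairs.append((_net(s, sm), _net(d, dm)))
        except ValueError:
            continue  # keyword form (host/any), not a net/mask pair
    return pairs


def find_route_conflicts(cfg):
    """Static routes that send a crypto-protected destination out an interface
    other than the one the crypto map is applied to."""
    routes = parse_static_routes(cfg)
    conflicts = []
    for acl, (mapname, seq, map_ifc) in parse_crypto_acls(cfg).items():
        for _src, dst in parse_acl_pairs(cfg, acl):
            for r_ifc, r_net, gw in routes:
                if r_ifc != map_ifc and r_net.overlaps(dst):
                    conflicts.append({
                        "crypto_map": f"{mapname} {seq}",
                        "protected_dst": str(dst),
                        "route": f"{r_net} via {gw} on {r_ifc}",
                        "expected_ifc": map_ifc,
                    })
    return conflicts


if __name__ == "__main__":
    for c in find_route_conflicts(SAMPLE_CONFIG):
        print(f"{c['crypto_map']}: {c['protected_dst']} is routed {c['route']}, "
              f"but the crypto map sits on {c['expected_ifc']}")
```

A hit is a candidate, not proof. In this thread the packet-tracer output shows `NAT divert to egress interface outside` and a final `output-interface: outside`, so the identity NAT with a destination clause was steering the flow to the crypto interface despite the route; the way to settle it is what the reply asks for, packet-tracer from an inside host and, if in doubt, temporarily removing the static route.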

That static route is just a backdoor entry.

It was working fine until yesterday; nothing changed.

 

Traceroute from a PC on the inside network: which route does it attempt to take, the backdoor route or the VPN tunnel?

Try turning on "debug icmp trace" and reviewing the output

Does traffic go over the VPN tunnel if you temporarily remove the static route?

Seems rebooting the ASA fixed the issue.

Many thanks for your help.

 

Mahesh
