07-04-2017 09:02 AM - edited 03-12-2019 02:39 AM
Dears
My users from the core are able to access the server, which is on the L2L VPN connection, but users accessing from MPLS are not able to access it.
How can I verify whether I am receiving the return traffic from the server for my MPLS users?
07-04-2017 11:22 AM
Hi
There are multiple ways.
If you manage all firewalls (both ends) then you can use packet-tracer, look at the asp vpn table and crypto IPsec to validate that traffic on both ASAs is taking the VPN tunnel (on Firewall A to see that from Firewall A the traffic is routed through the L2L tunnel, and on the other end that the reply to MPLS is also going through the L2L). Here is a document I made to help you with commands: https://supportforums.cisco.com/document/13299206/asa-how-troubleshoot-vpn-l2l-ensure-traffic-passing-through-vpn
On your ASAs, does your ACL have multiple ACEs (lines: 1 for the inside subnet and 1 for the MPLS subnets)? If yes, by issuing show crypto ipsec sa peer x.x.x.x you can see if you have encaps/decaps traffic for all ACEs. This will confirm that you have bi-directional communication.
If you suspect some drops, you have the logs, debugs and also the asp drop table.
You can also create a packet capture on ASA (wireshark) to see if traffic is flooding on both ways.
The issue could be rules (if sysopt connection permit-vpn isn't issued), nat,..
Maybe, if you share your config (by removing confidential data), we can help you to figure it out.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
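The encaps/decaps check above is easy to misread when the output is long. The script below is an added example (not the poster's code and not from Cisco): it parses the per-ACE sections of `show crypto ipsec sa peer x.x.x.x` output and labels each ACE as bidirectional, outbound-only (we encrypt toward the peer but nothing comes back), inbound-only or idle. The sample output is constructed to resemble the ASA layout; the peer addresses and the second ACE for an MPLS subnet are invented for the demonstration.

```python
import re

# Constructed sample modelled on the layout of 'show crypto ipsec sa peer x.x.x.x'.
# It is NOT output from the poster's ASA: the local/peer addresses are documentation
# ranges and the second ACE (the MPLS subnet) is invented for the demonstration.
SAMPLE_IPSEC_SA = """\
interface: outside
    Crypto map tag: VPN-TUNNEL, seq num: 20, local addr: 203.0.113.10

      access-list VPN extended permit ip 172.16.4.0 255.255.255.0 10.10.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
      #pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498

      access-list VPN extended permit ip 172.16.10.0 255.255.255.0 10.10.30.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.30.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 87, #pkts encrypt: 87, #pkts digest: 87
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per ACE (local/remote ident pair) with its encaps/decaps counters."""
    entries = []
    current = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, ident = m.groups()
            if side == "local":
                # A new 'local ident' line starts the next ACE's section.
                current = {"local": ident, "remote": None, "encaps": 0, "decaps": 0}
                entries.append(current)
            elif current is not None:
                current["remote"] = ident
            continue
        if current is not None:
            for name, value in COUNTER_RE.findall(line):
                current[name] = int(value)
    return entries


def classify(entry):
    """Label the direction of traffic seen on one ACE from its counters."""
    if entry["encaps"] and entry["decaps"]:
        return "bidirectional"
    if entry["encaps"]:
        return "outbound-only"   # we encrypt toward the peer but never get replies back
    if entry["decaps"]:
        return "inbound-only"
    return "idle"


def report(text):
    """Return (ace_label, verdict) pairs; anything not bidirectional deserves a closer look."""
    return [(f"{e['local']} -> {e['remote']}", classify(e)) for e in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for ace, verdict in report(SAMPLE_IPSEC_SA):
        print(f"{ace}: {verdict}")
```

Run it against the real command output saved to a file, and take the counters twice a minute apart: an ACE whose encaps grows while decaps stays flat is the one to chase on the far-end ASA (routing, NAT or the mirror ACE there).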
07-04-2017 12:39 PM
Dear francesco
Please find the attached topology
On your ASAs, does your ACL have multiple ACEs (lines: 1 for the inside subnet and 1 for the MPLS subnets)? If yes, by issuing show crypto ipsec sa peer x.x.x.x you can see if you have encaps/decaps traffic for all ACEs. This will confirm that you have bi-directional communication.
If you suspect some drops, you have the logs, debugs and also the asp drop table.
You can also create a packet capture on ASA (wireshark) to see if traffic is flooding on both ways
The ACL contains only 1 line.
How will I know, from the encrypted packets, which traffic this belongs to, meaning whether it belongs to MPLS or Internal?
If I start a packet capture on the ASA on the inside interface for return traffic from the server to the MPLS users, will I be able to see the traffic?
I will elaborate more on my configs:
access-list VPN extended permit ip 172.16.4.0 255.255.255.0 10.10.30.0 255.255.255.0
object network obj-172.16.10.7
host 172.16.10.7
object network obj-172.16.10.7
nat (inside,outside) dynamic 172.16.4.7
crypto map VPN-TUNNEL 20 match address VPN
crypto map VPN-TUNNEL 20 set peer XX.XX.XX.XX
crypto map VPN-TUNNEL 20 set ikev1 transform-set crypto
crypto map VPN-TUNNEL 20 set security-association lifetime seconds 864000
crypto map VPN-TUNNEL 20 set reverse-route
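One way to answer "which traffic does this belong to" is to test a concrete flow against the crypto ACL and the object NAT posted above. The checker below is an added example, not the poster's configuration tooling or anything from Cisco: it parses the `access-list` and `object network` lines above, translates the source with the NAT mapping it finds, and reports whether the flow falls inside an ACE before NAT, after NAT, and whether the reply (server back to the translated address) hits the mirror of that ACE. The server address 10.10.30.25 is constructed (it merely sits inside the posted remote subnet), and the parser only handles the config patterns shown in this thread.

```python
import ipaddress

# The crypto ACL and object NAT lines posted above in the thread, as a list of lines.
POSTED_CONFIG = [
    "access-list VPN extended permit ip 172.16.4.0 255.255.255.0 10.10.30.0 255.255.255.0",
    "object network obj-172.16.10.7",
    " host 172.16.10.7",
    "object network obj-172.16.10.7",
    " nat (inside,outside) dynamic 172.16.4.7",
]


def _take_network(tokens):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK') from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(lines, acl_name):
    """Parse 'access-list NAME extended permit ip SRC DST' entries into (src, dst) network pairs."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 7 or tokens[:3] != ["access-list", acl_name, "extended"]:
            continue
        action, proto, rest = tokens[3], tokens[4], tokens[5:]
        if action != "permit" or proto != "ip":
            continue   # crypto ACLs are normally plain 'permit ip'; anything else is skipped here
        aces.append((_take_network(rest), _take_network(rest)))
    return aces


def parse_object_nat(lines):
    """Map real host IP -> mapped IP from 'object network' blocks with a host and a nat line.

    Simplified: handles exactly the one-host, one-mapped-address pattern posted in the thread.
    """
    mapping = {}
    current_host = None
    for line in lines:
        tokens = line.split()
        if len(tokens) == 2 and tokens[0] == "host":
            current_host = tokens[1]
        elif (len(tokens) >= 4 and tokens[0] == "nat"
              and tokens[2] in ("static", "dynamic") and current_host):
            mapping[current_host] = tokens[3]
    return mapping


def matching_ace(aces, src, dst):
    """First ACE whose source network covers src and destination covers dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return (src_net, dst_net)
    return None


def check_flow(lines, src_ip, dst_ip, acl_name="VPN"):
    """Does a flow match the crypto ACL before NAT, after NAT, and on the way back?"""
    aces = parse_crypto_acl(lines, acl_name)
    nat = parse_object_nat(lines)
    post_nat_src = nat.get(src_ip, src_ip)   # untranslated hosts keep their real address
    return {
        "pre_nat_match": matching_ace(aces, src_ip, dst_ip) is not None,
        "post_nat_src": post_nat_src,
        "post_nat_match": matching_ace(aces, post_nat_src, dst_ip) is not None,
        # Reply packets have src=dst_ip and dst=post_nat_src; they must hit the mirror of an ACE.
        "return_match": matching_ace([(d, s) for s, d in aces], dst_ip, post_nat_src) is not None,
    }


if __name__ == "__main__":
    # 10.10.30.25 is a constructed server address inside the posted remote subnet.
    for host in ("172.16.10.7", "172.16.10.8"):
        print(host, check_flow(POSTED_CONFIG, host, "10.10.30.25"))
```

The second host in the usage run (172.16.10.8, constructed) has no NAT entry, so it never lands inside the single ACE and the flow is not interesting traffic for the tunnel; that is the same question `packet-tracer ... detail` answers on the box itself, with the NAT and VPN phases shown in order.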
07-04-2017 03:31 PM
Hi
I'm sorry, but I don't understand your design.
Let me recap:
ASA VPN is the one mounting a L2L VPN with another end ASA, right?
ASA VPN is doing a NAT of an MPLS host when reaching the outside interface? Do you see your NAT created on the ASA?
If you share your configs it will be easier.
Anyway, if you capture on the inside you'll be able to see the encrypted traffic.
You can also test your flow by using packet-tracer with the detail keyword to see all the information. This will show you the packet when it arrives at the ASA, is NATed and is forwarded to the VPN.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question