01-20-2022 11:16 AM
As the title says, I have a VPN IKEv2 tunnel from a Fortigate to a Cisco ASA, but the snmp/ping/anything doesn't work on the inside. Also I saw in Forti logging that the traffic is going over the tunnel, but on the ASA I don't see any packets on sh cry ipsec sa peer. Both Forti and ASA seem to show the tunnel as being UP; on the Forti I have outgoing traffic but not incoming.
asa-odg-01# sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list outside_crypto extended permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/500, remote crypto endpt.: 2.2.2.2/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A11CBE2B
current inbound spi : F97CF8EA
inbound esp sas:
spi: 0xF97CF8EA (4185716970)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (8500/3068)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xA11CBE2B (2703015467)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 4096, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (9400/3068)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
A packet capture on ASA shows the traffic coming in:
13: 06:35:46.540423 802.1Q vlan#2 P0 1.1.1.1 > 2.2.2.2: [|udp]
14: 06:35:46.549257 802.1Q vlan#2 P0 2.2.2.2.500 > 1.1.1.1.500: udp 80
Phase 2 is UP-active on Forti, I have traffic outgoing on the tunnel. On the ASA I have the management-access inside command.
What is happening, why is the ASA not responding? I cannot ping the inside interface or anything. Any commands that can help?
01-20-2022 07:18 PM
Hi
Can you share your ASA configuration please?
You might be missing the management-access command and/or have a NAT misconfiguration.
01-20-2022 10:45 PM
I have attached the ASA file, I hope that's OK. Will also paste a bit more commands output here:
show crypto ikev2 sa
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:2
Tunnel-id Local Remote Status Role
160520829 1.1.1.1/500 2.2.2.2/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/22822 sec
Child sa: local selector 10.1.2.0/0 - 10.1.2.255/65535
remote selector 172.16.1.0/0 - 172.16.1.255/65535
ESP spi in/out: 0xczzz56e/0xzzz26d
Child sa: local selector 10.1.2.0/0 - 10.1.2.255/65535
remote selector 172.17.1.0/0 - 172.17.1.255/65535
ESP spi in/out: 0xbzzz063a/0xa1zzz251
I also start to think NAT is the culprit, but the fact that sh cry ipsec sa peer shows no packets really confuses me. I'm starting to think it might not work for IKEv2?
01-24-2022 12:47 AM
Bump. Any ideas? I did a packet tracer from an inside IP (let's say .3) to a destination over VPN and it looks just fine. Did the same from the IP of the inside interface and it doesn't seem to be placed over VPN. I rechecked access lists and they look OK. What can the issue be?
01-24-2022 12:54 AM
@silric26227 provide the output from packet-tracer and "show crypto ipsec sa".
01-24-2022 01:48 AM
Your configuration looks solid with regard to site-to-site VPN and NAT. You said you can see the outgoing traffic on the Fortinet firewall and that tunnel phase 1 and phase 2 are up, but there is no encap and decap on the ASA unit.
You also mentioned that you can see the outgoing traffic on the Fortinet firewall, which means it is doing encap.
Could you also confirm whether you can ping any network behind the ASA firewall from the Fortinet? I also noted your ASA is the responder whereas your Fortinet is the initiator.
01-24-2022 08:25 PM
The config looks OK in terms of NAT and you have the management-access command. Your SSH allow list is correct as well.
Can you share the output of: show run all sysopt
Thanks
01-25-2022 06:13 AM - edited 01-25-2022 06:14 AM
# show run all sysopt
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp inside
no sysopt noproxyarp outside
no sysopt noproxyarp management
--------------------------------------------
sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list outside_VPN_crypto extended permit ip 10.1.2.0 255.255.255.0 172.17.1.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/500, remote crypto endpt.: 2.2.2.2/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A11FAC1C
current inbound spi : 1ADAF4AE
inbound esp sas:
spi: 0x1ADAF4AE (450557102)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 770048, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (9200/1878)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xA11FAC1C (2703207452)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 770048, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (9100/1878)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
-------------------------------------
No, I cannot ping any device behind the ASA from Forti; I have no encaps/decaps on the ASA. I have done a packet tracer from a virtual .3 behind the ASA inside to the Forti range and it did invoke VPN. That did not happen when I did it from .1 (the IP of the inside interface).
01-25-2022 08:40 AM
On the sh crypto we see the remote subnet 172.17.1.0, but the SSH is only for 172.16.1.0.
Can you paste the whole output please?
01-25-2022 06:20 AM
Also, a capture on outside interface:
54: 02:40:03.962978 802.1Q vlan#2 P0 1.1.1.1 > 2.2.2.2: [|udp]
55: 02:40:03.971736 802.1Q vlan#2 P0 2.2.2.2.500 > 1.1.1.1.500: udp 80
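An added example (not from any poster in this thread) that applies the checks the replies above are doing by eye: it parses the pasted "sh crypto ipsec sa" output and the outside-interface capture, and reports the combination of an installed child SA with zero encaps/decaps and a capture that contains only IKE (UDP/500) control traffic. The sample strings are constructed from the outputs in the thread; the rendering of native ESP lines in an ASA capture is an assumption.

```python
import re
# Sample inputs constructed from the outputs pasted in this thread (trimmed to the needed lines).
IPSEC_SA = """\
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.17.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
transform: esp-aes-256 esp-md5-hmac no compression
"""
CAPTURE = """\
54: 02:40:03.962978 802.1Q vlan#2 P0 1.1.1.1 > 2.2.2.2: [|udp]
55: 02:40:03.971736 802.1Q vlan#2 P0 2.2.2.2.500 > 1.1.1.1.500: udp 80
"""
def parse_ipsec_sa(text):  # pull the fields that matter for a "tunnel up, zero counters" check
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None
    return {
        "peer": grab(r"current_peer:\s*(\S+)"),
        "local": grab(r"local ident.*?\(([\d.]+/[\d.]+)"),
        "remote": grab(r"remote ident.*?\(([\d.]+/[\d.]+)"),
        "encaps": int(grab(r"#pkts encaps:\s*(\d+)") or 0),
        "decaps": int(grab(r"#pkts decaps:\s*(\d+)") or 0),
        "transform": grab(r"transform:\s*(.+)") or "",
    }
def classify_capture(text):  # control-plane (IKE) versus data-plane (ESP) lines in an ASA capture
    counts = {"ike": 0, "natt": 0, "esp": 0, "truncated": 0, "other": 0}
    for line in text.splitlines():
        if "[|udp]" in line:  # capture cut the UDP header off, port unknown
            counts["truncated"] += 1
        elif re.search(r"\.500 > [\d.]+\.500:", line):  # IKE on UDP/500
            counts["ike"] += 1
        elif re.search(r"\.4500 > [\d.]+\.4500:", line):  # NAT-T (IKE and UDP-encapsulated ESP)
            counts["natt"] += 1
        elif "ip-proto-50" in line or "ESP" in line:  # assumed rendering of native ESP
            counts["esp"] += 1
        else:
            counts["other"] += 1
    return counts

def diagnose(sa, cap):  # turn the parsed numbers into findings
    findings = []
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("child SA %s -> %s installed, zero encaps/decaps" % (sa["local"], sa["remote"]))
    if cap["ike"] and not (cap["esp"] or cap["natt"]):
        findings.append("outside capture shows only IKE control traffic, no ESP")
    if re.search(r"md5|esp-sha-hmac|esp-3?des", sa["transform"]):
        findings.append("legacy integrity/cipher in ESP transform: " + sa["transform"])
    return findings
```

With the thread's own numbers, no ESP ever reaches the ASA's outside interface, so the next place to look is the path between the Forti's encapsulated output and the ASA, not the inside-side NAT or management-access settings.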