05-11-2019 07:13 PM
Hello,
I am having a problem with an IPsec VPN on an ASA5525.
The issue is that even though the IPsec tunnel has been established, traffic from HQ (ASA5525) does not flow through the ASA outside interface.
It seems that traffic from the branch (Meraki) can go through the HQ ASA and actually reach the HQ LAN PC.
I have set up an IPsec VPN on another outside interface of this HQ ASA which basically uses the same ACL, and it worked fine, but somehow I cannot make it work on this interface.
Let's say the IP addresses for the outside interfaces are these:
HQ outside interface IP: 62.1.1.1
Branch outside interface IP: 56.1.1.1
Capture of HQ ASA outside interface:
427: 10:21:53.229388 62.1.1.1.500 > 56.1.1.1.500: udp 92
428: 10:21:53.746192 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
429: 10:21:54.747626 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
430: 10:21:55.749122 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
431: 10:21:57.747870 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
432: 10:21:57.747886 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
433: 10:21:57.762884 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
HQ LAN IP address: 192.168.1.51
Branch LAN IP address: 10.1.1.51
Capture of HQ ASA inside interface:
1: 10:50:47.292465 10.1.1.51 > 192.168.1.51: icmp: echo request
2: 10:50:47.294052 192.168.1.51 > 10.1.1.51: icmp: echo reply
3: 10:50:52.224231 10.1.1.51 > 192.168.1.51: icmp: echo request
4: 10:50:52.225925 192.168.1.51 > 10.1.1.51: icmp: echo reply
5: 10:50:57.227359 10.1.1.51 > 192.168.1.51: icmp: echo request
6: 10:50:57.228519 192.168.1.51 > 10.1.1.51: icmp: echo reply
7: 10:51:02.225848 10.1.1.51 > 192.168.1.51: icmp: echo request
8: 10:51:02.226947 192.168.1.51 > 10.1.1.51: icmp: echo reply
Here is the output of show crypto ikev1 sa and show crypto ipsec sa:
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 56.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
interface: outside
access-list outside_cryptomap_3 extended permit ip "HQ_LAN" "Branch_LAN"
local ident (addr/mask/prot/port): ("HQ_LAN")
remote ident (addr/mask/prot/port): ("Branch_LAN")
current_peer: 56.1.1.1
#pkts encaps: 6145, #pkts encrypt: 6145, #pkts digest: 6145
#pkts decaps: 2900, #pkts decrypt: 2900, #pkts verify: 2900
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6145, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
NAT exemption is set above PAT.
nat (inside,outside) source static VPN_TO_BRANCH_SOURCE_NETWORK VPN_TO_BRANCH_SOURCE_NETWORK destination static BRANCH_LOCAL_NETWORK BRANCH_LOCAL_NETWORK no-proxy-arp route-lookup
Since there is another outside interface as the gateway of last resort, I put a static route for the IPsec traffic, shown below:
S 10.1.1.0 255.255.255.0 [1/0] via 62.1.1.2, outside
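As an added example (not code from the original post or from Cisco), here is a small Python script that parses ASA `capture` output in the format quoted above and reports, per direction between the two peers, how many ESP and IKE packets were seen, flagging one-way flows. The embedded sample is the outside-interface capture quoted above, treated as constructed input; the interpretation text in the findings (for example, that outbound ESP missing from the capture while `#pkts encaps` keeps rising points at the route to the peer) is the author's reading of the thread, not ASA output.

```python
import re
from collections import Counter

# Constructed sample input: the outside-interface "capture" quoted in the post
# above, with 62.1.1.1 = HQ outside and 56.1.1.1 = branch outside.
SAMPLE_OUTSIDE_CAPTURE = """\
427: 10:21:53.229388 62.1.1.1.500 > 56.1.1.1.500: udp 92
428: 10:21:53.746192 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
429: 10:21:54.747626 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
430: 10:21:55.749122 56.1.1.1> 62.1.1.1: ip-proto-50, length 100
431: 10:21:57.747870 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
432: 10:21:57.747886 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
433: 10:21:57.762884 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
"""

# One ASA capture line: "<n>: <time> <src>[.<port>] > <dst>[.<port>]: <description>"
# The "\s*>\s*" tolerates the missing space seen in line 430 of the post.
LINE_RE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\S+?)\s*>\s*(\S+?):\s+(.*)$")


def split_endpoint(token):
    """'62.1.1.1.500' -> ('62.1.1.1', 500); '62.1.1.1' -> ('62.1.1.1', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def classify(desc, sport, dport):
    """Map the ASA packet description to a traffic class."""
    if desc.startswith("ip-proto-50"):
        return "esp"      # plain ESP, i.e. no NAT-T in use
    if desc.startswith("udp") and (sport in (500, 4500) or dport in (500, 4500)):
        return "ike"      # ISAKMP/IKE on 500, or NAT-T (IKE and encapsulated ESP) on 4500
    if desc.startswith("icmp"):
        return "icmp"
    return "other"


def parse_capture(text):
    """Return a Counter keyed by (class, src_ip, dst_ip) over every parsable line."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, src_tok, dst_tok, desc = m.groups()
        src, sport = split_endpoint(src_tok)
        dst, dport = split_endpoint(dst_tok)
        counts[(classify(desc, sport, dport), src, dst)] += 1
    return counts


def tunnel_direction_report(text, local_ip, peer_ip):
    """Summarise VPN traffic between local_ip and peer_ip and flag one-way flows."""
    counts = parse_capture(text)
    summary = {
        "esp_out": counts[("esp", local_ip, peer_ip)],
        "esp_in": counts[("esp", peer_ip, local_ip)],
        "ike_out": counts[("ike", local_ip, peer_ip)],
        "ike_in": counts[("ike", peer_ip, local_ip)],
    }
    findings = []
    if summary["esp_in"] and not summary["esp_out"]:
        # Assumption from the thread: decrypting but not sending on this interface,
        # while 'show crypto ipsec sa' still counts encaps, means the encrypted
        # packets are leaving via another interface (route to the peer's public IP).
        findings.append(
            "ESP arrives from %s but none leaves on this interface. If 'show crypto "
            "ipsec sa' still shows #pkts encaps increasing, the encrypted packets are "
            "being routed out another interface: check the route to %s." % (peer_ip, peer_ip))
    if summary["esp_out"] and not summary["esp_in"]:
        findings.append(
            "ESP leaves for %s but none returns: the peer is not sending, or its "
            "reply path does not reach this interface." % peer_ip)
    if summary["ike_out"] and not summary["ike_in"]:
        findings.append(
            "IKE sent to %s with no reply seen on this interface (normal for a single "
            "keepalive/DPD probe, suspicious if it repeats)." % peer_ip)
    summary["findings"] = findings
    return summary


if __name__ == "__main__":
    report = tunnel_direction_report(SAMPLE_OUTSIDE_CAPTURE, "62.1.1.1", "56.1.1.1")
    for key, value in report.items():
        print(key, value)
```

Run it against a pasted `capture ... ` dump with the local outside IP and the peer's public IP; on the sample above it reports six inbound ESP packets, zero outbound, and one unanswered IKE packet, which is the one-way picture the post describes before the static route to the peer was added.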
05-12-2019 11:25 PM
Sorry, it seems that I just needed to re-establish the IKEv1 tunnel... it is working fine now.
05-11-2019 09:33 PM
05-11-2019 11:20 PM
Hi Francesco,
Thanks for your reply.
I cannot post the result of the command, but the below command's result was all ALLOW.
I would like to set up the VPN on the "outside" interface, which is my secondary internet connection.
Thank you.
05-11-2019 11:18 PM
Sorry, I would like to correct one thing in the previous post.
The reason the capture of the HQ ASA outside interface showed only one direction of traffic (Branch to HQ) was that I had not set a static route for the Branch public IP. After setting up the static route I can see traffic in both directions on the HQ ASA outside interface; however, traffic from the HQ LAN still cannot reach the Branch network :(