Outgoing IPsec VPN traffic does not flow through ASA 5525

Tats0611
Level 1

Hello,

I am having a problem with IPsec VPN on an ASA5525.

The issue is that even though the IPsec tunnel has been established, traffic from HQ (ASA5525) does not flow through the ASA outside interface.

It seems that traffic from the branch (Meraki) can go through the HQ ASA and actually reach the HQ LAN PC.

I have set up IPsec VPN on another outside interface of this HQ ASA which basically uses the same ACL, and it worked fine, but somehow I cannot make it work on this interface.

Let's say the IP addresses for the outside interfaces are these:

HQ outside interface IP: 62.1.1.1

Branch outside interface IP: 56.1.1.1

Capture of HQ ASA outside interface:

427: 10:21:53.229388 62.1.1.1.500 > 56.1.1.1.500: udp 92
428: 10:21:53.746192 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
429: 10:21:54.747626 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
430: 10:21:55.749122 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
431: 10:21:57.747870 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
432: 10:21:57.747886 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
433: 10:21:57.762884 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100

HQ LAN IP address: 192.168.1.51

Branch LAN IP address: 10.1.1.51

Capture of HQ ASA inside interface:

1: 10:50:47.292465 10.1.1.51 > 192.168.1.51: icmp: echo request
2: 10:50:47.294052 192.168.1.51 > 10.1.1.51: icmp: echo reply
3: 10:50:52.224231 10.1.1.51 > 192.168.1.51: icmp: echo request
4: 10:50:52.225925 192.168.1.51 > 10.1.1.51: icmp: echo reply
5: 10:50:57.227359 10.1.1.51 > 192.168.1.51: icmp: echo request
6: 10:50:57.228519 192.168.1.51 > 10.1.1.51: icmp: echo reply
7: 10:51:02.225848 10.1.1.51 > 192.168.1.51: icmp: echo request
8: 10:51:02.226947 192.168.1.51 > 10.1.1.51: icmp: echo reply

Here is the output of show crypto ikev1 sa and show crypto ipsec sa:

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 56.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

 

interface: outside

access-list outside_cryptomap_3 extended permit ip "HQ_LAN" "Branch_LAN"
local ident (addr/mask/prot/port): ("HQ_LAN")
remote ident (addr/mask/prot/port): ("Branch_LAN")
current_peer: 56.1.1.1


#pkts encaps: 6145, #pkts encrypt: 6145, #pkts digest: 6145
#pkts decaps: 2900, #pkts decrypt: 2900, #pkts verify: 2900
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6145, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

NAT exemption is set above PAT.

nat (inside,outside) source static VPN_TO_BRANCH_SOURCE_NETWORK VPN_TO_BRANCH_SOURCE_NETWORK destination static BRANCH_LOCAL_NETWORK BRANCH_LOCAL_NETWORK no-proxy-arp route-lookup

Since there is another outside interface as the gateway of last resort, I put a static route for the IPsec traffic, shown as follows:

S 10.1.1.0 255.255.255.0 [1/0] via 62.1.1.2, outside
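As an added diagnostic example (my code, not from the thread), the Python script below parses ASA capture lines in the format shown above and counts ESP (ip-proto-50) packets per direction between the two peers, so a one-way tunnel like the one in the first capture shows up immediately. The sample capture is constructed from the lines in the post, and the function names are mine.

```python
import re
from collections import Counter

# Constructed sample in the format of "show capture" on the ASA, as in the
# post above: ESP appears as "ip-proto-50", IKE as UDP/500.
SAMPLE_CAPTURE = """\
427: 10:21:53.229388 62.1.1.1.500 > 56.1.1.1.500: udp 92
428: 10:21:53.746192 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
429: 10:21:54.747626 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
430: 10:21:55.749122 56.1.1.1> 62.1.1.1: ip-proto-50, length 100
431: 10:21:57.747870 56.1.1.1 > 62.1.1.1: ip-proto-50, length 100
"""

# One capture line: "<n>: <time> <src>[.port] > <dst>[.port]: <proto ...>" (">" may lack a space)
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?\s*>\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:\s*(?P<rest>.*)$"
)

def parse_capture(text):
    """Yield (src, dst, is_esp) for every line that parses as a capture entry."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["dst"], m["rest"].startswith("ip-proto-50")

def esp_direction_counts(text, local_ip, peer_ip):
    """Return (outbound, inbound) ESP packet counts between local and peer."""
    c = Counter()
    for src, dst, is_esp in parse_capture(text):
        if not is_esp:
            continue
        if (src, dst) == (local_ip, peer_ip):
            c["out"] += 1
        elif (src, dst) == (peer_ip, local_ip):
            c["in"] += 1
    return c["out"], c["in"]

def diagnose(text, local_ip, peer_ip):
    """One-word verdict on ESP symmetry as seen on local_ip's outside interface."""
    out, inb = esp_direction_counts(text, local_ip, peer_ip)
    if out and inb:
        return "esp-both-directions"
    return "no-outbound-esp" if inb else ("no-inbound-esp" if out else "no-esp")

if __name__ == "__main__":
    print(esp_direction_counts(SAMPLE_CAPTURE, "62.1.1.1", "56.1.1.1"))
    print(diagnose(SAMPLE_CAPTURE, "62.1.1.1", "56.1.1.1"))
```

A "no-outbound-esp" verdict on the HQ side, with the crypto map's encaps counter still rising, points at the egress path (route to the peer or the interface the crypto map is bound to) rather than at the ACL.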

1 Accepted Solution

Tats0611
Level 1

Sorry, it seems that I just needed to re-establish the IKEv1 tunnel.... it is working fine now.

4 Replies

Francesco Molino
VIP Alumni
Hi

Is the interface named outside the 2nd interface you're referring to, on which you want to use VPN?

Can you run the following command and share the output:
packet-tracer input inside icmp 192.168.1.51 8 0 10.1.1.51 details

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Thanks for your reply.

I cannot post the result of the command, but the command's result was all ALLOW.

I would like to set up VPN on the "outside" interface, which is my secondary internet connection.

Thank you.

Tats0611
Level 1

Sorry, I would like to correct one thing in the previous post.

The reason the capture of the HQ ASA outside interface was showing only one-way traffic (Branch to HQ) was that I had not set a static route for the Branch public IP. After setting up the static route, I can see traffic in both directions on the HQ ASA outside interface; however, the traffic from the HQ LAN still cannot reach the Branch network :(

