03-17-2013 02:07 PM - edited 03-11-2019 06:15 PM
Hi All, I am new to the ASA/Security world. I am trying to troubleshoot a problem where one of my remote sites is not able to access some networks at HQ over a Site to Site VPN (ASA 5505 at Remote and 5520 at HQ). I ran packet tracer and the HQ ASA looks clean as everything came out as ALLOW. The remote site ASA packet tracer gives me a DROP at Phase 9 (VPN). I am not very sure what to look at in the ASA for resolution now. Is it an access list that is blocking the traffic or the VPN setup? Please advise.
Output from remote ASA:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca3bba00, priority=70, domain=encrypt, deny=false
hits=22, user_data=0x0, cs_id=0xca523498, reverse, flags=0x0, protocol=0
src ip=Voice, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
03-17-2013 02:09 PM
Are you using the same command on both units?
More importantly, have you checked the tunnel status? "show crypto isakmp sa"
03-17-2013 02:31 PM
Yes, the tunnel is already up and working, just trying to add another subnet. Same command on both ends.
03-17-2013 02:44 PM
You can't run the exact same command on both ends, you have to adapt it to each ASA.
03-17-2013 05:12 PM
Hi Satish,
Let's do the following:
1- Is there a SA for this tunnel? Is Phase II up?
show crypto ipsec sa
2- According to that drop, the ASA is not encrypting the packet, probably because Phase II is not up at all, so there is not a valid SA for this traffic.
You could do the following:
clear crypto ipsec sa peer remote_peer_ip
debug crypto ipsec 190
Then try to send traffic across the tunnel.
Do you see any errors during the VPN connection? Do the proxy identities match? Does phase II come up?
Have you checked the Phase II settings on both units (transform-set, ACL and PFS)?
*Remember that the ACLs should be mirrors of each other on the VPN peers, so:
LOCAL:
src ip=Voice, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.0.0, port=0
REMOTE:
src ip=192.168.0.0, mask=255.255.0.0, port=0
dst ip=Voice, mask=255.255.255.0, port=0
Port 0 = IP
HTH.
Portu.
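The two checks Portu recommends (read the phase that dropped the packet out of the packet-tracer output, and verify that the crypto ACL on each peer is the mirror image of the other) can be automated while troubleshooting. The script below is an added example written for this thread, not a Cisco tool or anything posted by the participants. It assumes the "Voice" object is 10.10.10.0/24 and that the newly added subnet is 172.16.5.0/24; both values are constructed, since the thread never gives them, and the sample ACLs are constructed so that the new subnet is present on the remote site but missing at HQ.

```python
"""Added helper for the site-to-site "Phase 9 VPN encrypt DROP" troubleshooting above.

1. Parse ASA packet-tracer output and report the phase that dropped the packet.
2. Check that the crypto (proxy-identity) ACL entries on the two peers mirror
   each other exactly, which is what Portu's post asks the poster to verify.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
AclEntry = Tuple[Net, Net]  # (source network, destination network)

# Constructed sample: the relevant part of the remote ASA's packet-tracer output.
PACKET_TRACER_OUTPUT = """\
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca3bba00, priority=70, domain=encrypt, deny=false
src ip=Voice, mask=255.255.255.0, port=0
dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One phase block: "Phase: N / Type: X / [Subtype: Y] / Result: ALLOW|DROP".
PHASE_RE = re.compile(
    r"Phase:\s*(\d+)\s*\nType:\s*(\S+)\s*\n(?:Subtype:\s*(\S*)\s*\n)?Result:\s*(\S+)"
)
DROP_REASON_RE = re.compile(r"Drop-reason:\s*(.+)")


def find_drop_phase(output: str) -> Optional[dict]:
    """Return the first phase whose Result is DROP, with the trace's drop reason, else None."""
    for m in PHASE_RE.finditer(output):
        phase, ptype, subtype, result = m.groups()
        if result.upper() == "DROP":
            reason = DROP_REASON_RE.search(output)  # a single trace has one Drop-reason line
            return {
                "phase": int(phase),
                "type": ptype,
                "subtype": subtype or "",
                "reason": reason.group(1).strip() if reason else "",
            }
    return None


def net_from_mask(ip: str, mask: str) -> Net:
    """Build a network from the 'ip=... mask=...' pair the packet tracer prints."""
    return Net(f"{ip}/{mask}")


def mirrors(local: List[AclEntry], remote: List[AclEntry]) -> List[AclEntry]:
    """Return the local entries with no exact (dst, src) counterpart on the remote peer.

    Proxy identities must match exactly: a /16 on one side and a /24 on the
    other are reported as a mismatch even though one contains the other.
    """
    remote_set = {(src, dst) for src, dst in remote}
    return [(src, dst) for src, dst in local if (dst, src) not in remote_set]


# Constructed values: the thread never states what "Voice" or the new subnet is.
VOICE = Net("10.10.10.0/24")        # assumed address of the 'Voice' object
HQ = net_from_mask("192.168.0.0", "255.255.0.0")
NEW_SUBNET = Net("172.16.5.0/24")   # assumed subnet the poster is adding

REMOTE_SITE_ACL: List[AclEntry] = [(VOICE, HQ), (VOICE, NEW_SUBNET)]  # new subnet added here
HQ_ACL: List[AclEntry] = [(HQ, VOICE)]                                # but not mirrored at HQ


def diagnose() -> List[str]:
    """Combine both checks into a list of findings for the troubleshooter."""
    findings = []
    drop = find_drop_phase(PACKET_TRACER_OUTPUT)
    if drop:
        findings.append(
            f"phase {drop['phase']} {drop['type']}/{drop['subtype']} dropped: {drop['reason']}"
        )
    for src, dst in mirrors(REMOTE_SITE_ACL, HQ_ACL):
        findings.append(f"no mirror on HQ for {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for line in diagnose():
        print(line)
```

The mirror check is deliberately strict: when a new subnet is added on only one peer, or added with a different mask, the proxy identities no longer agree and the ASA will not build an SA for that traffic, which shows up exactly as the "domain=encrypt" drop in the trace.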
03-17-2013 05:15 PM
BTW, for further VPN posts, please use the VPN community
https://supportforums.cisco.com/community/netpro/security/vpn