Remote Access VPN and Site to Site VPN Issue...

Hi ,

I have an ASA 5505 with a base license and the OS version is 7.2(4). I configured both a site-to-site VPN and a Remote Access VPN. The site-to-site VPN is working fine, and the remote access VPN tunnel also came up; the remote user got an IP address from the firewall.

But the problem is that the remote user is unable to ping the local users.

While watching the logs it shows: "IKE initiator unable to find the policy: Src"

Below I am attaching the configuration of my firewall.

Your response would be appreciated....

Regards,

Janardhan

2 Accepted Solutions

Hi Janardhan,

Create an access list for site to site crypto traffic :-

access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0

Then change :-

crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet

to :-

crypto map abcmap 1 match address crypto_one
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet

Reapply the crypto map; this will cause a little blip in the site-to-site tunnel, so make sure you do it with little downtime.

Keep everything else the same and Let us know if this works for you.

Manish


Hi ,

Create an access list for site to site crypto traffic :-

access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0

Then change :-

crypto map abcmap 1 match address nonat
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet

to :-

crypto map abcmap 1 match address crypto_one
crypto map abcmap 1 set peer X.X.X.X
crypto map abcmap 1 set transform-set FirstSet

You will keep everything as it is in your configuration, then add the access list mentioned above and make that minor change in the crypto map. Then remove and reapply the crypto map.

As mentioned earlier in the post, the packets are not leaving the ASA; that was because the return traffic for the remote VPN was getting qualified as L2L. That is the reason I have created a separate ACL to identify the site-to-site traffic and not mix it with the RA VPN.

Manish

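The accepted solution turns on one point: a crypto map's "match address" ACL decides which outbound packets are site-to-site traffic, so when that ACL is the same "nonat" list that also exempts inside-to-pool traffic from NAT, the reply to a remote-access client (192.168.8.x to 10.10.10.x) is claimed by the L2L policy and IKE looks for a peer that does not exist. The script below is an added example, not code from the thread or from Cisco; it uses a simplified model of that classification (an assumption, not the ASA's actual pipeline) to show why the first configuration fails and the "crypto_one" configuration works, and it also checks the pool/inside overlap raised in Anisha's first reply. The config fragments are constructed from the addresses posted in the thread.

```python
import ipaddress

# Constructed config fragments based on the addresses and ACL names in the thread.
# BROKEN_CONFIG: the crypto map reuses the NAT-exemption ACL "nonat".
BROKEN_CONFIG = """
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list nonat
crypto map abcmap 1 match address nonat
"""

# FIXED_CONFIG: the accepted solution, a dedicated L2L ACL "crypto_one".
FIXED_CONFIG = """
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
access-list crypto_one extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0
nat (inside) 0 access-list nonat
crypto map abcmap 1 match address crypto_one
"""

RA_POOL = ipaddress.ip_network("10.10.10.0/24")      # ip local pool RPOOL
INSIDE_NET = ipaddress.ip_network("192.168.8.0/24")  # inside LAN


def parse_config(text):
    """Return (acls, crypto_match): acls maps ACL name -> [(src_net, dst_net)]
    for 'extended permit ip' entries; crypto_match maps crypto map name -> the
    ACL named in its 'match address' line. Other lines are ignored."""
    acls, crypto_match = {}, {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) == 9 and tok[0] == "access-list" and tok[2:5] == ["extended", "permit", "ip"]:
            # ipaddress accepts dotted netmasks such as 255.255.252.0
            src = ipaddress.ip_network(f"{tok[5]}/{tok[6]}", strict=False)
            dst = ipaddress.ip_network(f"{tok[7]}/{tok[8]}", strict=False)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            crypto_match[tok[2]] = tok[6]
    return acls, crypto_match


def acl_permits(entries, src_ip, dst_ip):
    """True if any (src_net, dst_net) entry covers the flow."""
    return any(src_ip in s and dst_ip in d for s, d in entries)


def classify_outbound(text, src, dst):
    """Simplified model (assumption): a packet leaving the outside interface that
    hits a crypto map's match-address ACL is site-to-site (L2L) traffic and needs
    an SA with the L2L peer; anything else can ride the remote-access client's SA."""
    acls, crypto_match = parse_config(text)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for acl_name in crypto_match.values():
        if acl_permits(acls.get(acl_name, []), src_ip, dst_ip):
            return "L2L"
    return "RA"


def audit(text, ra_pool=RA_POOL, inside_net=INSIDE_NET):
    """Flag the two overlap problems discussed in the thread."""
    findings = []
    if ra_pool.overlaps(inside_net):
        findings.append("RA pool overlaps the inside network; use a distinct pool")
    acls, crypto_match = parse_config(text)
    for cmap, acl_name in crypto_match.items():
        for src_net, dst_net in acls.get(acl_name, []):
            if src_net.overlaps(inside_net) and dst_net.overlaps(ra_pool):
                findings.append(
                    f"crypto map {cmap} ACL {acl_name} also matches inside->RA-pool "
                    "traffic; use a separate crypto ACL"
                )
    return findings


if __name__ == "__main__":
    # The flow from the 713042 log line: Src 192.168.8.200, Dst 10.10.10.1
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, classify_outbound(cfg, "192.168.8.200", "10.10.10.1"), audit(cfg))
```

With the broken configuration the reply to the client is classified as L2L and the audit reports the shared ACL; with the dedicated "crypto_one" ACL the same packet is classified as remote-access traffic and the audit is clean. Passing a pool such as 192.168.8.0/24 to audit() reproduces the first problem Anisha pointed out.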

31 Replies

andamani
Cisco Employee

Hi Janardhan,

1. Please change your pool IP. Make it different from the local network of the firewall, say 10.10.10.0/24, in order to avoid routing issues.

2. Please include the traffic from the local network to the pool IP in the nonat access-list. This is done to exempt the traffic from NAT.

     i.e. access-list nonat permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

3. Include a route on the Layer 3 device for the pool IP in your internal network, i.e. traffic for the pool IP should be directed to the ASA inside interface on the L3 devices in the internal network.

Let me know how it goes.

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is answered.

Hi Anisha,

Thanks for your reply.

My network is very simple. My layer 2 devices are directly connected to the firewall. No L3 devices are used in my network.

So I thought no route is needed.

And as you said, I changed the local pool to 10.10.10.0/24.

Below are the statements I added to the ASA 5505:

ip local pool RPOOL 10.10.10.1-10.10.10.10 mask 255.255.255.0

access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

For your reference I am attaching the config and the output of show crypto ipsec sa.

Regards,

Janardhan

On Thu, Feb 3, 2011 at 4:50 AM, andamani <

Hi Janardhan,

Please do the following:

no access-list RAVPN_splitTunnelAcl standard permit 10.10.10.0  255.255.255.0

access-list RAVPN_splitTunnelAcl standard permit 192.168.8.0   255.255.255.0

management-access inside

clear cry isa sa

clear cry ipsec sa

Try and ping the inside network. And let us know the updates.

Regards,

Anisha

P.S.: please mark this thread as resolved if you feel your query is resolved.

Hi Anisha,

Appreciated your quick response.

I did what you said, but I am still having the same problem.

I studied some documents for the same problem; they gave the solution below.

Created two separate ACLs for Remote Access VPN (Ravpn) and Site to Site VPN (nonat) as shown below, and applied the Ravpn ACL to nat (inside) 0.

So I did the same thing.

Then the Remote Access VPN was working fine, but the site-to-site was down.

Please go through the configuration below.

access-list Ravpn extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0

nat (inside) 0 access-list Ravpn

Regards,

Janardhan

On Thu, Feb 3, 2011 at 9:09 PM, andamani <

Hi J,

It should be :-

From :-

access-list Ravpn extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0

nat (inside) 0 access-list Ravpn

to :-

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list nonat extended permit ip 192.168.8.0 255.255.255.0 192.168.0.0 255.255.252.0

nat (inside) 0 access-list nonat

Manish

Hi Manish,

Thanks for your reply....

I did the same thing........

But it shows the same problem....

While viewing the log file it shows... "IKE initiator Unable to find the Policy"

Regards,

Janardhan

On Thu, Feb 3, 2011 at 11:36 AM, manisharora111 <

Hi Janardhan,

Please enable the following debugs and post the outputs here.

1. debug cry isa 127

2. debug cry ips 127

Initiate the traffic

Paste the outputs of the debugs and also give the output of

1. sh cry isa sa

2. sh cry ips sa

Regards,

Anisha

Hi Anisha,

Here is the error I am getting while pinging from the client.

3 Feb 03 2011 22:08:03 713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.8.200, Dst: 10.10.10.1

Currently my ASA is live for the site-to-site VPN.

Is it good doing debug while it is LIVE????

If it is OK I will do the debug..

Regards,

Janardhan

On Thu, Feb 3, 2011 at 9:34 PM, andamani <

Hi Anisha,

Here I am attaching the debug outputs and show command outputs after connecting from the remote client.

Regards,

Janardhan

On Thu, Feb 3, 2011 at 9:34 PM, andamani <

Hi Manish,

This is the error I am getting in the log file...

3 Feb 03 2011 22:08:03 713042 IKE Initiator unable to find policy: Intf outside, Src: 192.168.8.200, Dst: 10.10.10.1

Regards,

Janardhan

On Thu, Feb 3, 2011 at 11:36 AM, manisharora111 <

Hi Janardhan,

You can enable debug only for a peer. I guess that will be OK.

Please connect the IPsec RA VPN.

Do a sh cry isa sa on the ASA and paste it here.

I will let you know which debugs you should enable.

Regards,

Anisha

Hi Anisha,

Here I am attaching the outputs of

debug cry ipsec sa

debug cry isakmp sa

sh cry ipsec sa

sh cry isakmp sa

Regards,

Janardhan

On Thu, Feb 3, 2011 at 9:46 PM, andamani <

HI Anisha,

Is there any update???

Regards,

Janardhan

Hi Janardhan,

The debugs are showing that the packets are reaching the ASA but the reply is not going back to the Client.

Are you sure there is no layer three device present on the inside of the ASA?

Please run the packet tracer and paste the output of the same:

packet-tracer in inside icmp 192.168.8.1 8 0 10.10.10.1 det

Also capture the packets on the inside interface.

Here are the commands you need for capturing the packets:

access-list capi permit ip 192.168.8.0 255.255.255.0 10.10.10.0 255.255.255.0

access-list capi permit ip 10.10.10.0 255.255.255.0 192.168.8.0 255.255.255.0

capture capin interface inside access-list capi buffer 33554430

Connect the VPN and try to ping 192.168.8.0 from the client. Paste the output of the following command:

sh cap capin

Regards,
Anisha
