02-28-2016 12:44 PM - edited 03-12-2019 12:24 AM
Hi Everyone,
An IPsec tunnel is established between Cisco and Palo Alto.
From Palo Alto I can ping the remote IP of the Cisco ASA, but from the Cisco ASA I cannot ping the remote IP of Palo Alto.
Logs from ASA
Feb 28 2016 13:40:22: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:24: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:27: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:29: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:32: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:34: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
pri/act/ASA1# show crypto ipsec sa
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 68.145.154.173
access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 184.71.241.62
#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 144, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 68.145.154.173/0, remote crypto endpt.: 184.71.241.62/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A92FD619
current inbound spi : F5573103
inbound esp sas:
spi: 0xF5573103 (4116132099)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1323008, crypto-map: CRYPTO-MAP
sa timing: remaining key lifetime (kB/sec): (3915000/85660)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xA92FD619 (2838484505)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1323008, crypto-map: CRYPTO-MAP
sa timing: remaining key lifetime (kB/sec): (3914991/85660)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Logs from Palo Alto, where ping to the remote Cisco IP is working:
64 bytes from 10.0.0.4: icmp_seq=131 ttl=255 time=21.7 ms
64 bytes from 10.0.0.4: icmp_seq=132 ttl=255 time=18.7 ms
64 bytes from 10.0.0.4: icmp_seq=133 ttl=255 time=17.9 ms
64 bytes from 10.0.0.4: icmp_seq=134 ttl=255 time=21.0 ms
^C
--- 10.0.0.4 ping statistics ---
134 packets transmitted, 134 received, 0% packet loss, time 134401ms
rtt min/avg/max/mdev = 17.354/20.349/33.935/2.623 ms
admin@Palo_alto_test
02-28-2016 01:10 PM
As the outside IP address of the ASA is not in the encryption domain you wont be able to do this. You'll need to test this with a machine behind the ASA.
02-28-2016 01:13 PM
I am testing on a machine behind the ASA.
02-28-2016 01:19 PM
These are your stats:
#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
It says you are sending and encrypting packets, but not receiving anything back.
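The counter check in this reply can be automated. The following script is an added example, not code from the thread or from Cisco: it parses a constructed, trimmed copy of the "show crypto ipsec sa" output above, classifies the tunnel as one-way or bidirectional from the encaps/decaps counters, and returns the next troubleshooting step the thread arrived at (peer-side routing and zone policy). The regexes and the NEXT_STEP wording are assumptions of this example.

```python
import re

# Constructed sample, trimmed from the ASA "show crypto ipsec sa" output posted above.
SAMPLE_IPSEC_SA = """\
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 68.145.154.173
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 184.71.241.62
#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")

def parse_sa(text):
    """Extract proxy identities and packet counters from one SA block (assumed layout)."""
    sa = {name: int(val) for name, val in COUNTER_RE.findall(text)}
    sa.update({f"{d}_errors": int(v) for d, v in ERROR_RE.findall(text)})
    for side, addr, mask in IDENT_RE.findall(text):
        sa[f"{side}_ident"] = f"{addr}/{mask}"
    return sa

def diagnose(sa):
    """Classify traffic flow through the SA from its encaps/decaps counters."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec:
        return "bidirectional"
    if enc and not dec:
        return "one-way-outbound"  # we encrypt and send; nothing comes back (this thread's case)
    if dec and not enc:
        return "one-way-inbound"   # peer sends; our traffic never enters the tunnel
    return "idle"

# Suggested next step per verdict; the outbound case is the conclusion reached in this thread.
NEXT_STEP = {
    "one-way-outbound": "Peer receives but does not return traffic: check the peer's route for "
                        "{local} and its security policy from the VPN zone to the inside zone.",
    "one-way-inbound": "Check the local crypto ACL and routing so traffic for {remote} enters the tunnel.",
    "bidirectional": "Tunnel passes traffic both ways; look beyond the tunnel (host firewall, ACLs).",
    "idle": "No traffic has matched the SA yet; verify interesting traffic is being generated.",
}

def report(text):
    sa = parse_sa(text)
    verdict = diagnose(sa)
    return verdict, NEXT_STEP[verdict].format(local=sa.get("local_ident"), remote=sa.get("remote_ident"))
```

Call report(SAMPLE_IPSEC_SA) to get the verdict and the suggested next step for the pasted output.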
02-28-2016 01:31 PM
I am checking the other side now.
02-28-2016 04:17 PM
Hi Phil,
Do I need to specify on the ASA a static route for the remote subnet across the tunnel?
Regards
Mahesh
02-28-2016 04:20 PM
No. You just need an existing route (such as the default route) pointing to the outside interface.
02-28-2016 04:37 PM
I have that default route.
Seems traffic is coming to Palo Alto but not going back to ASA.
Regards
Mahesh
02-28-2016 10:13 PM
As I mentioned in your other question, the issue is on the Palo Alto side as the configuration on the ASA looks fine. Have you checked the routes on the Palo Alto? I think the VPN is terminating on one of the Palo Alto interfaces while traffic to the 10.0.0.0/24 is being sent out a different interface and therefore not being encrypted.
Have a look at the following article and check against your configuration
--
Please remember to select a correct answer and rate helpful posts
03-01-2016 05:55 PM
Issue was Palo Alto did not have a rule to allow VPN traffic to the inside zone.
All is good now
Regards
Mahesh