Re: VPN between ASA and router - Page 2

georges.merhej · ‎09-11-2008

Hello,

I had a working vpn configuration between a local and a remote router; the remote router is not under my administration.

Now I moved the vpn termination from my side to an ASA5540 software version 8.0(3). The tunnel is up but there is no reachability. The "show crypto ipsec sa" on the ASA shows encapsulated packets but NO decapsulated packets! Routing and no_nat are properly configured.

Any idea?

Many thanks.

francisco_1 · ‎09-11-2008

mmm yeah. i checked on my lab ASA 5520 on a working tunnel and i have it enable on the inside/outside as well.

georges.merhej · ‎09-11-2008

I have tunnels configured and the same interface and working perfectly

francisco_1 · ‎09-11-2008

you mean you have other tunnels active on the ASA?

joe19366 · ‎09-11-2008

right, so the router is gone, but

what device is in front of the ASA?

What interface is the 213. address on? outside?

georges.merhej · ‎09-11-2008

yeah other tunnels are active! the 213 is the outside ip of the asa; the conncetion is like this now:

asa (public 213.184.187.98) -> sw (layer2)-> router (private IP with no security controls)->ISP

francisco_1 · ‎09-11-2008

joe's got a point here. according to the logs

DPD (Dead Peer Discovery).

IPSec has a mechanism for a peer to send a notification to its peer when it is deleting a SA. This notification is sent via IKE. However, there can be situations in which this notification never gets sent. A usual reason for this is that the peer goes dead too abruptly e.g. system crash, unplugging the Ethernet cable, etc. Due to such events, one peer could keep sending data to the dead peer and it results in data loss. For this, a Dead Peer Discovery (DPD) mechanism is used. Make sure nothing is blocking the ipsec traffic between your ASA/Router

georges.merhej · ‎09-11-2008

There's only a layer 2 switch between the router and the ASA and no security controls are configured on the router:(

joe19366 · ‎09-11-2008

please re-enable nat-t, clear the tunnel and bring it back up by pinging to the crypto acl destination from the source.

please past your entire asa config (sanatized of course!)

Worse case, we can do a webex to get it solved.

-Joe

georges.merhej · ‎09-11-2008

re-enabled nat-t, and the partial interesting part of the config is attached, many thanks for your support!

joe19366 · ‎09-11-2008

my next educated guess;

turn off nat-t on the ASA the other side may not support it, not have it configured or UDP 4500 may filtered somewhere in the path

no crypto isakmp nat-traversal

now clear ipsec sa on the sa, and continue testing... send interesting traffic to bring the tunnel back up

francisco_1 · ‎09-11-2008

Georges/Joseph, Is this sorted?

Please let me know

Francisco

georges.merhej · ‎09-12-2008

Guys,

It's resolved by editing the crypto/no_nat access-lists to match only host by host! It's really weird that it was not working with subnet to subnet access-list.

francisco_1 · ‎09-12-2008

interesting!

jimmyc_2 · ‎05-29-2013

Thanks for posting the solution. Any future info on this? jimmyc