03-22-2012 02:55 PM - edited 03-11-2019 03:46 PM
Hello,
Below is the packet tracer output for a ping:
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static ABC-subnet ABC-subnet no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.100.1/0 to 192.168.100.1/0
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
I don't understand why the result is a drop due to an ACL. I have kept it open from HO to Branch on specific subnets, and this packet tracer is from the subnet which is permitted everything to the remote branch.
Thanks
03-23-2012 12:37 AM
Hi,
I guess the routers are acting as remote VPN Clients in this setup?
To my understanding only the routers can initiate the VPN connection, but as you said you are facing other problems too.
I've personally configured some EzVPN clients on 800 and 1800-series routers and some 5505 ASAs as hardware VPN clients. But I haven't had problems with the traffic after the initial setup.
What does the "show crypto ipsec sa" command show on the ASA when the VPN connection is up?
Does the VPN configuration have any kind of "split-tunneling" configured that might cause the problems with the connections?
It would be helpful in these kinds of cases if you could attach configurations from each end. For me at least this is just guessing at the moment.
- Jouni
03-23-2012 01:07 AM
Hello,
Tx
03-23-2012 01:23 AM
Hi Jouniforss
I am facing the same problem.
When I execute show crypto isakmp sa,
Phase 1 is up.
But when I execute show crypto ipsec sa,
it does not show anything.
The far end is an 1800 router and ours is a firewall.
As checked, the access-list and transform-set on both sides are matching.
03-23-2012 02:16 AM
Hi,
Jack,
From what I understand you can only establish the VPN connection from the ASA's side when it's an L2L VPN. With EzVPN and hardware VPN clients, the client device is usually configured to automatically connect to the central VPN device when it has an internet connection. Though there is an option to manually give the username/password during connecting on the CLI (at least with routers).
About the VPN phase:
I've only configured L2L VPN recently, and in those cases the error message has usually been related to the fact that the VPN connection isn't establishing for the connection you are testing. Usually that means the VPN settings don't match. Then again you are using the routers as VPN clients, so I'd guess the error is related to the fact that the ASA can't initiate the connection to the client. The client has to initiate the VPN connection first to give access to the remote networks.
Sorry, this is mostly me guessing. I don't really have a solid understanding of these types of VPN.
03-29-2012 03:16 PM
Dears,
When my branch router's interesting traffic initiates a connection to HO, then only the interesting-traffic subnets from HO are able to initiate a connection.
For example:
Interesting traffic in HO: 192.168.1.0 & 192.168.2.0
Interesting traffic in Branch: 172.16.10.0, 172.16.11.0
Suppose a PC in 172.16.10.0 initiates a connection to 192.168.1.0; then only other PCs in 192.168.1.0 can initiate a connection to the branch in 172.16.10.0.
If a PC in 192.168.1.0 wants to initiate a connection to another branch subnet, say 172.16.11.0, the PC gets a request timeout. BUT if any PC in 172.16.11.0 initiates a connection to 192.168.1.0, then PCs from subnet 192.168.1.0 are also able to reach 172.16.11.0.
Is this normal behaviour for an IPsec VPN with one side static and the other side dynamic?
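The asymmetry described in this post can be modelled as a per-subnet-pair SA table on an IKEv1 tunnel whose HO side uses a dynamic crypto map (responder only). The following is an added illustration, not code from any post in this thread or from Cisco; `IkeV1Tunnel`, `subnet_of` and the assumption that the VPN/encrypt drop in the packet tracer corresponds to "no SA for this pair and this side cannot initiate" are this example's own.

```python
# Constructed model (not ASA code): why a dynamic-peer IKEv1 tunnel only
# carries a given subnet pair after the branch side has brought it up.
from itertools import product

# Interesting traffic as given in the thread (HO side and branch side).
HO_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]
BRANCH_SUBNETS = ["172.16.10.0/24", "172.16.11.0/24"]


def subnet_of(ip):
    """Map a host address to its /24; enough for this model."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class IkeV1Tunnel:
    """IKEv1 negotiates one IPsec SA pair per crypto-ACL line, i.e. per
    (HO subnet, branch subnet) proxy-ID pair.  The HO ASA uses a dynamic
    crypto map, so it does not know the branch address and can only
    respond; it cannot start a negotiation for a pair that is not yet up."""

    def __init__(self):
        # One crypto-ACL line for every HO/branch subnet combination.
        self.crypto_acl = set(product(HO_SUBNETS, BRANCH_SUBNETS))
        self.sas = set()  # established (ho_subnet, branch_subnet) pairs

    def send(self, side, src, dst):
        """Decide what happens to a packet sent from `side` ('ho'/'branch')."""
        if side == "branch":
            pair = (subnet_of(dst), subnet_of(src))
        else:
            pair = (subnet_of(src), subnet_of(dst))
        if pair not in self.crypto_acl:
            return "not interesting traffic"
        if pair in self.sas:
            return "encrypt"
        if side == "branch":
            # Branch has the static HO address, so it can initiate this pair.
            self.sas.add(pair)
            return "encrypt (new SA)"
        # HO side, no SA for this pair and a dynamic peer: nothing to encrypt
        # with and no way to initiate.  Assumed here to be the VPN/encrypt
        # DROP seen in the packet tracer above.
        return "drop"
```

Running the sequence from the post (172.16.10.0 initiates, then HO tries 172.16.11.0) shows the second pair dropping until a host in 172.16.11.0 sends first.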
03-30-2012 01:28 PM
Hello,
Can anybody help me with the above query?
Thanks