Weird One Way VPN tunnel issue

IT Dept (Level 1)

Site A ASA5550 with vlan1, vlan2, and vlan3 <-- Headquarters

Site B ASA5510 with vlan1

Site C ASA5505 with vlan1

Site A is the HQ and we have Site-to-Site VPN set up for all sites with IPsec IKEv1.

Site A <--> Site B

Site A <--> Site C

The problem is on Site A HQ to Site B. For some reason the VPN tunnel only establishes in one direction, Site B to Site A, but not Site A to Site B. When I log out the Site-to-Site VPN for Site A <-> Site B, there is no way for Site A to ping or connect to any server on Site B unless Site B pings or establishes a connection to Site A first; then Site A can ping or connect to Site B afterwards. The workaround right now is that I need to ask someone from Site B to ping Site A vlan1, vlan2, and vlan3 so that I can connect from Site A to Site B. All ASAs are on the latest 8.4(3) version.

Site A <-> Site C works perfectly fine without any problem!! When I log out the Site-to-Site VPN for Site A <-> Site C, the VPN tunnel establishes right away from either Site A to Site C or Site C to Site A.

Any suggestion on what I should look for before posting any configurations?

Thank you in advance. =)

28 Replies

rizwanr74 (Level 7)

First, please check whether you have a static route pushing Site B traffic toward the default gateway on the Site A ASA5550.

If that does not help, please post your ASA5550 config on the forum for ease of troubleshooting.

Thanks

Rizwan Rafeek

Thanks for your quick reply rizwanr74! Yes, we do have static routes set up on the Site A ASA5550, and both the Site B and Site C outside interfaces are there with the Site A gateway IP on them.

Julio Carvajal (VIP Alumni)

Hello,

Can you check the crypto ACL configuration on both sides and paste it in here so we can take a look at it?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your reply Julio. What command should I type in to show just the crypto ACL configuration? I'm doing my best to show just the information you are looking for instead of the whole configuration file.

Hello,

Under the crypto maps, you will see a match x.x.x.x (where the x.x.x.x is the ACL that we are looking for).

We need both sites' ACLs (Branch and Site C).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Is that what you are looking for? THANKS!!!

Site A HQ ASA

crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer (Site B ISP IP)
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set reverse-route
crypto map outside_map 5 match address outside_cryptomap_3
crypto map outside_map 5 set peer (Site C ISP IP)
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

Site B Branch ASA

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer (Site A ISP IP)
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer (Site C ISP IP)
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set reverse-route

Site C Branch ASA

crypto map outside_map0 1 match address outside_cryptomap
crypto map outside_map0 1 set peer (Site A ISP IP)
crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 1 set reverse-route
crypto map outside_map0 2 match address outside_cryptomap_1
crypto map outside_map0 2 set peer (Site B ISP IP)
crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 2 set reverse-route

Hello,

Now on the ASA on Site A, please get the following:

show run access-list outside_cryptomap_2

Now on the ASA on Site B, please get the following:

show run access-list outside_1_cryptomap

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Site A HQ ASA

show run access-list outside_cryptomap_2
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12

Site B Branch ASA

show run access-list outside_1_cryptomap
access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group SiteA-Network

Thank You!!

Hello IT,

On the Site A HQ ASA:

Can you look for the configuration of this object group DM_INLINE_NETWORK_12? Is this the network on the other site (Site B)?

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

DM_INLINE_NETWORK_12 only exists on the Site A HQ ASA, under outside_cryptomap_2:

Source: Site A vlan1, Site A vlan2, Site A vlan3
Destination: Site B Network
Service: IP

I don't see any DM_INLINE_NETWORK_12 on the Site B ASA. I believe DM_INLINE_NETWORK_12 was created automatically by the ASDM wizard (someone else created it long ago).

Thanks!
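One way to do the side-by-side comparison Julio is asking for, as an added example that is not from the thread or from Cisco: it expands the two posted crypto ACL lines into (source, destination) network pairs and checks whether each pair on one ASA has an exact mirror on the other. The object-group contents (the 10.1.x.0/24 and 10.2.0.0/16 subnets) are constructed placeholders, since the thread only names the groups; whether the real groups mirror each other is exactly what the comparison would tell you.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]

# Constructed sample object groups (placeholders, not from the thread). They are
# chosen so that Site B's "SiteA-Network" is one summary that is broader than
# Site A's three per-VLAN entries, which is the kind of asymmetry worth catching.
SITE_A_OBJECTS: Dict[str, List[str]] = {
    "DM_INLINE_NETWORK_11": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],  # vlan1, vlan2, vlan3
    "DM_INLINE_NETWORK_12": ["10.2.0.0/16"],                                # Site B network
}
SITE_B_OBJECTS: Dict[str, List[str]] = {
    "DM_INLINE_NETWORK_3": ["10.2.0.0/16"],   # Site B local network
    "SiteA-Network": ["10.1.0.0/16"],         # one summary covering all Site A VLANs
}

# The two crypto ACL lines exactly as posted earlier in the thread.
SITE_A_ACL = "access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12"
SITE_B_ACL = "access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group SiteA-Network"


def _parse_endpoint(tokens: List[str], i: int, objects: Dict[str, List[str]]) -> Tuple[List[Net], int]:
    """Read one ACL address spec starting at tokens[i]; return (networks, next index)."""
    t = tokens[i]
    if t == "object-group":
        return [ipaddress.ip_network(n) for n in objects[tokens[i + 1]]], i + 2
    if t == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if t in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    # "a.b.c.d m.m.m.m": dotted address followed by dotted mask
    return [ipaddress.ip_network(f"{t}/{tokens[i + 1]}")], i + 2


def expand_acl(acl_line: str, objects: Dict[str, List[str]]) -> Set[Pair]:
    """Expand one 'access-list ... extended permit ip SRC DST' line into (src, dst) network pairs."""
    tokens = acl_line.split()
    i = tokens.index("ip") + 1          # everything after "permit ip" is SRC then DST
    srcs, i = _parse_endpoint(tokens, i, objects)
    dsts, _ = _parse_endpoint(tokens, i, objects)
    return {(s, d) for s in srcs for d in dsts}


def mirror_report(local: Set[Pair], remote: Set[Pair]) -> Dict[str, List[Pair]]:
    """Compare a local crypto ACL against the peer's ACL read in reverse (dst, src).

    exact:                the peer has the identical mirrored entry
    narrower_than_remote: the peer's mirrored entry is a superset (proxy IDs differ)
    missing_on_remote:    nothing on the peer covers this entry at all
    """
    remote_mirrored = {(d, s) for (s, d) in remote}
    report: Dict[str, List[Pair]] = {"exact": [], "narrower_than_remote": [], "missing_on_remote": []}
    for pair in sorted(local, key=str):
        src, dst = pair
        if pair in remote_mirrored:
            report["exact"].append(pair)
        elif any(src.subnet_of(rs) and dst.subnet_of(rd) for rs, rd in remote_mirrored):
            report["narrower_than_remote"].append(pair)
        else:
            report["missing_on_remote"].append(pair)
    return report


def site_a_pairs() -> Set[Pair]:
    return expand_acl(SITE_A_ACL, SITE_A_OBJECTS)


def site_b_pairs() -> Set[Pair]:
    return expand_acl(SITE_B_ACL, SITE_B_OBJECTS)


if __name__ == "__main__":
    a, b = site_a_pairs(), site_b_pairs()
    for name, rep in (("Site A vs Site B", mirror_report(a, b)), ("Site B vs Site A", mirror_report(b, a))):
        print(name)
        for category, pairs in rep.items():
            for s, d in pairs:
                print(f"  {category:22} {s} -> {d}")
```

In IKEv1 the Quick Mode proxy identities are taken from these crypto ACL entries, so an entry that is narrower than, or absent from, the peer's mirrored ACL is the first thing to rule out when a tunnel behaves differently depending on which side initiates. With the constructed groups above, every Site A entry is reported as narrower than Site B's single summary entry, and Site B's entry has no exact counterpart on Site A.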

Hello,

On Site A, please do the following:

packet-tracer input inside tcp x.x.x.x (host IP on VLAN A, Site A) 1025 x.x.x.x (host on the other side of the tunnel, Site B) 80

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Site A HQ ASA:

packet-tracer input inside tcp x.x.x.x (VLAN1 IP on Site A) 1025 x.x.x.x (Host IP on Site B) 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   SiteB-network 255.255.0.0     outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FILTER
Subtype: filter-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8   destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10
Additional Information:
Static translate x.x.x.x (VLAN1 IP Address)/1025 to x.x.x.x (VLAN1 IP Address)/1025

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 644050669, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
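Reading output like the one above by hand gets error-prone once it runs to a dozen phases. The following is an added example, not from the thread or from Cisco, that parses packet-tracer output into phases and reduces it to the items worth checking for a VPN flow: the final Action, the first phase with Result: DROP (with the Drop-reason from the summary block), the NAT rule that matched, and whether a VPN encrypt phase was reached. The two embedded traces are constructed in the same layout as the ASA output, with placeholder object names and addresses; the second includes a DROP so the failure path is exercised too.

```python
from typing import Dict, List, Optional

# Constructed sample traces (placeholders, not taken from the thread).
TRACE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static OBJ_LOCAL OBJ_LOCAL destination static OBJ_REMOTE OBJ_REMOTE
Additional Information:
Static translate 10.1.1.10/1025 to 10.1.1.10/1025

Phase: 3
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

TRACE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.2.0.0        255.255.0.0     outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended deny ip any any
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_FIELDS = ("Type", "Subtype", "Result")


def parse_packet_tracer(text: str) -> Dict:
    """Split packet-tracer output into a list of phase dicts plus the trailing summary."""
    phases: List[Dict] = []
    summary: Dict[str, str] = {}
    current: Optional[Dict] = None
    bucket: Optional[str] = None   # which multi-line section of the phase we are in
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:               # "key: value" lines after the bare "Result:" header
            key, _, value = line.partition(":")
            summary[key.strip().lower()] = value.strip()
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            bucket = None
            continue
        if line == "Result:":        # bare header: the per-packet summary block starts here
            in_summary = True
            continue
        if current is None:
            continue
        for field in PHASE_FIELDS:
            if line.startswith(field + ":"):
                current[field.lower()] = line.split(":", 1)[1].strip()
                bucket = None
                break
        else:
            if line == "Config:":
                bucket = "config"
            elif line == "Additional Information:":
                bucket = "info"
            elif bucket is not None:
                current[bucket].append(line)
    return {"phases": phases, "summary": summary}


def summarize(text: str) -> Dict:
    """Reduce a trace to the facts a reviewer wants first: verdict, first DROP, NAT rule hit, VPN encrypt seen."""
    trace = parse_packet_tracer(text)
    phases = trace["phases"]
    drop = next((p for p in phases if p["result"].upper() == "DROP"), None)
    return {
        "action": trace["summary"].get("action"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_reason": trace["summary"].get("drop-reason"),
        "nat_rules": [" ".join(p["config"]) for p in phases if p["type"] == "NAT"],
        "vpn_encrypt": any(p["type"] == "VPN" and p["subtype"] == "encrypt" for p in phases),
    }


if __name__ == "__main__":
    for label, trace in (("allow", TRACE_ALLOW), ("drop", TRACE_DROP)):
        print(label, summarize(trace))
```

Pasting real output into `summarize` in place of the constructed traces gives the same dictionary; a non-empty drop_phase tells you which module refused the packet before you start reading the individual phases, and the nat_rules list shows exactly which NAT statement the flow matched.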

Hello,

On the packet tracer we can see it is hitting a static rule, something that should not happen!

Can we see the show run static, show run nat, sh run global, and the ACLs for the nat 0 (you will see a nat statement with an ID of 0 holding an ACL; I would like to see that ACL: show run acl xxxx (name))?

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio,

I tried show run-config static and show run-config global but neither works... not sure why... I did not see any NAT 0 in my config file; what exact command do I need to type in to find out? Please see below for everything I found related to NAT and ACL.

Thanks again for all of your help!

----------------------------------------------------------------

Site A ASA show run nat

nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8   destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10
!
object network inside-network
 nat (inside,outside) dynamic outside-defaultnat
!

----------------------------------------------------------------

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3
access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_10
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
