ASA5525-X Problem with new ipsec tunnels after update to 9.8(4)22

Lucio87 (Level 1)

Hi,

I've been having major problems creating new tunnels since I upgraded my ASA5525-X from version 9.4(4)34 to version 9.8(4)22; all the tunnels I created before the upgrade continue to work fine.

I give you an example of a tunnel that doesn't work (it's towards the Oracle cloud and I have 2 others that work and are identical but created before the update):

crypto ikev2 enable outside
crypto ikev2 policy 10
  encryption aes-256
  integrity sha384
  group 5
  prf sha
  lifetime seconds 28800

group-policy oracle internal
group-policy oracle attributes
  vpn-idle-timeout none
  vpn-session-timeout none
  vpn-tunnel-protocol ikev2

crypto ipsec ikev2 ipsec-proposal oracle_v2_ipsec_proposal
  protocol esp encryption aes-256
  protocol esp integrity sha-1

object network obj-192.168.51.0
  subnet 192.168.51.0 255.255.255.0

access-list CRY-ACL-NET51 extended permit ip object obj-172.30.248.0 object obj-192.168.51.0

crypto map outside_map 13 match address CRY-ACL-NET51
crypto map outside_map 13 set pfs group5
crypto map outside_map 13 set peer xxx.xxx.xxx.xxx
crypto map outside_map 13 set ikev2 ipsec-proposal oracle_v2_ipsec_proposal
crypto map outside_map 13 set security-association lifetime seconds 3600

tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx general-attributes
  default-group-policy oracle
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
  ikev2 local-authentication pre-shared-key yyyyyyyyyyyyyyyyyyyyyy
  ikev2 remote-authentication pre-shared-key zzzzzzzzzzzzzzzzzzzzzz

access-list acl_in extended permit ip object obj-172.30.248.0 object obj-192.168.51.0

nat (inside,outside) source static obj-172.30.248.0 obj-172.30.248.0 destination static obj-192.168.51.0 obj-192.168.51.0 no-proxy-arp route-lookup

The tunnel goes up correctly:

1342443445 fff.fff.fff.fff/500 xxx.xxx.xxx.xxx/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1449 sec
Child sa: local selector 172.30.255.163/0 - 172.30.255.163/65535 (there is something strange here, because it is a single IP instead of 172.30.248.0/0 - 172.30.255.255/65535)
remote selector 192.168.51.160/0 - 192.168.51.160/65535

If I force the tunnel to log out and then ping a client on 192.168.51.0/24, the tunnel comes back UP and I get a reply to the ping; if I try to ping 2 different clients on the same network, neither of the 2 pings works. If I try to ping from two different clients to 192.168.51.0/24, then none of them reaches the clients on that network anymore. Every time I want to run a test I have to force the tunnel logout.

Can you help me?

Kind regards,

Luciano

Update 1

I have also noticed that when I try to ping a client on the network 192.168.51.0/24 the outbound traffic counter increases, while the inbound traffic counter stays at zero.
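The symptom in the post is visible in the "show crypto ikev2 sa" output: the child SA selectors were negotiated as single hosts (172.30.255.163 and 192.168.51.160) rather than the full subnets the crypto ACL describes, which fits the behaviour of one host getting through and a second one not. The script below is an added example, not part of the original post or of any Cisco tooling: it parses the child SA selector lines and reports when the negotiated range is narrower than the configured network. The sample output is constructed from the excerpt in the post with the masked peer addresses replaced by documentation-range placeholders, and the local network 172.30.248.0/21 is taken from the range the poster expected (172.30.248.0 - 172.30.255.255); the object obj-172.30.248.0 itself is not defined on the page.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show crypto ikev2 sa" excerpt in the post.
# Peer addresses are placeholders; the selector lines are the ones the post shows.
SAMPLE_SA_OUTPUT = """\
1342443445 198.51.100.10/500 203.0.113.20/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1449 sec
Child sa: local selector 172.30.255.163/0 - 172.30.255.163/65535
remote selector 192.168.51.160/0 - 192.168.51.160/65535
"""

# Matches "local selector A/port - B/port" and "remote selector A/port - B/port".
SELECTOR_RE = re.compile(
    r"(?P<side>local|remote) selector\s+"
    r"(?P<lo>\d+\.\d+\.\d+\.\d+)/(?P<plo>\d+)\s*-\s*"
    r"(?P<hi>\d+\.\d+\.\d+\.\d+)/(?P<phi>\d+)"
)


def parse_child_selectors(text):
    """Return {'local': (lo, hi), 'remote': (lo, hi)} as IPv4Address pairs."""
    found = {}
    for m in SELECTOR_RE.finditer(text):
        found[m.group("side")] = (
            ipaddress.IPv4Address(m.group("lo")),
            ipaddress.IPv4Address(m.group("hi")),
        )
    return found


def selector_covers(selector, network):
    """True if the negotiated address range covers the whole configured network."""
    lo, hi = selector
    net = ipaddress.IPv4Network(network)
    return lo <= net.network_address and hi >= net.broadcast_address


def check_narrowing(sa_output, local_net, remote_net):
    """Compare negotiated child SA selectors against the crypto ACL networks.

    Returns a list of human-readable findings; an empty list means the child SA
    carries the full configured networks on both sides.
    """
    selectors = parse_child_selectors(sa_output)
    findings = []
    for side, net in (("local", local_net), ("remote", remote_net)):
        if side not in selectors:
            findings.append(f"{side}: no child SA selector found in output")
        elif not selector_covers(selectors[side], net):
            lo, hi = selectors[side]
            findings.append(
                f"{side}: negotiated selector {lo} - {hi} is narrower than configured {net}"
            )
    return findings


if __name__ == "__main__":
    # Local /21 is the range the poster expected; remote /24 is obj-192.168.51.0.
    for line in check_narrowing(SAMPLE_SA_OUTPUT, "172.30.248.0/21", "192.168.51.0/24"):
        print(line)
```

Run against the sample it reports both sides as narrowed to a single host; run against a healthy SA (selectors 172.30.248.0 - 172.30.255.255 and 192.168.51.0 - 192.168.51.255) it returns nothing. Comparing the negotiated selectors with the crypto ACL this way is a quick check to run before collecting the IKEv2 debugs asked for in the replies, because it tells you whether the problem is in the traffic-selector negotiation rather than in authentication or the proposals.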

4 Replies

Hello,

how many policies do you have configured (with 20 being the maximum supported for ikev1 and ikev2)?

Also, post the output of:

debug crypto ikev2
debug crypto isakmp

Ciao Georg,

I have 15 group-policies.

Thanks for the help.

Kind regards,

Luciano

I think your ASA peer is used in multiple IPsec S2S tunnels?

crypto map outside_map interface outside

Run this command and see its effect; I think this is the issue here.
