ONE WAY VPN CONNECTION (Site A can reach B, site B cannot reach A)

Jesutofunmi O
Level 1

Hello Guys,

I have a VPN tunnel I just created. For some reason I really don't know, site A can reach site B, while site B cannot reach site A.

Site A:  172.16.120.0  255.255.248.0,  192.168.0.0   255.255.255.0

172.16.120.0/21, 192.168.0.0/24

Site B: 172.16.130.0 255.255.255.128 

172.16.130.0/25

Site A has an ASA FW (5515-X) while site B has a Cisco 2900 IOS router.

Please see config below:

 

CISCO IOS ROUTER

 

sh run
Building configuration...

Current configuration : 8920 bytes
!
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname BWL_ABUJA
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 TmzTYQ.wpCCBNk97tg91bzL/y51TyU.NQUT2fPPseYo
enable password 7 03347B181518715E4A
!
aaa new-model
!
!
aaa authentication login auth local
aaa authorization network auth local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!


!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.130.1 172.16.130.50
ip dhcp excluded-address 172.16.131.1 172.16.131.20
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool DATA_VOICE
network 172.16.130.0 255.255.255.128
dns-server 192.168.0.14 192.168.2.38 172.16.130.10 62.173.32.89
default-router 172.16.130.1
lease 7
!
ip dhcp pool Camera
network 172.16.131.0 255.255.255.128
default-router 172.16.131.1
lease 7
!
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
lifetime 28800
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 30
encr aes
authentication pre-share
group 2
crypto isakmp key ******** address x.x.x.x
crypto isakmp key ******** address x.x.x.x
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZVPN
key cisco
dns 172.16.130.10 192.168.0.14
pool EZVPN
acl EZVPN_BW_ACL
pfs
max-logins 5
netmask 255.255.255.128

AUTHORIZED USER ONLY ^C
crypto isakmp profile EZVPN
self-identity address
match identity group EZVPN
client authentication list authen
client configuration address respond
keepalive 10 retry 2
!
!
crypto ipsec transform-set 50 esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set LAGOSSET esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map EZVPN_MAP 10
set security-association lifetime seconds 28800
set pfs group14
set isakmp-profile EZVPN
reverse-route
!
!
crypto map ABJ2ILPJ 10 ipsec-isakmp
set peer x.x.x.x
set transform-set 50
set pfs group5
match address 101
crypto map ABJ2ILPJ 30 ipsec-isakmp
set peer x.x.x.x
set transform-set LAGOSSET
set pfs group5
match address Abuja-VI
!
!
crypto map vpn 6500 ipsec-isakmp dynamic EZVPN_MAP
!
!
!
!
!
interface Tunnel2
description CONNECTI
ip address 172.16.33.233 255.255.255.252
tunnel source x.x.x.x
tunnel destination x.x.x.x
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/0.10
description Connection to Data-Voice Network
encapsulation dot1Q 10
ip address 172.16.130.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.20
description Connection to Camera Network
encapsulation dot1Q 20
ip address 172.16.131.1 255.255.255.0
!
interface GigabitEthernet0/0.30
description Connection to Access-Control Network
encapsulation dot1Q 30
ip address 172.16.130.129 255.255.255.192
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.40
description Connection to Management Network
encapsulation dot1Q 40 native
ip address 172.16.130.193 255.255.255.192
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0.10
peer default ip address pool TEST-VPN
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap ms-chap-v2
!
interface Virtual-Template10
ip unnumbered GigabitEthernet0/0/0
peer default ip address pool VPN
no keepalive
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
interface Vlan1
ip address x.x.x.x 255.255.255.128
ip nat outside
ip virtual-reassembly in
crypto map ABJ2ILPJ
!
interface Vlan10
description DataVoice
no ip address
!
interface Vlan20
description Cameras
no ip address
!
interface Vlan30
description AccessControl
no ip address
!
interface Vlan40
description Management_Network
no ip address
!
!
router ospf 1
area 10 nssa
!
ip local pool EZVPN_pool 172.16.130.50 172.16.130.55
ip local pool VPN 10.10.10.10 10.10.10.20
ip local pool TEST-VPN 172.16.130.90 172.16.130.95
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 172.16.127.0 255.255.255.0 Tunnel2
ip route 172.16.128.0 255.255.255.0 Tunnel2
ip route 172.16.129.0 255.255.255.0 Tunnel2
!
ip access-list extended Abuja-VI
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
ip access-list extended EZVPN_BW_ACL
permit ip 172.16.130.0 0.0.1.155 any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark Abuja-LAN-Traffic
access-list 100 permit ip 172.16.130.0 0.0.0.255 172.16.120.0 0.0.7.255
access-list 101 permit ip 172.16.130.0 0.0.1.255 172.16.0.0 0.0.31.255
access-list 101 permit ip 172.16.130.0 0.0.1.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSEC Tunnel to Ilupeju
access-list 110 deny ip 172.16.130.0 0.0.1.255 172.16.0.0 0.0.31.255
access-list 110 deny ip 172.16.130.0 0.0.1.255 192.168.2.0 0.0.0.255
access-list 110 remark Internet Access and VI Access-list
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
access-list 110 permit ip 172.16.130.128 0.0.0.63 any
!
route-map nonat permit 10
match ip address 110
!
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 0
transport input telnet ssh
line vty 5 15
privilege level 0
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

ASA FW

 


ASA Version 9.2(2)4
!
hostname ASA-NGFW
enable password DeviMZQXvoEmq3qZ encrypted
passwd DeviMZQXvoEmq3qZ encrypted
names
!
interface GigabitEthernet0/0
description ###Internet Link###
nameif outside
security-level 100
ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
description ###Internal MEMBER-1 Link###
nameif INSIDE
security-level 100
ip address 192.168.10.254 255.255.255.0
!
interface GigabitEthernet0/2
description ###Internal MEMBER-2 Link###
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
no ip address
!
boot system disk0:/asa922-4-smp-k8.bin
ftp mode passive
dns domain-lookup outside
dns server-group defaultDNS
name-server 4.2.2.2
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network BWL-ILUPEJU1
subnet 172.16.0.0 255.255.192.0
object network BWL-ILUPEJU2
subnet 192.168.2.0 255.255.255.0
object network BWL-VI2
subnet 192.168.0.0 255.255.255.0
object network BWL-VI1
subnet 172.16.120.0 255.255.255.0
object network BWL-VI3
subnet 172.16.120.0 255.255.248.0
object network ABUJA
subnet 172.16.130.0 255.255.255.128
object-group network BWL-ILUPEJU
network-object object BWL-ILUPEJU1
network-object object BWL-ILUPEJU2
object-group network BWL-VI
network-object object BWL-VI2
network-object object BWL-VI3
access-list ILUPEJU_LAN_TRAFFIC extended permit ip 172.16.120.0 255.255.248.0 192.168.2.0 255.255.255.0
access-list ILUPEJU_LAN_TRAFFIC extended permit ip 172.16.120.0 255.255.248.0 172.16.0.0 255.255.192.0
access-list ILUPEJU_LAN_TRAFFIC extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ILUPEJU_LAN_TRAFFIC extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.192.0
access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
pager lines 24
logging asdm informational
mtu outside 1500
mtu INSIDE 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,outside) source static BWL-VI BWL-VI destination static BWL-ILUPEJU BWL-ILUPEJU description NONAT-VI-ILUPEJU-L2LVPN
nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN
!
object network BWL-VI2
nat (INSIDE,outside) dynamic interface
object network BWL-VI1
nat (INSIDE,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route INSIDE 172.16.120.0 255.255.248.0 192.168.10.1 1
route INSIDE 192.168.0.0 255.255.255.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ILUPEJUSET esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ABUJASET esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map outside-map 2 match address ILUPEJU_LAN_TRAFFIC
crypto map outside-map 2 set pfs group5
crypto map outside-map 2 set peer x.x.x.x
crypto map outside-map 2 set ikev1 transform-set ILUPEJUSET
crypto map outside-map 3 match address VI-Abuja
crypto map outside-map 3 set pfs group5
crypto map outside-map 3 set peer x.x.x.x
crypto map outside-map 3 set ikev1 transform-set ABUJASET
crypto map outside-map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 11
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 INSIDE
ssh 172.16.0.0 255.255.0.0 INSIDE
ssh 192.168.0.0 255.255.255.0 INSIDE
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username admin password gWe.oMSKmeGtelxS encrypted privilege 15
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0b4c4b772780b0191709ae59909a1c69
: end

Accepted Solution

Hello Rick,

 

First, I want to deeply appreciate your effort in trying to help out with this.

 

I figured it out someway. Two things;

 

1. I presume the subnets could reach each other long before now. If you remember, I mentioned that the remote location could reach me but I could not reach them, and I configured both locations. Strange and quite un-thoughtful of me, the IP I was given to send pings to is out of range. My colleague at the remote location asked me to ping 172.16.130.200 and the subnet on the ACL is 172.16.130.1/25. I took time out today after over 3 weeks to calculate the range and then figured out that the IP I was pinging was out of range. Quite shameful.

 

2. My "inside" and "outside" interfaces both had security-level 100. Two interfaces with the same security level may not be able to send traffic to each other. Remember the tunnel is LAN to LAN via a public peer. (Technically, this should not affect it. However, I changed the security level on the ASA outside interface from 0 to 100).

 

3. And lastly, I prayed about it when I became clueless. I'm Christian.

 

Many thanks to Rick and everyone who tried to help on this forum. I also hope to be helpful to other people too someday.

 

 

Cheers!

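Point 2 of the accepted solution concerns ASA interface security levels. The script below is an added example (it is not from this thread, from Cisco, or from either device): it collects the security-level of every named interface in an ASA config, lists the interfaces that share a level, and flags them only when the config lacks the line "same-security-traffic permit inter-interface", which is the statement an ASA needs before it will forward between two interfaces at the same level. The interface excerpt is copied from the ASA config in the original post; the parsing rules are my own and only cover the nameif and security-level lines.

```python
"""Added example: audit an ASA configuration for interfaces that share a
security-level without 'same-security-traffic permit inter-interface'.
The excerpt below is copied from the ASA config posted in this thread."""

ASA_EXCERPT = """
interface GigabitEthernet0/0
 description ###Internet Link###
 nameif outside
 security-level 100
 ip address x.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 description ###Internal MEMBER-1 Link###
 nameif INSIDE
 security-level 100
 ip address 192.168.10.254 255.255.255.0
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
"""

INTER_IFACE_LINE = "same-security-traffic permit inter-interface"


def parse_interfaces(config):
    """Map nameif -> security-level for every interface block that has both."""
    levels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {}                       # start a new interface block
        elif current is not None and line.startswith("nameif "):
            current["name"] = line.split()[1]
        elif current is not None and line.startswith("security-level "):
            current["level"] = int(line.split()[1])
        if current is not None and "name" in current and "level" in current:
            levels[current["name"]] = current["level"]
            current = None                     # block fully read; ignore the rest
    return levels


def same_level_pairs(levels):
    """All unordered pairs of named interfaces that sit at the same level."""
    names = sorted(levels)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if levels[a] == levels[b]]


def inter_interface_permitted(config):
    """True when the exact inter-interface permit statement is present."""
    return any(line.strip() == INTER_IFACE_LINE for line in config.splitlines())


def audit(config):
    """Return (levels, same-level pairs, findings); findings are empty when the
    ASA is configured to forward between same-level interfaces."""
    levels = parse_interfaces(config)
    pairs = same_level_pairs(levels)
    findings = []
    if pairs and not inter_interface_permitted(config):
        for a, b in pairs:
            findings.append(f"{a} and {b} share security-level {levels[a]} "
                            f"but '{INTER_IFACE_LINE}' is missing")
    return levels, pairs, findings


if __name__ == "__main__":
    levels, pairs, findings = audit(ASA_EXCERPT)
    print("levels:", levels)
    print("same-level pairs:", pairs)
    print("findings:", findings or "none")
```

Run against the posted config the audit reports nothing, because that config already carries both same-security-traffic lines; removing the inter-interface line (as the test case does) is what produces findings. The check is deliberately literal: it does not try to reason about which interface the VPN terminates on, only whether the ASA is permitted to forward between two interfaces at equal level at all.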

19 Replies

Richard Burts
Hall of Fame

I understand the desire to mask off sensitive information. But since both devices have multiple VPNs it is a bit tricky to know what part of one config matches what part of the other config. But I believe that I have found the primary issue.

 

Compare the ACL from the router

access-list 101 permit ip 172.16.130.0 0.0.1.255 172.16.0.0 0.0.31.255
access-list 101 permit ip 172.16.130.0 0.0.1.255 192.168.2.0 0.0.0.255
access-list 101 remark IPSEC Tunnel to Ilupeju

 

to the ACL from the ASA

access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128

 

HTH

 

Rick


Hello Rick,

Thanks for the response.

The interesting traffic for which I have this issue is the one below;

 

Cisco 2900 IOS router

ip access-list extended Abuja-VI
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255

And this is the deny statement I used in configuring the "No NAT" and route map so the traffic is not NAT'ed. Please be kind to go through Access-list 110. There are other statements there, but I do not really see how they could affect the new connection. 

access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any

 

route-map nonat permit 10
match ip address 110

ip nat inside source route-map nonat interface Vlan1 overload

 

 

ASA FW 

access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128

 

The "No NAT" config for the interesting traffic on the ASA

nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

 

I will be waiting for your response.

 

Thanks.
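The ACLs in the post above can be checked mechanically rather than by eye. The following script is an added example (it is not from this thread, from Cisco, or from either device): it turns the router's wildcard-mask ACEs and the ASA's netmask ACEs into network pairs and runs the three checks this thread keeps circling. First, whether the two crypto ACLs mirror each other, which is the comparison Rick makes in his first reply. Second, whether every crypto-ACL entry on the router is covered by a deny in the route-map ACL 110, so the flow escapes PAT before it reaches the crypto map. Third, whether a given ping target falls inside the negotiated subnets, which is the point of the accepted solution: 172.16.130.200 lies outside 172.16.130.0/25. The ACE lines are copied from the posts; ACL 101 from the Ilupeju tunnel is included only to show what a genuine mismatch looks like. The hosts 192.168.0.10 and 172.16.130.10 used as test addresses are constructed.

```python
"""Added example: normalise IOS (wildcard) and ASA (netmask) ACEs and check
crypto-ACL symmetry, NAT-exemption coverage and test-address scope.
Not a Cisco tool; only the plain 'permit|deny ip NET BITS NET BITS' form is parsed."""
import ipaddress
import re

# IOS ACE, named or numbered form. 'any', 'host' and port keywords are not
# handled; such lines simply do not match and are skipped.
IOS_ACE = re.compile(
    r"^(?:access-list\s+\S+\s+)?(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# ASA ACE: access-list NAME extended permit|deny ip SRC MASK DST MASK
ASA_ACE = re.compile(
    r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_net(addr, wildcard):
    """IOS wildcard bits are the inverse of a netmask: 0.0.0.127 -> /25."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def mask_to_net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text, style):
    """Return [(action, src_net, dst_net)] for every parsable ACE in text."""
    pattern = IOS_ACE if style == "ios" else ASA_ACE
    to_net = wildcard_to_net if style == "ios" else mask_to_net
    entries = []
    for line in text.strip().splitlines():
        m = pattern.match(line.strip())
        if not m:
            continue  # remarks, 'ip access-list extended ...' headers, 'any' lines
        action, s_addr, s_bits, d_addr, d_bits = m.groups()
        entries.append((action, to_net(s_addr, s_bits), to_net(d_addr, d_bits)))
    return entries


def mirror_mismatches(local, remote):
    """Every local permit (src, dst) must exist on the peer as (dst, src);
    returns the local pairs the peer does not mirror."""
    remote_pairs = {(s, d) for a, s, d in remote if a == "permit"}
    return [(s, d) for a, s, d in local if a == "permit" and (d, s) not in remote_pairs]


def nat_exempt_gaps(crypto, nat_acl):
    """Each crypto-ACL permit must be covered by a deny in the route-map ACL,
    otherwise the flow is translated before it can match the crypto map."""
    denies = [(s, d) for a, s, d in nat_acl if a == "deny"]
    return [(s, d) for a, s, d in crypto if a == "permit"
            and not any(s.subnet_of(ds) and d.subnet_of(dd) for ds, dd in denies)]


def in_scope(crypto, src, dst):
    """True if a src->dst packet would be selected as interesting traffic."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(a == "permit" and src in s and dst in d for a, s, d in crypto)


# ACEs copied from the thread: router named ACL Abuja-VI, router NAT-exemption
# ACL 110 (route-map nonat), and the ASA crypto ACL VI-Abuja.
ROUTER_CRYPTO = """
permit ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
"""
ROUTER_NONAT = """
access-list 110 deny ip 172.16.130.0 0.0.0.127 192.168.0.0 0.0.0.255
access-list 110 deny ip 172.16.130.0 0.0.0.127 172.16.120.0 0.0.7.255
access-list 110 permit ip 172.16.130.0 0.0.0.127 any
"""
ASA_CRYPTO = """
access-list VI-Abuja extended permit ip 192.168.0.0 255.255.255.0 172.16.130.0 255.255.255.128
access-list VI-Abuja extended permit ip 172.16.120.0 255.255.248.0 172.16.130.0 255.255.255.128
"""
# ACL 101 belongs to the other (Ilupeju) tunnel; it is here only to show what
# a real mismatch looks like when held against VI-Abuja.
ROUTER_ACL_101 = """
access-list 101 permit ip 172.16.130.0 0.0.1.255 172.16.0.0 0.0.31.255
access-list 101 permit ip 172.16.130.0 0.0.1.255 192.168.2.0 0.0.0.255
"""


def run_checks():
    router = parse_acl(ROUTER_CRYPTO, "ios")
    asa = parse_acl(ASA_CRYPTO, "asa")
    return {
        "router_not_mirrored": mirror_mismatches(router, asa),
        "asa_not_mirrored": mirror_mismatches(asa, router),
        "nat_exempt_gaps": nat_exempt_gaps(router, parse_acl(ROUTER_NONAT, "ios")),
        "wrong_acl_mismatches": mirror_mismatches(parse_acl(ROUTER_ACL_101, "ios"), asa),
        # constructed hosts: .10 is inside 172.16.130.0/25, .200 is not
        "ping_in_scope": in_scope(asa, "192.168.0.10", "172.16.130.10"),
        "ping_out_of_scope": in_scope(asa, "192.168.0.10", "172.16.130.200"),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

For the Abuja-VI / VI-Abuja pair every check comes back clean, which is consistent with the accepted solution: the tunnel selectors were right and the test address was the problem. The same parser run over ACL 101 reports both of its entries as unmirrored, which is the mismatch Rick's first reply saw while comparing the wrong tunnel's ACL.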

Thank you for the additional information. Look carefully at the no nat on the ASA

nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

 

And look carefully at the objects configured on the ASA

object network BWL-VI1
subnet 172.16.120.0 255.255.255.0
object network BWL-VI3
subnet 172.16.120.0 255.255.248.0

To match the mask used on the router, the ASA should use the object with mask /21 rather than the object with mask /24.

 

HTH

 

Rick


Hey Rick, 

 

I reason with you. But if you look carefully, you'd notice that BWL-VI is an "object-group" with object members BWL-VI2 (192.168.0.0/24) and BWL-VI3 (172.16.120.0/21). 

 

object network BWL-VI2
subnet 192.168.0.0 255.255.255.0
object network BWL-VI1
subnet 172.16.120.0 255.255.255.0
object network BWL-VI3
subnet 172.16.120.0 255.255.248.0

object-group network BWL-VI
network-object object BWL-VI2
network-object object BWL-VI3

 

nat (INSIDE,outside) source static BWL-VI BWL-VI destination static ABUJA ABUJA description NONAT-VI-ABUJA-L2LVPN

 

Or do you think I should remove the object-group "No NAT" and configure the 'No NATs' for each of the address ranges? More like the below:

 

nat (INSIDE,outside) source static BWL-VI2 BWL-VI2 destination static ABUJA ABUJA

nat (INSIDE,outside) source static BWL-VI3 BWL-VI3 destination static ABUJA ABUJA

 

Awaiting your response please.

 

Thank you.

You are correct. I missed the object group. Sorry about that. I do not see any need to redo the nat to use the individual objects.

 

HTH

 

Rick


Hey Rick,

 

Then I still do not understand why my VPN is one way.

Here is one more attempt to find the reason. It looks like networks 172.16.120.0 and 192.168.0.0 are connected through some device behind the ASA. Is it possible that those networks or the device that they connect to do not recognize network 172.16.130.0, or do not route to it through the ASA, or have some policy that impacts 172.16.130.0?

 

HTH

 

Rick


Hey Rick,

 

The connection is this way;

ISP--->ASA--->Core Switch--->Layer2 Switches

 

 - Core switch is doing the DHCP and IP address assignment per vlan. I also did an "ip route" to the interface of the ASA it is connected to. I.E. ip route 0.0.0.0 0.0.0.0 10.2.x.x (10.2.x.x being the interface of the ASA).

 

- You said "Is it possible that those networks or the device that they connect to do not recognize network 172.16.130.0, or do not route to it through the ASA".  Do I need to specifically logon to the Core switch and route the 172.16.130.0 network to the ASA interface 10.2.x.x ?

 

 

If you have configured a default route, it should not be necessary to have a specific route for 172.16.130.0. Would you post the output from the core switch for these commands:

show ip route

show ip interface brief

 

HTH

 

Rick


Hey Rick,

 

Please see below;

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 192.168.10.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 192.168.10.254
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/24 is directly connected, Vlan15
L 10.10.1.2/32 is directly connected, Vlan15
172.16.0.0/16 is variably subnetted, 18 subnets, 4 masks
C 172.16.120.0/24 is directly connected, Vlan10
L 172.16.120.2/32 is directly connected, Vlan10
C 172.16.121.0/24 is directly connected, Vlan20
L 172.16.121.2/32 is directly connected, Vlan20
C 172.16.122.0/24 is directly connected, Vlan30
L 172.16.122.2/32 is directly connected, Vlan30
C 172.16.123.0/24 is directly connected, Vlan40
L 172.16.123.2/32 is directly connected, Vlan40
C 172.16.124.0/26 is directly connected, Vlan50
L 172.16.124.2/32 is directly connected, Vlan50
C 172.16.124.64/26 is directly connected, Vlan60
L 172.16.124.66/32 is directly connected, Vlan60
C 172.16.124.128/26 is directly connected, Vlan70
L 172.16.124.130/32 is directly connected, Vlan70
C 172.16.125.0/25 is directly connected, Vlan80
L 172.16.125.2/32 is directly connected, Vlan80
C 172.16.126.0/24 is directly connected, Vlan90
L 172.16.126.2/32 is directly connected, Vlan90
192.168.0.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.0.0/24 is directly connected, Vlan100
L 192.168.0.3/32 is directly connected, Vlan100
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Vlan1
L 192.168.10.2/32 is directly connected, Vlan1

sh ip int br
Interface IP-Address OK? Method Status Protocol
FastEthernet1 unassigned YES unset down down
TenGigabitEthernet1/1 unassigned YES unset down down
TenGigabitEthernet1/2 unassigned YES unset down down
TenGigabitEthernet1/3 unassigned YES unset down down
TenGigabitEthernet1/4 unassigned YES unset down down
GigabitEthernet2/1 unassigned YES unset up up
GigabitEthernet2/2 unassigned YES unset up up
GigabitEthernet2/3 unassigned YES unset up up
GigabitEthernet2/4 unassigned YES unset up up
GigabitEthernet2/5 unassigned YES unset up up
GigabitEthernet2/6 unassigned YES unset up up
GigabitEthernet2/7 unassigned YES unset up up
GigabitEthernet2/8 unassigned YES unset up up
GigabitEthernet2/9 unassigned YES unset up up
GigabitEthernet2/10 unassigned YES unset up up
GigabitEthernet2/11 unassigned YES unset up up
GigabitEthernet2/12 unassigned YES unset up up
GigabitEthernet2/13 unassigned YES unset up up
GigabitEthernet2/14 unassigned YES unset down down
GigabitEthernet2/15 unassigned YES unset down down
GigabitEthernet2/16 unassigned YES unset down down
GigabitEthernet2/17 unassigned YES unset down down
GigabitEthernet2/18 unassigned YES unset down down
GigabitEthernet2/19 unassigned YES unset down down
GigabitEthernet2/20 unassigned YES unset down down
GigabitEthernet2/21 unassigned YES unset down down
GigabitEthernet2/22 unassigned YES unset down down
GigabitEthernet2/23 unassigned YES unset down down
GigabitEthernet2/24 unassigned YES unset down down
Port-channel1 unassigned YES unset down down
Vlan1 192.168.10.2 YES NVRAM up up
Vlan10 172.16.120.2 YES NVRAM up up
Vlan15 10.10.1.2 YES NVRAM up up
Vlan20 172.16.121.2 YES NVRAM up up
Vlan30 172.16.122.2 YES NVRAM up up
Vlan40 172.16.123.2 YES NVRAM up up
Vlan50 172.16.124.2 YES NVRAM up up
Vlan60 172.16.124.66 YES NVRAM up up
Vlan70 172.16.124.130 YES NVRAM up up
Vlan80 172.16.125.2 YES NVRAM up up
Vlan90 172.16.126.2 YES NVRAM up up
Vlan100 192.168.0.3 YES NVRAM up up

Thanks for the information. I do not see any issue with routing on the core switch. Are there any access lists on the switch filtering traffic?

 

Would you post the output of the show command for the SAs negotiated between the ASA and the router.

 

HTH

 

Rick


Hi Rick,

 

Thanks for your responses all along, I deeply appreciate it.

Been racking my head a lot and I somewhat think my issue is bigger than I thought.

So, if you look at my ASA config, you'll notice there is an existing IPSec VPN apart from the one I'm troubleshooting.

The remote site subnets for the existing VPN (NOT the one with one way) are 192.168.2.0/24 and 172.16.0.0/18

The main site (the one with the ASA) subnets are 192.168.0.0/24 and 172.16.120.0/21

 

For some reason I do not know, the remote site can reach the 2 subnets of the main site from its own 2 subnets, BUT the main site can only reach one subnet out of the two subnets at the remote site. So let me break this down:

 

MAIN SITE: CISCO ASA 5515

 

Remote site to main site

Traffic from 192.168.2.0 (remote site) to 192.168.0.0/24 (main site)=  Works fine 

Traffic from 192.168.2.0 (remote site) to 172.16.120.0/21 (main site)= Works fine

Traffic from 172.16.0.0/18 (remote site) to 192.168.0.0/24 (main site)= Works fine

Traffic from 172.16.0.0/18 (remote site) to 172.16.120.0/21 (main site)= Works fine 

Main site to remote site (CISCO ASA SIDE)

Traffic from 192.168.0.0/24 (main site) to 192.168.2.0 (remote site) = Works fine

Traffic from 192.168.0.0/24 (main site) to 172.16.0.0/18 (remote site) = NOT Working

Traffic from 172.16.120.0/21 (main site) to 192.168.2.0 (remote site) = NOT Working 

Traffic from 172.16.120.0/21 (main site) to 172.16.0.0/18 (remote site) = NOT Working 

 

The above is the initial VPN setup I did before the second one that has the one-way VPN. Now the same thing seems to be happening to the new site.

 

New Site (with Cisco 2900 IOS)

Traffic from 172.16.130.0/25 (new site) to 192.168.0.0/24 (main site) = Works fine

Traffic from 172.16.130.0/25 (new site) to 172.16.120.0/21 (main site) = Works fine

Traffic from 192.168.0.0/24 (main site) to 172.16.130.0/25 (new site) = NOT Working

Traffic from 192.168.0.0/24 (main site) to 172.16.130.0/25 (new site) = NOT Working

 

Please bear in mind that main site uses the ASA. So in all, ASA has only one subnet talking to one subnet to just one site and all sites can talk to it. What do you think of this?

 

Hey Rick,

 

Please see below results of show commands for SAs. IPSec, ISAKMP and IKEv1

Hi,

Can you please change the IKE SA lifetime at the router side from 28800 to 86400 to match the ASA side value, then please clear the SA and see if that makes any difference.

Best regards,

Antonin