10-13-2016 08:03 AM - edited 03-05-2019 07:16 AM
We are experiencing an issue where a Site-to-Site VPN branch office is able to communicate with our CUCM Publisher (192.168.1.x/24), which resides on an MPLS network on the back side of our data center switch; however, it cannot communicate with the CUCM Subscriber (192.168.110.x/24) directly connected to the data center switch.
The branch switch (10.0.0.x/24) and voice router (10.0.1.x/24) can ping the publisher, but they cannot ping the subscriber. They can ping the data and internet subnets (192.168.100.x/24 and 192.168.150.x/24) on the data center switch; however, they cannot ping the voice subnet (192.168.110.x/24). The branch switch connects directly to its onsite ASA and uses a static route statement to direct all outgoing traffic to the inside interface of the ASA:
ip route 0.0.0.0 0.0.0.0 10.0.0.x
The data center switch (192.168.100.x/24) can ping the data and voice subnets (10.0.0.x/24 and 10.0.1.x/24) on the branch switch (including any phones, router, computers, etc.). However, the Subscriber (192.168.110.x/24) directly connected to the data center switch cannot ping the branch voice subnet (10.0.1.x/24), although it can ping the branch data subnet (10.0.0.x/24). The data center switch connects directly to its onsite ASA and uses a static route statement to direct all outgoing traffic to the inside interface of the ASA:
ip route 0.0.0.0 0.0.0.0 192.168.150.x
Both ASA configurations for the Site-to-Site VPN connection are below, as well as the VLAN information for each switch. Any assistance would be greatly appreciated...
Branch Office Configuration
Scenario: Cisco C2801 ISR Router >> Cisco 3560G 48pt Switch >> Cisco 5512X ASA >> VPN Tunnel
Cisco 5512X ASA Configuration
- Network Objects and Groups
object network Branch_Data
subnet 10.0.0.0 255.255.255.0
object network Branch_Voice
subnet 10.0.1.0 255.255.255.0
object-group network Branch_Networks
network-object object Branch_Data
network-object object Branch_Voice
object network Publisher_Data
subnet 192.168.0.0 255.255.255.0
object network Publisher_Voice
subnet 192.168.1.0 255.255.255.0
object network DataCenter_Data
subnet 192.168.100.x 255.255.255.0
object network DataCenter_Voice
subnet 192.168.110.x 255.255.255.0
object network DataCenter_Internet
subnet 192.168.150.x 255.255.255.0
object-group network MPLS_Voice
network-object object Publisher_Data
network-object object Publisher_Voice
network-object object DataCenter_Data
network-object object DataCenter_Voice
network-object object DataCenter_Internet
- ACLs and VPN Config
access-list inside_nat0_outbound extended permit ip object-group Branch_Networks object-group MPLS_Voice
access-list outside_cryptomap extended permit ip object-group Branch_Networks object-group MPLS_Voice
access-list inside_access_in extended permit ip object-group Branch_Networks object-group MPLS_Voice
access-group inside_access_in in interface inside
nat (inside,any) source static Branch_Networks Branch_Networks destination static MPLS_Voice MPLS_Voice no-proxy-arp
nat (inside,outside) source static Branch_Networks Branch_Networks destination static MPLS_Voice MPLS_Voice no-proxy-arp route-lookup
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 162.x.x.x
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_162.x.x.x internal
group-policy GroupPolicy_162.x.x.x attributes
vpn-tunnel-protocol ikev2
tunnel-group 162.x.x.x type ipsec-l2l
tunnel-group 162.x.x.x general-attributes
default group-policy GroupPolicy_162.x.x.x
tunnel-group 162.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Cisco C3560G Switch
- Subnets and VLANs
Data - 10.0.0.x/24, Voice - 10.0.1.x/24
Data Center Configuration
Scenario: VPN Tunnel >> Cisco 5520 ASA >> Cisco C3850X Switch (CUCM Subscriber) >> MPLS Network (CUCM Publisher)
Cisco ASA 5520 Configuration
- Network Objects and Groups
object network Publisher_Data
subnet 192.168.0.0 255.255.255.0
object network Publisher_Voice
subnet 192.168.1.0 255.255.255.0
object network DataCenter_Data
subnet 192.168.100.0 255.255.255.0
object network DataCenter_Voice
subnet 192.168.110.0 255.255.255.0
object network DataCenter_Internet
subnet 192.168.150.0 255.255.255.0
object-group network MPLS_Voice
network-object object Publisher_Data
network-object object Publisher_Voice
network-object object DataCenter_Data
network-object object DataCenter_Voice
network-object object DataCenter_Internet
object network Branch_Data
subnet 10.0.0.0 255.255.255.0
object network Branch_Voice
subnet 10.0.1.0 255.255.255.0
object-group network Branch_Networks
network-object object Branch_Data
network-object object Branch_Voice
- ACLs and VPN Config
access-list inside_nat0_outbound extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-list outside_cryptomap_2 extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-list inside_access_in extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-group inside_access_in in interface inside
nat (inside,any) source static MPLS_Voice MPLS_Voice destination static Branch_Networks Branch_Networks no-proxy-arp *
nat (inside,outside) source static MPLS_Voice MPLS_Voice destination static Branch_Networks Branch_Networks no-proxy-arp route-lookup
crypto map dyn-map 1 match address outside_cryptomap_2
crypto map dyn-map 1 set peer 74.x.x.x
crypto map dyn-map 1 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_74.x.x.x internal
group-policy GroupPolicy_74.x.x.x attributes
vpn-tunnel-protocol ikev2
tunnel-group 74.x.x.x type ipsec-l2l
tunnel-group 74.x.x.x general-attributes
default group-policy GroupPolicy_74.x.x.x
tunnel-group 74.x.x.x ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Cisco C3850X Switch
- Subnets and VLANs
Data - 192.168.100.x/24, Voice - 192.168.110.x/24, Internet - 192.168.150.x/24
The MPLS Network, where the publisher resides, is virtually routed to/from the switch through the service provider.
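As an added example (not part of the original post, and not a Cisco tool), here is a Python script that expands the object and object-group definitions and the crypto / NAT-exemption ACLs of both ASAs into (source, destination) subnet pairs and checks that the two peers' interesting-traffic definitions mirror each other. That is the first thing to verify when some subnet pairs pass across a site-to-site tunnel and others do not. The configuration text is reconstructed from the post, trimmed to the subnets involved in the symptom and with the redacted "x" octets replaced by 0; DC_ASA_BROKEN is a constructed fault (the voice subnet left out of MPLS_Voice on the data center side) so the output of a mismatch can be seen. The parser goes slightly beyond the post's exact case by also accepting any and inline ADDR MASK endpoints and nested group references.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[str, str]

# Constructed from the object definitions in the post (trimmed to the subnets involved in the
# symptom, redacted "x" octets replaced by 0). Both ASAs use the same object names, so one
# block serves as the object section of either config.
OBJECTS = """\
object network Branch_Data
 subnet 10.0.0.0 255.255.255.0
object network Branch_Voice
 subnet 10.0.1.0 255.255.255.0
object-group network Branch_Networks
 network-object object Branch_Data
 network-object object Branch_Voice
object network Publisher_Voice
 subnet 192.168.1.0 255.255.255.0
object network DataCenter_Data
 subnet 192.168.100.0 255.255.255.0
object network DataCenter_Voice
 subnet 192.168.110.0 255.255.255.0
object-group network MPLS_Voice
 network-object object Publisher_Voice
 network-object object DataCenter_Data
 network-object object DataCenter_Voice
"""
BRANCH_ASA = OBJECTS + """\
access-list inside_nat0_outbound extended permit ip object-group Branch_Networks object-group MPLS_Voice
access-list outside_cryptomap extended permit ip object-group Branch_Networks object-group MPLS_Voice
"""
DC_ASA = OBJECTS + """\
access-list inside_nat0_outbound extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-list outside_cryptomap_2 extended permit ip object-group MPLS_Voice object-group Branch_Networks
"""
# Constructed fault for illustration only: the DC side left the voice subnet out of MPLS_Voice.
DC_ASA_BROKEN = DC_ASA.replace(" network-object object DataCenter_Voice\n", "")


def parse_objects(config: str) -> Dict[str, List[Net]]:
    """Map each 'object network' / 'object-group network' name to its flattened subnets."""
    nets: Dict[str, List[Net]] = {}
    refs: Dict[str, List[str]] = {}          # group name -> object names it references
    current = None
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 3 and t[0] in ("object", "object-group") and t[1] == "network":
            current = t[2]
            nets.setdefault(current, [])
            refs.setdefault(current, [])
        elif current and t and t[0] == "subnet":
            nets[current].append(Net(f"{t[1]}/{t[2]}"))
        elif current and t and t[0] == "network-object":
            if t[1] == "object":
                refs[current].append(t[2])
            else:                            # inline "network-object A.B.C.D MASK"
                nets[current].append(Net(f"{t[1]}/{t[2]}"))
        elif current and t and t[0] != "description":
            current = None                   # any other top-level command ends the block

    def expand(name: str) -> List[Net]:     # an undefined reference is itself a config error
        if name not in nets:
            raise ValueError(f"object {name} is referenced but never defined")
        return nets[name] + [n for ref in refs[name] for n in expand(ref)]
    return {name: expand(name) for name in nets}


def _endpoint(t: List[str], i: int, objs: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Decode one ACL endpoint at token i: any, object/object-group NAME, or inline ADDR MASK."""
    if t[i] in ("any", "any4"):
        return [Net("0.0.0.0/0")], i + 1
    if t[i] in ("object", "object-group"):
        return objs[t[i + 1]], i + 2
    return [Net(f"{t[i]}/{t[i + 1]}")], i + 2


def acl_pairs(config: str, acl_name: str) -> Set[Pair]:
    """Expand a crypto or NAT-exemption ACL into the (source, destination) subnet pairs it covers."""
    objs = parse_objects(config)
    pairs: Set[Pair] = set()
    for line in config.splitlines():
        t = line.split()
        if t[:5] != ["access-list", acl_name, "extended", "permit", "ip"]:
            continue                         # only plain 'permit ip' entries define tunnel traffic
        srcs, i = _endpoint(t, 5, objs)
        dsts, _ = _endpoint(t, i, objs)
        pairs.update((str(s), str(d)) for s in srcs for d in dsts)
    return pairs


def unmirrored(local: Set[Pair], remote: Set[Pair]) -> Set[Pair]:
    """Pairs whose mirror image (dst, src) is missing on the other peer, reported in the local view."""
    return ({(s, d) for s, d in local if (d, s) not in remote}
            | {(d, s) for s, d in remote if (d, s) not in local})


def nat0_vs_crypto(cfg: str, nat_acl: str, crypto_acl: str) -> Set[Pair]:
    """Pairs the NAT-exemption and crypto ACLs disagree on: such traffic is either NATed before
    encryption or exempted from NAT but never sent into the tunnel."""
    return acl_pairs(cfg, nat_acl) ^ acl_pairs(cfg, crypto_acl)
```

Running unmirrored() over the two crypto ACLs as posted returns an empty set, because MPLS_Voice x Branch_Networks on the DC side is exactly the mirror of Branch_Networks x MPLS_Voice on the branch side; against DC_ASA_BROKEN it returns the two pairs that involve 192.168.110.0/24, which is the shape the symptom in this thread would have if the object groups had diverged. nat0_vs_crypto() is the companion check for the classic "encrypted but NATed" mistake on a single peer.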
10-16-2016 09:40 PM
It looks like a routing issue. Do you have a route for 192.168.110.0/24 on the Data Center ASA towards the Data Center switch (Cisco C3850X)?
10-17-2016 06:24 AM
Pawan,
Thanks for your response. I actually do have the following static route in the DC ASA pointing toward the DC Switch:
route inside 192.168.110.0 255.255.255.0 192.168.150.2 1
I have also uploaded the crypto sa information for the tunnel concerning the two voice subnets: 192.168.1.x/24 and 192.168.110.x/24
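Pawan's question is about routing, so here, as an added example that is not from the thread, is a Python check that parses ASA "route" statements, performs the longest-prefix lookup the ASA would do for each local and remote subnet of interest, and reports any subnet whose traffic would leave by the wrong interface. A local subnet with no specific route falls through to the default route and exits outside, never reaching the DC switch; a branch subnet must exit outside, the interface the crypto map is applied to, or it is never encrypted. The 192.168.110.0/24 route is the one quoted in the reply above; the other inside routes, the connected 192.168.150.0/24 interface subnet and the 203.0.113.1 gateway are constructed values.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Route = Tuple[Net, str, int]          # (destination, interface, metric)

# Constructed DC ASA routing table. The 203.0.113.1 gateway and the three inside routes are
# assumed values; only the 192.168.110.0/24 route (added in ROUTES_AFTER) is quoted in the thread.
ROUTES_BEFORE = """\
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 192.168.0.0 255.255.255.0 192.168.150.2 1
route inside 192.168.1.0 255.255.255.0 192.168.150.2 1
route inside 192.168.100.0 255.255.255.0 192.168.150.2 1
"""
ROUTES_AFTER = ROUTES_BEFORE + "route inside 192.168.110.0 255.255.255.0 192.168.150.2 1\n"
CONNECTED = {"inside": "192.168.150.0/24"}      # assumed inside interface subnet (implicit route)
LOCAL = ["192.168.0.0/24", "192.168.1.0/24", "192.168.100.0/24", "192.168.110.0/24", "192.168.150.0/24"]
REMOTE = ["10.0.0.0/24", "10.0.1.0/24"]


def parse_routes(text: str, connected: Dict[str, str]) -> List[Route]:
    """Parse 'route IFACE NET MASK GATEWAY [METRIC]' lines plus the connected interface subnets."""
    routes: List[Route] = [(Net(cidr), ifc, 0) for ifc, cidr in connected.items()]
    for line in text.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "route":
            metric = int(t[5]) if len(t) > 5 else 1
            routes.append((Net(f"{t[2]}/{t[3]}"), t[1], metric))
    return routes


def egress_interface(routes: List[Route], subnet: Net) -> Optional[str]:
    """Longest-prefix match (lowest metric on a tie): the interface traffic to `subnet` leaves by."""
    covering = [r for r in routes if subnet.subnet_of(r[0])]
    if not covering:
        return None
    _, ifc, _ = max(covering, key=lambda r: (r[0].prefixlen, -r[2]))
    return ifc


def misrouted(routes: List[Route], local: List[str], remote: List[str]) -> Dict[str, Optional[str]]:
    """Subnets that would take the wrong interface: local ones must go 'inside' (to the DC switch),
    branch ones must exit 'outside', the interface the crypto map is applied to."""
    bad: Dict[str, Optional[str]] = {}
    for cidr in local:
        ifc = egress_interface(routes, Net(cidr))
        if ifc != "inside":
            bad[cidr] = ifc
    for cidr in remote:
        ifc = egress_interface(routes, Net(cidr))
        if ifc != "outside":
            bad[cidr] = ifc
    return bad
```

With ROUTES_BEFORE the check reports 192.168.110.0/24 leaving via outside, which is exactly the symptom Pawan is asking about; with the route from the reply added (ROUTES_AFTER) it reports nothing, which is consistent with the thread's finding that the DC ASA routing was not the cause.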
10-17-2016 06:45 PM
This issue has been resolved.
I rebuilt the tunnel using just the following settings on each side of the tunnel.
access-list inside_nat0_outbound extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-list outside_cryptomap_2 extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-list inside_access_in extended permit ip object-group MPLS_Voice object-group Branch_Networks
access-group inside_access_in in interface inside
nat (inside,any) source static MPLS_Voice MPLS_Voice destination static Branch_Networks Branch_Networks no-proxy-arp *
Prior to rebuilding the tunnel, I also used "clear conn address 74.x.x.x" and "clear conn address 162.x.x.x". Also, I ran "clear xlate" on both ASAs. Once the tunnel re-established, all subnets could communicate and phones connect to the subscriber server.