11-09-2018 11:08 AM
Hi All,
We have 2 x 5512-x ASAs, one in our LA location and one in our PA location. The one in LA (let's call it ASA01) is in production and I have the tunnel configured. The one in PA (ASA02), is set up but it sits behind a Netgear router. From the network created inside ASA02, we are able to ping out and are able to ping devices that are attached to the Netgear router. However, we can't ping into devices on the ASA02 network.
We set the tunnel up on both ends, but we feel it might be because we don't have a rule somewhere that allows traffic into ASA02?
11-09-2018 11:49 AM
Perhaps the first step is to find out whether the tunnel is coming up. Can you post the output of show crypto IPSec sa
HTH
Rick
11-09-2018 12:00 PM - edited 11-09-2018 12:02 PM
els-asa01# show crypto ipsec sa
interface: ZAYO
    Crypto map tag: <amzn_vpn_map>, seq num: 3, local addr: 128.177.20.34

      access-list ZAYO_cryptomap_3 extended permit ip any 10.60.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.60.0.0/255.255.0.0/0/0)
      current_peer: 40.112.133.61

      #pkts encaps: 368, #pkts encrypt: 368, #pkts digest: 368
      #pkts decaps: 538, #pkts decrypt: 538, #pkts verify: 538
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 368, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 128.177.20.34/0, remote crypto endpt.: 40.112.133.61/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: BF4ACF2E
      current inbound spi : 7F761209

    inbound esp sas:
      spi: 0x7F761209 (2138444297)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 50315264, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (97199978/1362)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xBF4ACF2E (3209350958)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 50315264, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (97199975/1362)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: <amzn_vpn_map>, seq num: 10, local addr: 128.177.20.34

      access-list acl-amzn-2 extended permit ip any 10.1.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 54.240.217.162

      #pkts encaps: 3741031, #pkts encrypt: 3741031, #pkts digest: 3741031
      #pkts decaps: 6187717, #pkts decrypt: 6187717, #pkts verify: 6187717
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3741031, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 733

      local crypto endpt.: 128.177.20.34/0, remote crypto endpt.: 54.240.217.162/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F290D08D
      current inbound spi : 87BB71D4

    inbound esp sas:
      spi: 0x87BB71D4 (2277208532)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 55365632, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (96891842/1521)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xF290D08D (4069576845)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 55365632, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (97192939/1521)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
11-09-2018 12:13 PM
Thanks for the information. It does show that the tunnel is up and passing two way traffic. So we need information about what address is attempting to access what address. It might also help if you provide details of the configuration.
HTH
Rick
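The check Rick applies by eye above (non-zero encaps and decaps on the SA means the tunnel carries traffic both ways) can be scripted, which helps when an ASA has many crypto map entries. The following is an added example, not code from this thread or from Cisco: it splits show crypto ipsec sa output at each "Crypto map tag:" header, reads the encaps/decaps/recv-error counters for that SA, and classifies it as bidirectional, one-way or idle. The sample output, its addresses (RFC 5737 documentation ranges) and its counters are constructed, and the "where to look next" hint strings are the author's assumptions, not an ASA diagnosis.

```python
"""Triage helper for Cisco ASA 'show crypto ipsec sa' output (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the ASA's layout. Addresses are RFC 5737 documentation
# ranges and the counters are made up; nothing here is from a real device.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.10

      access-list outside_cryptomap_1 extended permit ip 10.120.0.0 255.255.0.0 10.60.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.60.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 368, #pkts encrypt: 368, #pkts digest: 368
      #pkts decaps: 538, #pkts decrypt: 538, #pkts verify: 538
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 2, local addr: 192.0.2.10

      access-list outside_cryptomap_2 extended permit ip 10.120.0.0 255.255.0.0 10.70.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.70.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.9

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 41
"""


@dataclass
class IpsecSa:
    seq: int
    peer: str
    local_net: str
    remote_net: str
    encaps: int
    decaps: int
    recv_errors: int

    def verdict(self) -> str:
        """Classify traffic direction from the encaps/decaps counters."""
        if self.encaps == 0 and self.decaps == 0:
            return "idle"
        if self.decaps == 0:
            return "tx-only"  # we encrypt, but nothing comes back
        if self.encaps == 0:
            return "rx-only"  # peer sends, but we never select traffic for the tunnel
        return "bidirectional"


# Where to look next for each verdict (assumed guidance, not an ASA diagnosis).
HINTS = {
    "idle": "no traffic selected: check routing toward the remote subnet and the crypto ACL",
    "tx-only": "far end not replying: check the peer's crypto ACL, routing and return path",
    "rx-only": "nothing leaving: check local routing and NAT exemption for the remote subnet",
    "bidirectional": "tunnel passes traffic both ways; look at ACLs/NAT on the hosts' path instead",
}


def _field(pattern: str, chunk: str, default: str = "") -> str:
    """First capture group of pattern in chunk, or default when absent."""
    m = re.search(pattern, chunk)
    return m.group(1) if m else default


def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split the output at each 'Crypto map tag:' header and read one SA per block."""
    sas = []
    for chunk in re.split(r"Crypto map tag:", text)[1:]:
        sas.append(IpsecSa(
            seq=int(_field(r"seq num: (\d+)", chunk, "0")),
            peer=_field(r"current_peer: (\S+)", chunk, "?"),
            local_net=_field(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)", chunk),
            remote_net=_field(r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)", chunk),
            # Counters are absent when no SA is installed; treat that as zero.
            encaps=int(_field(r"#pkts encaps: (\d+)", chunk, "0")),
            decaps=int(_field(r"#pkts decaps: (\d+)", chunk, "0")),
            recv_errors=int(_field(r"#recv errors: (\d+)", chunk, "0")),
        ))
    return sas


def triage(text: str) -> List[str]:
    """One line per SA: what it carries, which way traffic flows, where to look."""
    lines = []
    for sa in parse_ipsec_sa(text):
        v = sa.verdict()
        line = (f"seq {sa.seq} {sa.local_net} -> {sa.remote_net} via {sa.peer}: "
                f"{v} (encaps={sa.encaps}, decaps={sa.decaps}); {HINTS[v]}")
        if sa.recv_errors:
            line += f"; {sa.recv_errors} recv errors, inspect the ASA syslog for the inbound SA"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_OUTPUT):
        print(line)
```

Feed it the pasted output of show crypto ipsec sa (for instance via stdin instead of SAMPLE_OUTPUT) and compare the verdict per crypto map entry against the subnet pair you cannot reach; a "tx-only" entry for that pair points at the far end, an "idle" entry means the ASA never selected the traffic for the tunnel at all.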
11-09-2018 12:27 PM
So the two tunnels showing are the tunnels to AWS. I'll post config in a few.
11-09-2018 01:53 PM
Hello,
post a schematic drawing of your topology. From your description I cannot tell what networks are attached to what, and what you cannot reach from where...
11-10-2018 01:36 PM
The original post described a VPN tunnel between routers in LA and PA. The posted output of VPN tunnels is then described as being to AWS. I am confused about what is going on at both sites and agree with Georg that we need some diagram and some explanation of what is going on indicating what does work and what does not work.
HTH
Rick