RV215w and ASA5505 site to site VPN, Outlook/Exchange trouble

oneit4711
Level 1

Hi,

I have a strange problem:

Config:

Main-Office: RV215W FW Version 1.1.0.5; IP 10.15.1.254/24

Branch-Office: ASA5505 FW 7.2 ASDM 5.2; IP: 10.15.2.1/24

We want to replace the old ASA in the Main Office with the new RV215w. Between these two ASAs there was already a VPN.

Now, on the new RV215w we made the Basic VPN Setup. At first look it works.

The ASA in the branch has keepalive active, so it connected to the RV automatically. ASDM on the ASA stated 1 IKE and 1 VPN tunnel.

Data transfer is also working. On the branch site I can ping the other network and see the shares from the main server. A remote desktop connection is also working.

Now the troubles. On the branch site there is a client PC with Outlook 2003. This Outlook cannot connect to the Exchange Server on the SBS 2011 at the main site. Status: offline or not connected. Only 1 or 2 times did it say online and all folders were synced. No idea why.

Another strange one:

I deactivated the keepalive in the ASA on the branch site. Now the RV215 was making the VPN connection to the ASA. But that is not working. The RV can't make the connection.

What I don't understand: a VPN should be a transparent connection, so there should be no ports or anything to open. The group policy on the ASA says that the firewall is off.

How can it be that from ASA to RV the connection is nearly working, and from RV to ASA no connection is possible?

Has anybody already had such experiences? For the ASA I'm nearly a noob, so it can be that I overlooked some settings.

Maybe there is some config to do on the ASA?

Thank you for your help.

Chris

PS: I hope you can understand my posting. Sorry for the English. In the German section I got no answer.

2 Replies

Dan Miley
Level 3

I would check the status of the tunnel; there should be a counter for packets tx and rx, and they should be incrementing on both sides if traffic is going through.

Here are some steps to troubleshoot.

1 - try to ping the LAN interface of both devices from the far end (if the ASA is set up to reply to pings).

2 - if that does not work, the tunnel is having difficulty; verify the timers for SA lifetime for IKE and IPsec are the same on both ends (the default may not be the same).

3 - verify the default gateway is correct on your server and your client (pointing to the ASA or RV215).

4 - local firewalls may prevent connections from remote networks; some AV or firewalls have a trusted network list.

5 - run Wireshark on your server to see if the packets are actually getting there from the remote network, and the reply is going back to the correct router.

Post the configs without passwords and sensitive info and there may be some other suggestions.

Hope it helps.

dlm...
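Step 1 of the reply above (tx/rx counters incrementing on both sides) is easy to eyeball once but tedious to compare over time. The script below is an added example for this thread, not code from the reply, from Cisco or from the RV215w: it parses two snapshots of ASA `show crypto ipsec sa` output, keyed by the local/remote proxy identities, and reports per SA whether the encaps (sent) and decaps (received) counters both moved. The two snapshots are constructed sample data with documentation-range addresses, not captures from the poster's devices; the text layout follows the ASA 7.x output format.

```python
"""Compare two 'show crypto ipsec sa' snapshots from an ASA and report, per
IPsec SA, whether traffic is really flowing in both directions.

Added example for this thread; not code from the original reply or from
Cisco.  Both snapshots are constructed sample data (192.0.2.x and
198.51.100.x are documentation addresses), not captures from the poster's
devices.
"""
import re
from typing import Dict, Tuple

# Snapshot 1 (constructed): one L2L SA from the branch LAN to the main LAN.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: canti, seq num: 10, local addr: 192.0.2.10

      access-list VPN-SplitT permit ip 10.15.2.0 255.255.255.0 10.15.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.15.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.15.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 1420, #pkts decrypt: 1420, #pkts verify: 1420
      #send errors: 0, #recv errors: 0
"""

# Snapshot 2 (constructed), taken a minute later while the branch client was
# trying to reach the main office: encaps moved, decaps did not.
SNAPSHOT_AFTER = """\
interface: outside
    Crypto map tag: canti, seq num: 10, local addr: 192.0.2.10

      access-list VPN-SplitT permit ip 10.15.2.0 255.255.255.0 10.15.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.15.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.15.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      #pkts encaps: 1760, #pkts encrypt: 1760, #pkts digest: 1760
      #pkts decaps: 1420, #pkts decrypt: 1420, #pkts verify: 1420
      #send errors: 0, #recv errors: 0
"""

LOCAL_RE = re.compile(r"local ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
REMOTE_RE = re.compile(r"remote ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def _cidr(addr: str, mask: str) -> str:
    """Turn '10.15.2.0', '255.255.255.0' into '10.15.2.0/24'."""
    bits = sum(bin(int(octet)).count("1") for octet in mask.split("."))
    return f"{addr}/{bits}"


def parse_sa_counters(text: str) -> Dict[str, Tuple[int, int]]:
    """Map 'local->remote' proxy identity to (encaps, decaps) packet counts."""
    sas: Dict[str, Tuple[int, int]] = {}
    local = remote = ""
    encaps = 0
    for line in text.splitlines():
        m = LOCAL_RE.search(line)
        if m:
            local = _cidr(*m.groups())
            continue
        m = REMOTE_RE.search(line)
        if m:
            remote = _cidr(*m.groups())
            continue
        m = ENCAPS_RE.search(line)
        if m:
            encaps = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            # decaps is the last counter we need; the SA record is complete here
            sas[f"{local}->{remote}"] = (encaps, int(m.group(1)))
    return sas


# (encaps moved?, decaps moved?) -> verdict
VERDICTS = {
    (True, True): "ok",        # traffic flowing both ways
    (True, False): "tx-only",  # we encrypt and send, nothing comes back through the SA
    (False, True): "rx-only",  # far end sends, we never encapsulate a reply
    (False, False): "idle",
}


def classify(before: Dict[str, Tuple[int, int]],
             after: Dict[str, Tuple[int, int]]) -> Dict[str, str]:
    """Compare two snapshots and give one verdict per SA seen in the second."""
    report = {}
    for key, (enc1, dec1) in after.items():
        enc0, dec0 = before.get(key, (0, 0))
        report[key] = VERDICTS[(enc1 > enc0, dec1 > dec0)]
    return report


if __name__ == "__main__":
    for sa, verdict in classify(parse_sa_counters(SNAPSHOT_BEFORE),
                                parse_sa_counters(SNAPSHOT_AFTER)).items():
        print(f"{sa}: {verdict}")
```

Run `show crypto ipsec sa` twice a minute apart (while the client is trying to reach the server), save each to a file and feed the two texts to the functions. `tx-only` on the branch ASA means the branch is encrypting toward the main office but nothing is coming back inside the tunnel, which points at steps 3 to 5 of the reply (return path and local firewalls on the far side) rather than at the tunnel itself; `idle` on both ends while the ping runs means the traffic never entered the crypto map.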

Hi Daniel,

thank you for your reply.

Yes, there is traffic in the tunnel when the ASA makes the connection. From the RV side it is atm impossible to make a connection. Why? That's the question.

1 - Pings are ok.

2 - Step 1 is ok. I did ping -t from both sides to each other's server. No problem and no interruption.

3 - Gateway is correct. Clients from both sides can go to the internet, with VPN and without.

4 - Client firewalls may not be the problem. On the ASA site everything is the same as before.

5 - Wireshark I can run when I'm at the customer again.

Fact is that the old config with ASA-VPN-ASA is still running. Outlook on the branch site makes no trouble. And with RV215-VPN-ASA everything also seems ok, e.g. RDP from one server to the other over VPN. Except that the Outlook 2003 on the branch site cannot connect to the Exchange Server on the main site through the tunnel.

The only thing that I have found now is that the ASA clock had a difference of several hours. I changed that. Now I have to test this week. Or is this not so important for the VPN tunnel?

Here is the config of the Branch-ASA:

: Saved
: Written by oneit at 02:01:54.772 UTC Mon Aug 26 2013
!
ASA Version 7.2(4)
!
hostname procxx
domain-name default.domain.invalid
enable password xxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxx encrypted
names
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 80.122.xxx.xxx 255.255.255.0
!
interface Vlan3
 nameif inside
 security-level 100
 ip address 10.15.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 3
!
interface Ethernet0/2
 switchport access vlan 3
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
 switchport access vlan 3
!
interface Ethernet0/6
 switchport access vlan 3
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit inter-interface
access-list outside_in extended permit icmp any any echo-reply
access-list outside_in extended permit icmp any any unreachable
access-list outside_in extended permit icmp any any time-exceeded
access-list outside_in extended permit icmp any any source-quench
access-list NO_NAT extended permit ip 10.15.2.0 255.255.255.0 10.15.1.0 255.255.255.0
access-list NO_NAT extended permit ip 10.15.2.0 255.255.255.0 10.15.4.0 255.255.255.0
access-list VPN-SplitT extended permit ip 10.15.2.0 255.255.255.0 10.15.1.0 255.255.255.0
access-list VPN-SplitT-RemotE extended permit ip 10.15.2.0 255.255.255.0 10.15.4.0 255.255.255.0
access-list hotel extended permit ip 10.15.4.0 255.255.255.0 host 10.15.2.11
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
ip local pool canti-pool 10.15.4.1-10.15.4.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NO_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 80.122.183.213 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 10.15.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set CAN2PRO esp-3des esp-sha-hmac
crypto ipsec transform-set CaN2RemotE esp-aes esp-sha-hmac
crypto dynamic-map vpn-client-map 9999 set transform-set CaN2RemotE
crypto map canti 10 match address VPN-SplitT
crypto map canti 10 set peer 88.116.109.110
crypto map canti 10 set transform-set CAN2PRO
crypto map canti 9999 ipsec-isakmp dynamic vpn-client-map
crypto map canti interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 9999
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  10
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
management-access inside
dhcpd dns 10.15.1.50 195.3.96.67
dhcpd domain ca.priv
!
dhcpd address 10.15.2.10-10.15.2.20 inside
dhcpd enable inside
!
tftp-server inside 10.15.2.60 ASA
group-policy vpn internal
group-policy vpn attributes
 dns-server value 10.15.1.60
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SplitT-RemotE
username xxxx
 vpn-simultaneous-logins 0
username hotel password YjfZM08Zw6m4BWFa encrypted
username hotel attributes
 vpn-filter value hotel
tunnel-group 88.116.109.xxx type ipsec-l2l
tunnel-group 88.116.109.xxx ipsec-attributes
 pre-shared-key qxxxxxxxx
tunnel-group ProcRemotE type ipsec-ra
tunnel-group ProcRemotE general-attributes
 address-pool canti-pool
 default-group-policy vpn
tunnel-group ProcRemotE ipsec-attributes
 pre-shared-key @m35@d5KuW5idH!:!@procacci!
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:8ee2aad25429bdf747fd78f08f91ec80
: end

ATM I don't have screenshots of the RV config. For that I have to swap it with the ASA at the main site. Maybe I can post this this week.

Thank you for your help

Chris
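Step 2 of Dan's reply (IKE and IPsec lifetimes, and the rest of the proposal, must match on both ends, and the defaults differ between vendors) can be checked mechanically against the config posted above. The script below is an added example for this thread, not code from the post, from Cisco or from the RV215w: it parses the crypto section of the ASA config (copied from the post, with the peer address masked as the poster masked it in the tunnel-group lines), and compares it with the proposal the other peer is configured for. Because the RV215w config is not in the thread, `RV215W_PROPOSAL` is a constructed, hypothetical set of values chosen only to show how a mismatch is reported; it is not the poster's real RV215w setting. The ASA IPsec SA lifetime default used when a crypto map sets none (28800 s) is taken from Cisco's documentation and is stated as an assumption in the code.

```python
"""Extract the IKE (phase 1) and IPsec (phase 2) proposal from an ASA config
and check it against what the other peer is set to.

Added example for this thread; not code from the post, from Cisco or from
the RV215w.  ASA_CONFIG is the crypto section of the posted config (peer
masked as in the post).  RV215W_PROPOSAL is a constructed, hypothetical
peer proposal used only to exercise the comparison.
"""
import re
from typing import Dict, List, Tuple

ASA_CONFIG = """\
crypto ipsec transform-set CAN2PRO esp-3des esp-sha-hmac
crypto ipsec transform-set CaN2RemotE esp-aes esp-sha-hmac
crypto dynamic-map vpn-client-map 9999 set transform-set CaN2RemotE
crypto map canti 10 match address VPN-SplitT
crypto map canti 10 set peer 88.116.109.xxx
crypto map canti 10 set transform-set CAN2PRO
crypto map canti 9999 ipsec-isakmp dynamic vpn-client-map
crypto map canti interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
crypto isakmp policy 9999
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
"""

# Hypothetical peer proposal (constructed): phase 1 matches policy 10 except
# for the IKE lifetime, and phase 2 uses a 1 h SA lifetime.
RV215W_PROPOSAL = {
    "ike": {"encryption": "3des", "hash": "sha", "group": "5", "lifetime": "28800"},
    "ipsec": {"transform": ("esp-3des", "esp-sha-hmac"), "lifetime": "3600"},
}

# Assumption: ASA default IPsec SA lifetime when the crypto map sets none.
ASA_DEFAULT_IPSEC_LIFETIME = "28800"

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)$")
POLICY_ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
MAP_RE = re.compile(
    r"^crypto map (\S+) (\d+) "
    r"(match address|set peer|set transform-set|set security-association lifetime seconds) (\S+)$")
MAP_KEYS = {"match address": "acl", "set peer": "peer",
            "set transform-set": "transform_set",
            "set security-association lifetime seconds": "lifetime"}


def parse_asa(text: str) -> Dict[str, dict]:
    """Collect ISAKMP policies, transform sets and static crypto map entries."""
    policies: Dict[str, Dict[str, str]] = {}
    tsets: Dict[str, Tuple[str, ...]] = {}
    maps: Dict[Tuple[str, str], Dict[str, str]] = {}
    current = None  # policy block being filled, if any
    for raw in text.splitlines():
        line = raw.strip()  # works whether or not the paste kept indentation
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), {})
            continue
        words = line.split(" ", 1)
        if current is not None and words[0] in POLICY_ATTRS and len(words) == 2:
            current[words[0]] = words[1]
            continue
        current = None  # any other line ends the policy block
        m = TS_RE.match(line)
        if m:
            tsets[m.group(1)] = tuple(m.group(2).split())
            continue
        m = MAP_RE.match(line)
        if m:
            maps.setdefault((m.group(1), m.group(2)), {})[MAP_KEYS[m.group(3)]] = m.group(4)
    return {"isakmp_policies": policies, "transform_sets": tsets, "crypto_maps": maps}


def compare(asa: Dict[str, dict], peer: dict, peer_addr: str) -> List[tuple]:
    """Return (phase, item, asa_value, peer_value) for every mismatch found."""
    findings: List[tuple] = []
    entries = [e for e in asa["crypto_maps"].values() if e.get("peer") == peer_addr]
    if not entries:
        return [("ipsec", "peer", None, peer_addr)]
    entry = entries[0]
    ts = asa["transform_sets"].get(entry.get("transform_set", ""), ())
    if ts != tuple(peer["ipsec"]["transform"]):
        findings.append(("ipsec", "transform", ts, tuple(peer["ipsec"]["transform"])))
    asa_lt = entry.get("lifetime", ASA_DEFAULT_IPSEC_LIFETIME)
    if asa_lt != peer["ipsec"]["lifetime"]:
        findings.append(("ipsec", "lifetime", asa_lt, peer["ipsec"]["lifetime"]))
    want = peer["ike"]
    # The responder accepts phase 1 if any of its policies matches the offer.
    matching = [seq for seq, p in asa["isakmp_policies"].items()
                if all(p.get(k) == want[k] for k in ("encryption", "hash", "group"))]
    if not matching:
        findings.append(("ike", "policy", asa["isakmp_policies"],
                         {k: want[k] for k in ("encryption", "hash", "group")}))
    for seq in matching:
        lt = asa["isakmp_policies"][seq].get("lifetime")
        if lt != want["lifetime"]:
            findings.append(("ike", f"policy {seq} lifetime", lt, want["lifetime"]))
    return findings


if __name__ == "__main__":
    for finding in compare(parse_asa(ASA_CONFIG), RV215W_PROPOSAL, "88.116.109.xxx"):
        print(finding)
```

Feed the real `show running-config` of the ASA and the values from the RV215w's VPN policy page into `parse_asa` and `RV215W_PROPOSAL`; an empty result means the two proposals agree, and each tuple names the side-by-side values that differ, which is exactly what step 2 asks to verify.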