Site to Site Tunnel

JoeT
Level 1

Having an issue with a site to site tunnel. The tunnel is up and I can ping and ssh to switches from site A to site B, but I can't see anything else on the subnet of site B. Also I can't ping back to site A at all from site B.

 

When I do a traceroute back to site A from a host on site B the packet gets routed to the outside interface without hitting the tunnel. I'm thinking this is an ACL/Cryptomap problem but so far none of my changes have had any impact. 

 

On site A the subnet is connected directly by a subinterface. But on site B the subnet is reached through a routed interface, which hits a layer 3 switch with a few vlans on it.

 

Thoughts ?

 

Cheers,

 

Joe


willwetherman
Spotlight

Hi,

 

Have you checked that traffic between site A and site B is being exempted from NAT, as NAT can cause issues similar to what you have described? Can you provide your configs?

 

Will

Hi Will, 

 

Thanks for the reply. Both sides are NAT exempt. It's odd that I can get to all the switches at site B from site A. And those switches can ping devices on the vlan. What part of the config would be most helpful?

That is odd. Can you try and initiate a connection from a device on site B to a device on site A and check the output of 'show crypto ipsec sa' on site B to see if the encrypted packets are increasing or not?

 

So would it be a routing issue on site B on the layer 3 switch? It looks like the packets aren't going back through the tunnel; they're just getting sent to the outside interface.

Output: Packets are increasing, but I can't tell if it's in relation to site A devices trying to connect or my pings from site B.

 

#pkts encaps: 1407, #pkts encrypt: 1407, #pkts digest: 1407
#pkts decaps: 1803, #pkts decrypt: 1803, #pkts verify: 1803
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1407, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

Can you post the crypto config, routing table and NAT config from site B? Can you also confirm the IP address of a device located at site B and at site A that are failing to communicate?

interface Port-channel1
 lacp max-bundle 8
 port-channel load-balance src-dst-ip-port
 nameif inside
 security-level 100
 ip address 10.17.1.1 255.255.255.252
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Env-net
 subnet 10.10.88.0 255.255.255.0
 description F Security Lan
object network NETWORK_OBJ_10.17.88.0_24
 subnet 10.17.88.0 255.255.255.0
object network S_Lan
 subnet 10.17.88.0 255.255.255.0
object network H_Data
 subnet 10.17.120.0 255.255.255.0
object network vlan120
 subnet 10.17.120.0 255.255.255.0
access-list Lan_Access standard permit 10.17.120.0 255.255.255.0
access-list Lan_Access standard permit 10.17.88.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.17.88.0 255.255.255.0 object E-net
access-list Outside_access_in extended permit icmp any4 any
access-list E-net_cryptomap extended permit ip object S object E-net inactive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,Outside) source dynamic H_Data interface dns
nat (Outside,inside) source static E-net E-net destination static S_Lan S_Lan no-proxy-arp route-lookup inactive
nat (inside,Outside) source static S_Lan S_Lan destination static E-net E-net no-proxy-arp route-lookup
nat (inside,Outside) source static NETWORK_OBJ_10.17.88.0_24 NETWORK_OBJ_10.17.88.0_24 destination static E-net E-net no-proxy-arp route-lookup inactive
!
nat (inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 1.9.16.11 1
route inside 10.17.88.0 255.255.255.0 10.17.1.2 1
route inside 10.17.120.0 255.255.255.0 10.17.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set peer 7.1.3.1
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=esw01-BentlyHeritageLLC
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev2 enable inside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable Outside
crypto ikev1 enable inside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
 enable Outside
 anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 1
 anyconnect profiles Heritage_client_profile disk0:/Heritage_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_Heritage internal
group-policy GroupPolicy_Heritage attributes
 wins-server none
 dns-server none
 vpn-tunnel-protocol ikev2 ssl-client
 default-domain value bentlyheritage.com
 split-tunnel-all-dns disable
 webvpn
  anyconnect profiles value Heritage_client_profile type user
group-policy GroupPolicy_7.1.3.1 internal
group-policy GroupPolicy_7.1.3.1 attributes
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Her type remote-access
tunnel-group Her general-attributes
 address-pool Vpn
 default-group-policy GroupPolicy_Heritage
tunnel-group Heritage webvpn-attributes
 group-alias Heritage enable
tunnel-group 7.1.3.1 type ipsec-l2l
tunnel-group 7.1.3.1 general-attributes
 default-group-policy GroupPolicy_7.1.3.1
tunnel-group 7.1.3.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a70f343304ea6d71970b853c7967324d
: end

So Site A can ping only the switches at 10.17.88.2-.6, nothing else on the subnet.

 

Site B can't ping host 10.10.88.155 or anything else on subnet. 

Hi,

 

I have checked and your ASA config looks good. The routing is correct and traffic from 10.17.88.0/24 to 10.10.88.0/24 is exempt from NAT so it should match the crypto map and be encrypted over the tunnel.

 

Can you check and verify that the Site B switches are configured to use the L3 switch as the default gateway and that the L3 switch has a route to 10.10.88.0/24 with a next-hop IP address of the ASA inside interface 10.17.1.1?

 

Also, can you confirm that when you send a ping from one of the Site B switches to 10.10.88.0/24, the traffic is sourced from a 10.17.88.0/24 IP address and not from any other IP address that may be configured on the switch?
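The checks in the reply above (does the traffic match the crypto ACL bound to the peer, and is it covered by an active NAT exemption) can be automated. The following is an added example, not code from this thread or from Cisco: it reads an ASA config excerpt constructed from the lines posted above, with the object names normalised to "Env-net" because the posted config defines "Env-net" but references "E-net". The host addresses 10.17.88.50 and 10.17.120.5 are constructed test values; the NAT rules marked "inactive" are deliberately kept in the excerpt so the parser is shown ignoring them.

```python
import ipaddress
import re

# Constructed ASA excerpt modelled on the config posted in this thread
# (object names normalised; otherwise the posted lines).
ASA_CONFIG = """\
object network Env-net
 subnet 10.10.88.0 255.255.255.0
 description F Security Lan
object network NETWORK_OBJ_10.17.88.0_24
 subnet 10.17.88.0 255.255.255.0
object network S_Lan
 subnet 10.17.88.0 255.255.255.0
object network H_Data
 subnet 10.17.120.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.17.88.0 255.255.255.0 object Env-net
access-list Outside_access_in extended permit icmp any4 any
nat (inside,Outside) source dynamic H_Data interface dns
nat (Outside,inside) source static Env-net Env-net destination static S_Lan S_Lan no-proxy-arp route-lookup inactive
nat (inside,Outside) source static S_Lan S_Lan destination static Env-net Env-net no-proxy-arp route-lookup
nat (inside,Outside) source static NETWORK_OBJ_10.17.88.0_24 NETWORK_OBJ_10.17.88.0_24 destination static Env-net Env-net no-proxy-arp route-lookup inactive
nat (inside,Outside) after-auto source dynamic any interface
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set peer 7.1.3.1
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
"""

NAT_RE = re.compile(
    r"^nat \((?P<real_if>[^,]+),(?P<mapped_if>[^)]+)\) source static (?P<s_real>\S+) (?P<s_mapped>\S+) "
    r"destination static (?P<d_real>\S+) (?P<d_mapped>\S+)(?P<rest>.*)$"
)


def parse_objects(cfg):
    """Map 'object network' names to the subnet or host they define."""
    objects, current = {}, None
    for line in cfg.splitlines():
        tokens = line.split()
        if line.startswith("object network "):
            current = tokens[2]
        elif current and line.startswith(" subnet "):
            objects[current] = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif current and line.startswith(" host "):
            objects[current] = ipaddress.ip_network(tokens[1] + "/32")
        elif not line.startswith(" "):
            current = None  # left the object block
    return objects


def _parse_addr(tokens, i, objects):
    """Consume one ACL address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2  # addr + mask


def parse_acl(cfg, name, objects):
    """Active 'permit/deny ip' entries of an extended ACL, in configured order."""
    rules = []
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"] or t[-1] == "inactive":
            continue
        if t[4] != "ip":
            continue  # an L2L crypto ACL matches on 'ip'; port-level entries are not modelled
        src, i = _parse_addr(t, 5, objects)
        dst, _ = _parse_addr(t, i, objects)
        rules.append((t[3], src, dst))
    return rules


def acl_action(rules, src, dst):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, s, d in rules:
        if src in s and dst in d:
            return action
    return "deny"


def parse_nat_exemptions(cfg, objects):
    """Active twice-NAT rules that are pure identity translations, i.e. NAT exemptions."""
    exempt = []
    for line in cfg.splitlines():
        m = NAT_RE.match(line)
        if not m or "inactive" in m.group("rest").split():
            continue
        if m.group("s_real") != m.group("s_mapped") or m.group("d_real") != m.group("d_mapped"):
            continue  # rewrites addresses, so it is a translation rather than an exemption
        exempt.append((m.group("real_if"), m.group("mapped_if"),
                       objects[m.group("s_real")], objects[m.group("d_real")]))
    return exempt


def crypto_acl_for_peer(cfg, peer):
    """Name of the 'match address' ACL on the crypto map entry whose peer is `peer`."""
    acl_by_entry, peer_entry = {}, None
    for line in cfg.splitlines():
        t = line.split()
        if len(t) < 7 or t[:2] != ["crypto", "map"]:
            continue
        key = (t[2], t[3])  # (map name, sequence number)
        if t[4:6] == ["match", "address"]:
            acl_by_entry[key] = t[6]
        elif t[4:6] == ["set", "peer"] and t[6] == peer:
            peer_entry = key
    return acl_by_entry.get(peer_entry)


def check_l2l_path(cfg, peer, src_ip, dst_ip):
    """Is src->dst 'interesting traffic' for the tunnel to `peer`?

    On the ASA, NAT runs before the crypto map lookup, so a flow needs both an
    exemption (or the source would be PATed to the outside address) and a
    permit in the crypto ACL.
    """
    objects = parse_objects(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    acl = crypto_acl_for_peer(cfg, peer)
    acl_hit = acl is not None and acl_action(parse_acl(cfg, acl, objects), src, dst) == "permit"
    nat_hit = any(src in s and dst in d for _, _, s, d in parse_nat_exemptions(cfg, objects))
    return {"crypto_acl": acl, "crypto_acl_match": acl_hit, "nat_exempt": nat_hit,
            "interesting_traffic": acl_hit and nat_hit}


if __name__ == "__main__":
    print(check_l2l_path(ASA_CONFIG, "7.1.3.1", "10.17.88.50", "10.10.88.155"))
    print(check_l2l_path(ASA_CONFIG, "7.1.3.1", "10.17.120.5", "10.10.88.155"))
```

For a 10.17.88.0/24 host the checker reports the crypto ACL Outside_cryptomap_1 matching and an active exemption in place, which agrees with the reply above. For a VLAN 120 host it reports neither: in the posted config 10.17.120.0/24 is only covered by the dynamic PAT rule, so that subnet is not carried by this tunnel at all, which is worth keeping in mind when testing from hosts on other VLANs behind the L3 switch.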

So I've tried the gateway as the SVI and as the interface 10.17.1.2. That didn't seem to make a difference. Here's the switch's routing table. Am I missing a route here? And is it best to use the SVI and let the switch route it to 10.17.1.2 and on to 10.17.1.1?

 

network 10.17.88.0 255.255.255.0
default-router 10.17.1.2

Gateway of last resort is 10.17.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.17.1.1
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
C        10.17.1.0/30 is directly connected, Port-channel1
L        10.17.1.2/32 is directly connected, Port-channel1
C        10.17.40.0/24 is directly connected, Vlan40
L        10.17.40.2/32 is directly connected, Vlan40
C        10.17.80.0/24 is directly connected, Vlan80
L        10.17.80.2/32 is directly connected, Vlan80
C        10.17.88.0/24 is directly connected, Vlan88
L        10.17.88.2/32 is directly connected, Vlan88
C        10.17.120.0/24 is directly connected, Vlan120
L        10.17.120.2/32 is directly connected, Vlan120
C        10.17.160.0/24 is directly connected, Vlan160
L        10.17.160.2/32 is directly connected, Vlan160

The devices on the 10.17.88.0/24 network should use the L3 switch's VLAN 88 SVI as the default gateway. From your output I believe that this IP address is 10.17.88.2.

 

Can you try and ping site A 10.10.88.155 from the Site B L3 switch as follows and let me know if the ping is successful?

 

ping 10.10.88.155 source vlan 88
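The first-hop reasoning in the accepted answer (the host's gateway must be the SVI of the VLAN the host sits in, and the switch's route toward 10.10.88.0/24 must point at the ASA inside address) can be checked against the routing table posted above. The following is an added example, not code from this thread or from Cisco. The routing-table text is a constructed excerpt of the poster's output trimmed to the relevant VLANs; 10.17.88.50 is a constructed host address; 10.17.88.6 falls in the poster's ".2-.6" switch range and stands in here for an access-layer switch; 10.17.1.2 is the port-channel address that the posted DHCP pool hands out as default-router.

```python
import ipaddress
import re

# Constructed excerpt of the Site B L3 switch routing table, trimmed from the
# 'show ip route' style output posted in the thread.
SWITCH_ROUTES = """\
Gateway of last resort is 10.17.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.17.1.1
      10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
C        10.17.1.0/30 is directly connected, Port-channel1
L        10.17.1.2/32 is directly connected, Port-channel1
C        10.17.88.0/24 is directly connected, Vlan88
L        10.17.88.2/32 is directly connected, Vlan88
C        10.17.120.0/24 is directly connected, Vlan120
L        10.17.120.2/32 is directly connected, Vlan120
"""

# Matches static routes with a next hop ("[1/0] via x.x.x.x") and connected/local
# routes ("is directly connected, <interface>"); summary and banner lines are skipped.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+(?:\.\d+){3})|is directly connected,\s+(?P<iface>\S+))"
)


def parse_routes(text):
    """Parse route lines into {'code', 'network', 'via', 'iface'} records."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"code": m.group("code"),
                           "network": ipaddress.ip_network(m.group("prefix")),
                           "via": m.group("via"), "iface": m.group("iface")})
    return routes


def lookup_route(routes, ip):
    """Longest-prefix match, as the switch's forwarding table would do."""
    ip = ipaddress.ip_address(ip)
    candidates = [r for r in routes if ip in r["network"]]
    return max(candidates, key=lambda r: r["network"].prefixlen, default=None)


def svi_address(routes, iface):
    """The switch's own address on an interface is its 'L' (local) /32 entry."""
    for r in routes:
        if r["code"] == "L" and r["iface"] == iface:
            return r["network"].network_address
    return None


def check_first_hop(routes, host_ip, gateway_ip, remote_ip):
    """Validate a host's default gateway against the L3 switch's view of the network."""
    host, gw = ipaddress.ip_address(host_ip), ipaddress.ip_address(gateway_ip)
    connected = lookup_route(routes, host)
    if connected is None or connected["code"] != "C":
        return {"error": f"{host} is not on a subnet connected to this switch"}
    subnet, iface = connected["network"], connected["iface"]
    svi = svi_address(routes, iface)
    onward = lookup_route(routes, remote_ip)
    next_hop = None
    if onward is not None:
        next_hop = onward["via"] or f"connected via {onward['iface']}"
    return {
        "host_subnet": str(subnet),
        "host_iface": iface,
        "svi": str(svi),
        "gateway_on_subnet": gw in subnet,  # off-subnet: the host cannot even ARP for it
        "gateway_is_svi": gw == svi,        # anything else is not routing for this VLAN
        "remote_next_hop": next_hop,        # should be the ASA inside address, 10.17.1.1 here
    }


if __name__ == "__main__":
    routes = parse_routes(SWITCH_ROUTES)
    for gateway in ("10.17.88.2", "10.17.88.6", "10.17.1.2"):
        print(gateway, check_first_hop(routes, "10.17.88.50", gateway, "10.10.88.155"))
```

Run with the host's actual gateway as reported by the host itself (ipconfig, ip route, or the DHCP lease), not the value you expect it to have; the three sample gateways show the SVI passing, an access-layer switch address on the right subnet but not the SVI, and the off-subnet port-channel address failing both checks. Note this only verifies the return path from Site B up to the ASA; the ASA's own crypto ACL and NAT exemption are a separate check.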

Thank you for walking through this with me. The problem was a gateway misconfig on the hosts; they had their gateway configured to the access-layer switch.

 

Cheers!

Joe
