02-08-2018 07:42 AM - edited 03-08-2019 01:46 PM
Having an issue with a site to site tunnel. The tunnel is up and I can ping and ssh to switches from site A to site B, but I can't see anything else on the subnet of site B. Also I can't ping back to site A at all from site B.
When I do a traceroute back to site A from a host on site B the packet gets routed to the outside interface without hitting the tunnel. I'm thinking this is an ACL/Cryptomap problem but so far none of my changes have had any impact.
On site A the subnet is connected directly by a subinterface. But on site B the subnet is reached through a routed interface, which hits a layer 3 switch with a few vlans on it.
Thoughts?
Cheers,
Joe
02-08-2018 08:16 AM
Hi,
Have you checked that traffic between site A and site B is being exempted from NAT, as NAT can cause similar issues to what you have described? Can you provide your configs?
Will
02-08-2018 09:19 AM
Hi Will,
Thanks for the reply. Both sides are NAT exempt. It's odd that I can get to all the switches at site B from site A. And those switches can ping devices on the vlan. What part of the config would be most helpful?
02-08-2018 09:38 AM
That is odd. Can you try and initiate a connection from a device on site B to a device on site A and check the output of 'show crypto ipsec sa' on site B to see if the encrypted packets are increasing or not?
02-08-2018 10:47 AM
So would it be a routing issue on site B on the layer 3 switch? It looks like the packets aren't going back through the tunnel; it looks like they're just getting sent to the outside interface.
02-08-2018 10:52 AM
Output: Packets are increasing, but I can't tell if it's in relation to site A devices trying to connect or my pings from site B.
#pkts encaps: 1407, #pkts encrypt: 1407, #pkts digest: 1407
#pkts decaps: 1803, #pkts decrypt: 1803, #pkts verify: 1803
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1407, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
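The check suggested above (watch whether the encaps/decaps counters move while you generate traffic) is easier to read as a delta between two snapshots of 'show crypto ipsec sa'. The following is an added example, not code from the thread: it parses the counter lines, diffs two snapshots and classifies the result. The first snapshot is the output posted above; the second is a constructed later sample in which only the decaps side has moved. Note the caveat the poster raises: the counters are aggregate for the SA, so to attribute a change to one flow you need the other side quiet, or a distinctive burst (e.g. a known number of pings) that you can recognise in the delta.

```python
import re

# Snapshot 1: the 'show crypto ipsec sa' counters posted in the thread.
SNAPSHOT_1 = """\
#pkts encaps: 1407, #pkts encrypt: 1407, #pkts digest: 1407
#pkts decaps: 1803, #pkts decrypt: 1803, #pkts verify: 1803
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1407, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
"""

# Snapshot 2: constructed, taken "a minute later" while pinging from site B.
# Only decaps moved, i.e. the peer is still sending us traffic but nothing we
# originated was encrypted into the tunnel.
SNAPSHOT_2 = """\
#pkts encaps: 1407, #pkts encrypt: 1407, #pkts digest: 1407
#pkts decaps: 1858, #pkts decrypt: 1858, #pkts verify: 1858
#pkts compressed: 0, #pkts decompressed: 0
#send errors: 0, #recv errors: 0
"""

# Each counter looks like "#<name>: <number>", several per line.
COUNTER_RE = re.compile(r"#([\w \-]+?):\s*(\d+)")


def parse_sa_counters(text):
    """Return {counter name: value} for every '#name: N' field in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def counter_delta(before, after):
    """Per-counter change between two snapshots (counters missing in either are skipped)."""
    return {k: after[k] - before[k] for k in after if k in before}


def classify(delta):
    """Summarise which direction of the SA carried traffic between the snapshots."""
    if delta.get("send errors", 0) or delta.get("recv errors", 0):
        return "errors"
    sent = delta.get("pkts encaps", 0)
    received = delta.get("pkts decaps", 0)
    if sent and received:
        return "bidirectional"
    if received:
        return "receive-only"   # peer is sending; our side is not putting packets into the tunnel
    if sent:
        return "send-only"
    return "idle"


if __name__ == "__main__":
    delta = counter_delta(parse_sa_counters(SNAPSHOT_1), parse_sa_counters(SNAPSHOT_2))
    for name in ("pkts encaps", "pkts decaps", "send errors", "recv errors"):
        print(f"{name:>12}: {delta[name]:+d}")
    print("verdict:", classify(delta))
```

A "receive-only" verdict while site B hosts are pinging is the signature of the problem in this thread: the traffic from site B never reached the ASA as a candidate for encryption, so the question moves to routing and host gateways rather than to the crypto map.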
02-08-2018 11:15 AM
Can you post the crypto config, routing table and NAT config from site B? Can you also confirm the IP address of a device located at site B and at site A that are failing to communicate?
02-08-2018 11:26 AM
interface Port-channel1
lacp max-bundle 8
port-channel load-balance src-dst-ip-port
nameif inside
security-level 100
ip address 10.17.1.1 255.255.255.252
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Env-net
subnet 10.10.88.0 255.255.255.0
description F Security Lan
object network NETWORK_OBJ_10.17.88.0_24
subnet 10.17.88.0 255.255.255.0
object network S_Lan
subnet 10.17.88.0 255.255.255.0
object network H_Data
subnet 10.17.120.0 255.255.255.0
object network vlan120
subnet 10.17.120.0 255.255.255.0
access-list Lan_Access standard permit 10.17.120.0 255.255.255.0
access-list Lan_Access standard permit 10.17.88.0 255.255.255.0
access-list Outside_cryptomap_1 extended permit ip 10.17.88.0 255.255.255.0 object E-net
access-list Outside_access_in extended permit icmp any4 any
access-list E-net_cryptomap extended permit ip object S object E-net inactive
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any Outside
asdm image disk0:/asdm-7221.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,Outside) source dynamic H_Data interface dns
nat (Outside,inside) source static E-net E-net destination static S_Lan S_Lan no-proxy-arp route-lookup inactive
nat (inside,Outside) source static S_Lan S_Lan destination static E-net E-net no-proxy-arp route-lookup
nat (inside,Outside) source static NETWORK_OBJ_10.17.88.0_24 NETWORK_OBJ_10.17.88.0_24 destination static E-net E-net no-proxy-arp route-lookup inactive
!
nat (inside,Outside) after-auto source dynamic any interface
access-group Outside_access_in in interface Outside
route Outside 0.0.0.0 0.0.0.0 1.9.16.11 1
route inside 10.17.88.0 255.255.255.0 10.17.1.2 1
route inside 10.17.120.0 255.255.255.0 10.17.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authentication login-history
http server enable
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 1 match address Outside_cryptomap_1
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set peer 7.1.3.1
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-256-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=esw01-BentlyHeritageLLC
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside client-services port 443
crypto ikev2 enable inside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable Outside
crypto ikev1 enable inside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-macos-4.5.01044-webdeploy-k9.pkg 1
anyconnect profiles Heritage_client_profile disk0:/Heritage_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_Heritage internal
group-policy GroupPolicy_Heritage attributes
wins-server none
dns-server none
vpn-tunnel-protocol ikev2 ssl-client
default-domain value bentlyheritage.com
split-tunnel-all-dns disable
webvpn
anyconnect profiles value Heritage_client_profile type user
group-policy GroupPolicy_7.1.3.1 internal
group-policy GroupPolicy_7.1.3.1 attributes
vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group Her type remote-access
tunnel-group Her general-attributes
address-pool Vpn
default-group-policy GroupPolicy_Heritage
tunnel-group Heritage webvpn-attributes
group-alias Heritage enable
tunnel-group 7.1.3.1 type ipsec-l2l
tunnel-group 7.1.3.1 general-attributes
default-group-policy GroupPolicy_7.1.3.1
tunnel-group 7.1.3.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a70f343304ea6d71970b853c7967324d
: end
02-08-2018 11:29 AM
So Site A can ping only the switches at 10.17.88.2-.6, nothing else on the subnet.
Site B can't ping host 10.10.88.155 or anything else on subnet.
02-08-2018 12:49 PM
Hi,
I have checked and your ASA config looks good. The routing is correct and traffic from 10.17.88.0/24 to 10.10.88.0/24 is exempt from NAT so it should match the crypto map and be encrypted over the tunnel.
Can you check and verify that the Site B switches are configured to use the L3 switch as the default gateway and that the L3 switch has a route to 10.10.88.0/24 with a next-hop IP address of the ASA inside interface 10.17.1.1?
Also can you confirm that when you send a ping from one of the Site B switches to 10.10.88.0/24 the traffic is sourced from a 10.17.88.0/24 IP address and not from any other IP address that may be configured on the switch?
02-08-2018 01:52 PM
So I've tried the gateway as the SVI and as the interface 10.17.1.2. Didn't seem to make a difference. Here's the switch's routing table. Am I missing a route here? And is it best to use the SVI and let the switch route it to 10.17.1.2 on to 10.17.1.1?
network 10.17.88.0 255.255.255.0
default-router 10.17.1.2
Gateway of last resort is 10.17.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.17.1.1
10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks
C 10.17.1.0/30 is directly connected, Port-channel1
L 10.17.1.2/32 is directly connected, Port-channel1
C 10.17.40.0/24 is directly connected, Vlan40
L 10.17.40.2/32 is directly connected, Vlan40
C 10.17.80.0/24 is directly connected, Vlan80
L 10.17.80.2/32 is directly connected, Vlan80
C 10.17.88.0/24 is directly connected, Vlan88
L 10.17.88.2/32 is directly connected, Vlan88
C 10.17.120.0/24 is directly connected, Vlan120
L 10.17.120.2/32 is directly connected, Vlan120
C 10.17.160.0/24 is directly connected, Vlan160
L 10.17.160.2/32 is directly connected, Vlan160
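To answer the "am I missing a route" question mechanically, the following added example (not from the thread) parses the routing table posted above, does a longest-prefix lookup for the site A host, and then walks a simplified model of the path: host, default gateway, L3 switch, ASA NAT, ASA crypto map. It encodes the assumptions already made in this thread: object E-net is the 10.10.88.0/24 site A subnet (the config lists it as Env-net), the ASA inside address is 10.17.1.1, the switch's SVI addresses are the L /32 entries in the table, and 10.17.88.3 is a constructed address for an access-layer switch that does no IP routing. The NAT step reflects ASA order of operations, where NAT runs before the crypto map match, which is why a missing exemption makes traffic miss the tunnel.

```python
import ipaddress
import re

# Site B L3 switch routing table as posted (S* and C lines; the L /32 local
# routes are folded into L3_SWITCH_IPS below).
SWITCH_ROUTES_TEXT = """\
S* 0.0.0.0/0 [1/0] via 10.17.1.1
C 10.17.1.0/30 is directly connected, Port-channel1
C 10.17.40.0/24 is directly connected, Vlan40
C 10.17.80.0/24 is directly connected, Vlan80
C 10.17.88.0/24 is directly connected, Vlan88
C 10.17.120.0/24 is directly connected, Vlan120
C 10.17.160.0/24 is directly connected, Vlan160
"""

ASA_INSIDE = "10.17.1.1"   # from 'ip address 10.17.1.1 255.255.255.252' in the ASA config
L3_SWITCH_IPS = {"10.17.1.2", "10.17.40.2", "10.17.80.2",
                 "10.17.88.2", "10.17.120.2", "10.17.160.2"}   # the L /32 routes
ACCESS_SWITCH_IP = "10.17.88.3"   # constructed: management IP of an L2-only access switch

# Outside_cryptomap_1 and the active NAT exemption from the ASA config, with
# object E-net assumed to be 10.10.88.0/24 (listed as Env-net in the config).
CRYPTO_ACL = [("10.17.88.0/24", "10.10.88.0/24")]
NAT_EXEMPT = [("10.17.88.0/24", "10.10.88.0/24")]

ROUTE_RE = re.compile(
    r"^\S+\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<via>\d+(?:\.\d+){3})|is directly connected,\s+(?P<intf>\S+))"
)


def parse_routes(text):
    """Turn 'show ip route' lines into (network, next_hop_or_None, interface_or_None)."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m["prefix"]), m["via"], m["intf"]))
    return routes


SWITCH_ROUTES = parse_routes(SWITCH_ROUTES_TEXT)


def lookup(routes, dst):
    """Longest-prefix match for dst; returns the route tuple or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via, intf in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, intf)
    return best


def _pair_match(pairs, src, dst):
    """True if (src, dst) falls inside any (src_net, dst_net) pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in pairs)


def trace(src, gateway, dst, src_prefixlen=24):
    """Simplified hop list for a site B host sending to dst (model, not a real traceroute)."""
    if ipaddress.ip_address(dst) in ipaddress.ip_network(f"{src}/{src_prefixlen}", strict=False):
        return ["delivered on the local subnet"]
    hops = [f"host -> gateway {gateway}"]
    if gateway not in L3_SWITCH_IPS:
        hops.append("not forwarded: gateway is not the L3 switch (an access switch does no IP routing)")
        return hops
    route = lookup(SWITCH_ROUTES, dst)
    if route is None:
        hops.append("not forwarded: no route on the L3 switch")
        return hops
    net, via, intf = route
    if via is None:
        hops.append(f"L3 switch delivers directly on {intf}")
        return hops
    hops.append(f"L3 switch -> {via} via {net}")
    if via != ASA_INSIDE:
        return hops
    # ASA: NAT is evaluated before the crypto map, so a PATed source never matches the crypto ACL.
    if not _pair_match(NAT_EXEMPT, src, dst):
        hops.append("ASA: source PATed to the Outside interface, crypto ACL cannot match, sent in the clear")
    elif _pair_match(CRYPTO_ACL, src, dst):
        hops.append("ASA: matches Outside_cryptomap_1, encrypted to peer 7.1.3.1")
    else:
        hops.append("ASA: no crypto ACL match, routed in the clear via the Outside default route")
    return hops


if __name__ == "__main__":
    for gw in ("10.17.88.2", ACCESS_SWITCH_IP):
        print(f"gateway {gw}:")
        for hop in trace("10.17.88.50", gw, "10.10.88.155"):
            print("  ", hop)
```

Run against the table above, the lookup for 10.10.88.155 hits only the default route via 10.17.1.1, so no route is missing on the switch: a host whose gateway is the Vlan88 SVI reaches the ASA and matches the crypto map, while a host pointed at the access switch never gets that far, which is the misconfiguration the thread ends on.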
02-08-2018 02:08 PM
The devices on the 10.17.88.0/24 network should use the L3 switch's VLAN 88 SVI as the default gateway. From your output I believe that this IP address is 10.17.88.2.
Can you try and ping site A 10.10.88.155 from the Site B L3 switch as follows and let me know if the ping is successful?
ping 10.10.88.155 source vlan 88
02-08-2018 02:12 PM
Thank you for walking through this with me. Problem was a gateway misconfig on hosts, they had their gateway configured to the access layer switch.
Cheers!
Joe