1811 Router site-to-site to ASA - Up but no traffic passing

dslewitzke
Level 1

Hello everyone, I've been racking my brain on this one and can't seem to figure it out. I am setting up a site-to-site tunnel between an 1811 router and a 5505 ASA. I currently have several tunnels on the ASA, but to other security appliances such as ASAs or SonicWalls. I have gotten the tunnel up; Phase 1 and Phase 2 both complete successfully. However, I cannot pass traffic across the tunnel. I see on the ASA that Bytes Tx increases with attempts but Bytes Rx never moves. Same thing on the router: #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 - #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453

I'm sure it is something on the router end but can't figure it out. Here is the config I have used:

1811 Router:

crypto isakmp policy 2
 encr 3des
 authentication pre-share
crypto isakmp key Abc123!@ address XXX.XXX.XXX.XXX
crypto ipsec transform-set Denver esp-3des esp-sha-hmac
crypto map SMD_CMAP_1 1 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set Denver
 match address 120
interface FastEthernet1
 ip address XXX.XXX.XXX.XX 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SMD_CMAP_1
ip nat inside source route-map nonat interface FastEthernet1 overload
access-list 115 deny   ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.9.1.0 0.0.0.255 any
access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 115

ASA 5510:

object network OKL
 subnet 10.9.1.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 object OKL
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
crypto ipsec transform-set OKL esp-3des esp-sha-hmac
crypto map IPSECMAP 7 set peer XXX.XXX.XXX.XXX
crypto map IPSECMAP 7 set transform-set OKL
crypto map IPSECMAP 7 set reverse-route
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
 default-group-policy VPNGrpPolicy
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
 pre-shared-key *****

Please help me figure this one out!!!!

Any help is much appreciated.


This is strange: pinging is happening and no decaps happening, strange!!!!!!

Here I see some problem. Once doing ping:

pri/act/dscasa001# ping inside 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

----------------------------------

But the other ping:

pri/act/dscasa001# ping 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms -->why is it 1ms?

This IP address you are pinging belongs to the remote site, right, which is on the router end: 10.1.1.14.

Now show the output for the command

sh cry  ipsec sa

Oops, sorry...

pri/act/dscasa001# ping inside 10.1.1.14
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.14, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

pri/act/dscasa001# sh crypto ipsec sa peer XXX.XXX.XXX.36
peer address: XXX.XXX.XXX.36
    Crypto map tag: IPSECMAP, seq num: 7, local addr: XXX.XXX.XXX.68

      access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
      current_peer: XXX.XXX.XXX.36

      #pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 80, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: XXX.XXX.XXX.68/0, remote crypto endpt.: XXX.XXX.XXX.36/0
      path mtu 1478, ipsec overhead 58, media mtu 1500
      current outbound spi: C2E09BFB
      current inbound spi : 792C3ECA

    inbound esp sas:
      spi: 0x792C3ECA (2032942794)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
         sa timing: remaining key lifetime (kB/sec): (4374000/3013)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC2E09BFB (3269499899)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
         sa timing: remaining key lifetime (kB/sec): (4373995/3013)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Try to ping some IP in the 10.9.1.0 network from the ASA:

ping inside 10.9.1.X (any live IP)

and please paste the output and the crypto decaps and encaps output.

Run the packet-tracer once more, because what you ran before was not right. The first IP should be the source and then the destination:

"packet-tracer input inside icmp 10.1.1.14 0 8 10.9.1.20"

Now here the source is 10.1.1.14 and the destination is 10.9.1.20.

pri/act/dscasa001# packet-tracer input inside icmp 10.1.1.14 0 8 10.9.1.20

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.9.1.20       255.255.255.255 Outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
Additional Information:
Static translate 10.1.1.14/0 to 10.1.1.14/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12369145, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

Show the output for:

sh cry isa sa
sh cry ipsec sa

pri/act/dscasa001# ping 10.9.1.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.9.1.20, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

pri/act/dscasa001# sh crypto ipsec sa peer xxx.xxx.xxx.36
peer address: xxx.xxx.xxx.36
    Crypto map tag: IPSECMAP, seq num: 7, local addr: xxx.xxx.xxx.68

      access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 10.9.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
      current_peer: xxx.xxx.xxx.36

      #pkts encaps: 383, #pkts encrypt: 383, #pkts digest: 383
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 383, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: xxx.xxx.xxx.68/0, remote crypto endpt.: xxx.xxx.xxx.36/0
      path mtu 1478, ipsec overhead 58, media mtu 1500
      current outbound spi: C2E09BFB
      current inbound spi : 792C3ECA

    inbound esp sas:
      spi: 0x792C3ECA (2032942794)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
         sa timing: remaining key lifetime (kB/sec): (4374000/1362)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xC2E09BFB (3269499899)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31178752, crypto-map: IPSECMAP
         sa timing: remaining key lifetime (kB/sec): (4373977/1362)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

#sh cr isa sa
6   IKE Peer: 41.215.1.36
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
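The counter lines in the outputs above say more than the IKE state does: the ASA's encaps keep climbing while its decaps stay at 0, and the router in the first post shows the mirror image (decaps 453, encaps 0). The script below is an added example and not part of this thread: it parses the packet counters, error counters and proxy identities out of `show crypto ipsec sa` text from both peers and classifies the tunnel as idle, bidirectional, one-way, or lossy. The sample outputs are constructed from the figures posted in the thread, with the masked public peer addresses replaced by RFC 5737 documentation addresses (198.51.100.x).

```python
import re

# Constructed sample outputs, modelled on the "show crypto ipsec sa" figures in this
# thread. Public peer addresses are placeholders from the RFC 5737 documentation range.
ASA_SIDE = """\
peer address: 198.51.100.36
    Crypto map tag: IPSECMAP, seq num: 7, local addr: 198.51.100.68
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
      #pkts encaps: 383, #pkts encrypt: 383, #pkts digest: 383
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
"""

ROUTER_SIDE = """\
   local  ident (addr/mask/prot/port): (10.9.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 453, #pkts decrypt: 453, #pkts verify: 453
    #send errors: 0, #recv errors: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
ERROR_RE = re.compile(r"#(send|recv) errors: (\d+)")
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")


def parse_ipsec_sa(text):
    """Pull the packet counters, error counters and proxy identities out of one
    peer's 'show crypto ipsec sa' output. Only the fields needed for the
    one-way diagnosis are kept; a later occurrence overwrites an earlier one."""
    sa = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    sa.update({f"{kind}_errors": int(value) for kind, value in ERROR_RE.findall(text)})
    sa.update({side: f"{addr}/{mask}" for side, addr, mask in IDENT_RE.findall(text)})
    return sa


def diagnose(a, b, name_a="ASA", name_b="router"):
    """Classify the tunnel from both peers' counters. Returns (status, notes)."""
    notes = []
    # Each side's local selector must be the other side's remote selector.
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        notes.append("proxy identities are not mirrored; compare the crypto ACLs")
    a_tx, a_rx = a.get("encaps", 0), a.get("decaps", 0)
    b_tx, b_rx = b.get("encaps", 0), b.get("decaps", 0)
    if a_tx == 0 and b_tx == 0:
        status = "idle: neither peer has encrypted anything yet"
    elif a_rx > 0 and b_rx > 0:
        status = "bidirectional: both peers encrypt and decrypt"
    elif a_tx > 0 and b_rx > 0 and b_tx == 0:
        status = f"one-way: {name_b} decrypts but never encrypts a reply"
        notes.append(f"IKE and Phase 2 are fine; look at {name_b}'s return path "
                     "(route to the inside host, NAT exemption, crypto ACL)")
    elif b_tx > 0 and a_rx > 0 and a_tx == 0:
        status = f"one-way: {name_a} decrypts but never encrypts a reply"
        notes.append(f"IKE and Phase 2 are fine; look at {name_a}'s return path "
                     "(route to the inside host, NAT exemption, crypto ACL)")
    elif (a_tx > 0 and b_rx == 0) or (b_tx > 0 and a_rx == 0):
        status = "lossy: ESP is sent but never decrypted by the other peer"
        notes.append("check for ESP being dropped or translated between the peers, "
                     "or a stale SA (clear the IPsec SA and retry)")
    else:
        status = "inconclusive"
    return status, notes


if __name__ == "__main__":
    asa, router = parse_ipsec_sa(ASA_SIDE), parse_ipsec_sa(ROUTER_SIDE)
    status, notes = diagnose(asa, router)
    print(status)
    for note in notes:
        print(" -", note)
```

Run against the thread's figures the verdict is the one-way case, which points at the router's return path (its route back to the inside host, NAT exemption and crypto ACL) rather than at IKE; had the ASA's encaps been climbing with the router's decaps stuck at 0, the ESP packets would instead be getting lost between the two public addresses.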

Try to ping:

ping inside 10.9.1.20

If it is still not pinging, then try to clear the crypto:

clear crypto isa sa peer 41.215.1.36

and check too. Otherwise you need to rebuild the VPN tunnel.

I tried the ping after clearing the crypto isakmp and still the same result. Do you think rebuilding the tunnel will help? Is there something that should be done differently?

If there is still no traffic going through after giving the command

ping inside 10.9.1.20

(request timed out....), then decaps or encaps will not work.

Try to rebuild the tunnel, and when rebuilding, increase the order of the crypto map. Then try to ping inside 10.9.1.20 and run the packet-tracer too, and let's see what is happening.

I have rebuilt the tunnel and still no luck. I just want to make sure we are on the same page...

ASA local network is 10.1.1.0/24

1811 Router local network is 10.9.1.0/24

With the following config the tunnel comes up fine. It looks like traffic will leave from the ASA because the Bytes Tx counter will increase, but it is not receiving anything back from the router because the Bytes Rx always shows 0. The router seems to be receiving the traffic from the ASA because the pkts decaps will increase, but it is not sending anything back to the ASA because the pkts encaps counter stays at 0.

Here is the config I just used:

1811 Router:

crypto isakmp policy 1
 encr 3des
 group 2
 hash sha
 lifetime 86400
 authentication pre-share
crypto isakmp key Abc123!@ address xxx.xxx.xxx.68
crypto ipsec transform-set Denver esp-3des esp-sha-hmac
crypto map SMD_CMAP_1 1 ipsec-isakmp
 set peer xxx.xxx.xxx
 set transform-set Denver
 match address 120
interface FastEthernet1
 ip address xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SMD_CMAP_1
ip nat inside source route-map nonat interface FastEthernet1 overload
access-list 115 deny   ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 115 permit ip 10.9.1.0 0.0.0.255 any
access-list 120 permit ip 10.9.1.0 0.0.0.255 10.1.1.0 0.0.0.255
route-map nonat permit 10
 match ip address 115

ASA 5510:

object network OKL
 subnet 10.9.1.0 255.255.255.0
access-list Outside_cryptomap_6 extended permit ip 10.1.1.0 255.255.255.0 object OKL
nat (inside,any) source static obj-10.1.1.0 obj-10.1.1.0 destination static OKL OKL
crypto ipsec transform-set OKL esp-3des esp-sha-hmac
crypto map IPSECMAP 7 match address Outside_cryptomap_6
crypto map IPSECMAP 7 set peer xxx.xxx.xxx
crypto map IPSECMAP 7 set transform-set OKL
crypto map IPSECMAP 7 set reverse-route
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime none
tunnel-group xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx general-attributes
 default-group-policy VPNGrpPolicy
tunnel-group xxx.xxx.xxx ipsec-attributes
 pre-shared-key Abc123!@

What am I doing wrong????

Ah! Found something.

This is the inside interface.......

 description $FW_INSIDE$$ES_LAN$
 ip address XXX.XXX.XXX.XXX 255.255.255.248 secondary
 ip address 10.9.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

If I remove the IP NAT INSIDE command the traffic works..... However, when I remove it, the LAN loses internet connectivity. Is there any way around this?
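The NAT question the thread ends on comes down to how the router's route-map `nonat` (ACL 115) interacts with the crypto ACL 120: on IOS an inside-to-outside packet is translated before the crypto map is consulted, so any flow the crypto ACL should pick up must be kept out of NAT, or its translated source address no longer matches and it leaves unencrypted. The script below is an added example, not code from this thread or from Cisco: it evaluates Cisco wildcard-mask ACLs the way IOS does (first match wins, implicit deny at the end) against the two lists in the posted router config, reports whether a given flow would be translated and/or encrypted, and checks the exemption rule just stated. The address 203.0.113.5 stands in for an Internet host (RFC 5737 documentation range); the sample flows are constructed.

```python
import ipaddress

# The two access lists from the router config posted in this thread.
# Each entry: (action, source, source wildcard, destination, destination wildcard);
# "any" is written as the base address with a None wildcard.
ACL_115 = [  # matched by route-map "nonat": what gets translated
    ("deny",   "10.9.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    ("permit", "10.9.1.0", "0.0.0.255", "any", None),
]
ACL_120 = [  # crypto map "match address 120": what gets encrypted
    ("permit", "10.9.1.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ((a ^ b) & care) == 0


def acl_action(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def router_disposition(src, dst):
    """What the posted router config does with an inside-to-outside packet:
    translate it only if ACL 115 permits it, encrypt it only if ACL 120 permits it."""
    return {
        "translated": acl_action(ACL_115, src, dst) == "permit",
        "encrypted": acl_action(ACL_120, src, dst) == "permit",
    }


def nat_exemption_consistent(crypto_acl, nonat_acl):
    """Every flow the crypto ACL selects must be denied by the NAT route-map's ACL.
    Once the source is translated to the outside interface address it no longer
    matches the crypto ACL, so the packet leaves in the clear instead of in ESP."""
    for action, s, _, d, _ in crypto_acl:
        if action != "permit":
            continue
        probe_src = "0.0.0.0" if s == "any" else s
        probe_dst = "0.0.0.0" if d == "any" else d
        if acl_action(nonat_acl, probe_src, probe_dst) == "permit":
            return False
    return True


if __name__ == "__main__":
    # Constructed sample flows: VPN traffic, Internet traffic, and a host outside the LAN.
    for src, dst in [("10.9.1.20", "10.1.1.14"),
                     ("10.9.1.20", "203.0.113.5"),
                     ("10.9.2.7", "10.1.1.14")]:
        print(src, "->", dst, router_disposition(src, dst))
    print("NAT exemption consistent:", nat_exemption_consistent(ACL_120, ACL_115))
    print("without the deny line:", nat_exemption_consistent(ACL_120, ACL_115[1:]))
```

With the lists exactly as posted, the VPN flow is exempt from translation and is encrypted, and an Internet-bound flow is translated and not encrypted, so the deny line in ACL 115 is doing its job. The consistency check fails, as intended, when that deny line is dropped, which is a common reason for encaps staying at 0 on a router that has `ip nat inside` on its LAN interface; a mismatch between the crypto ACL and the exemption ACL is one of the first things worth checking whenever a tunnel is up but only decrypts.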