cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

2317
Views
10
Helpful
7
Replies
Highlighted
Beginner

ASA blocks traffic for some VPN ip

Hello,

I would like to ask you if you've seen this problem.

In our company we use ASA 5550 as a VPN server (failover pair, FW 8.2(5)). Long time we used Cisco VPN client (easyVPN) only and some time ago we started to use L2TP/IPsec VPN from Windows clients.

From this time we can see strange behavior. Some ip addreses (we use ipv4 only) from local VPN ip pool are getting unusable for clients. When client gets this ip address the traffic from client to intranet is ok but the traffic from intranet to the client is blocked. This behavior affect both L2TP/IPsec and easyVPN clients with this ip address.

The packet trace shows that the traffic will be blocked because implicit deny ACL but ACL for the connected user is created:

Phase: 10

Type: ACCESS-LIST

Subtype: vpn-user

Result: DROP

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x23cb7fe0, priority=11, domain=vpn-user, deny=true

                hits=184981746, user_data=0x1db7ca40, filter_id=0x0(-implicit deny-), protocol=0

                src ip=0.0.0.0, mask=0.0.0.0, port=0

                dst ip=0.0.0.0, mask=0.0.0.0, port=0

When the same client gets "normal" ip address packet trace shows:

Phase: 10

Type: ACCESS-LIST

Subtype: vpn-user

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x2b59b200, priority=12, domain=vpn-user, deny=false

                hits=7, user_data=0x1db0c6c0, filter_id=0x159(AAA-user-username-65C49A0F), protocol=0

                src ip=10.0.0.0, mask=255.0.0.0, port=0

                dst ip=0.0.0.0, mask=0.0.0.0, port=0

We use RADIUS for authentication and ACL. Failover to the standby ASA solves the problem but this terminates all L2TP/IPsec VPN connections.

We use Cisco Anyconnect VPN too and when Anyconnect client gets this „strange“ ip address he can communicate normally without problems. It looks like that this problem is related to IPsec.

Do you have any recommendation how to discover why ASA uses -implicit deny- instead of user ACL?

Thank you

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: ASA blocks traffic for some VPN ip

As I said, I had the same problem.

Cisco Support Team checked my config, and didn't see any wrong configuration, but agreed that the firewall was dropping the traffic from ASA to Client.

Their recommandation : Upgrade OS (I was in 8.4.5)

I'm now in 9.1.2 and the problem is gone.

All previous "bas" IP Addresses are usable now.

Regards,

7 REPLIES 7
Beginner

ASA blocks traffic for some VPN ip

We have same problem here for some distinct partner. After some days/weeks I have to change the possible IP range in there local IP Pool so they can work. Seems the IPs get "unusable", incomming traffic is OK, but no outgoing.

Packet Tracer reveal same as you :

Type - ACCESS-LIST
Action - DROP

I have opened a support case.

And in the meanwhile I have to change the IPs in the Pool each time clients can't work....

Cisco Employee

ASA blocks traffic for some VPN ip

Hi,

Could you please collect the following:

Detailed complete packet-tracer output for non-working traffic:

sh vpn-sessiondb detail

sh asp table classify crypto

Thanks,

Shetty

Beginner

Re: ASA blocks traffic for some VPN ip

Hello Shetty,

requested informations are in the attachment.

Thanks,

Zdenek

Cisco Employee

ASA blocks traffic for some VPN ip

Hi,

I see you have not sent complete output!! :-)..

Interface outside:

in  id=0x2cec2fc8, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=0, user_data=0x102401ac, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.4.217.173, mask=255.255.255.255, port=0

        dst ip=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0

out id=0x2d7a95f0, priority=70, domain=encrypt, deny=false

        hits=0, user_data=0x1023f954, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip=10.0.0.0, mask=255.0.0.0, port=0

        dst ip=10.4.217.173, mask=255.255.255.255, port=0, dscp=0x0

As you can see from above entry, there are no hitcounts increasing, I believe the fialing traffic is is being dropped/denied by another matching duplicate rule which might have been placed above this rule. If you could pasted the complete output of "sh asp table classify crypto" we can try and find which is the entry causin problem for this traffic.

I would like you to test the same, by using different IP pools for easy-vpn and l2tp clients, if thats feasible.

--Thanks,

Shetty

Beginner

Re: ASA blocks traffic for some VPN ip

Hello Shetty,

thank you for your offer, I sent only entries related to affected ip address, there wasn't another duplicate entry to them.

I'm sorry but I can't send you complete output because there are some sensitive informations in it and I'm not authorized to public them. It has several thousend lines and it would be big work to anonymize these informations.

We have only one ip pool for all types of VPN. These problems started when we configured l2tp/ipsec VPN so I believe that ips in ip pool for easy-vpn would stay „undamaged“ (we used „easy-vpn only“ configuration for several years without problems).

I found two types of „damaged“ ip adresses. In the first case the data come from client to intranet but in the oposite direction they don’t (attachement case_1.txt). There are duplicate rules in “show as table…” as you expected. In the second case no data come from client to intranet (attachement case_2.txt).

Thanks,

Zdenek

Beginner

Re: ASA blocks traffic for some VPN ip

As I said, I had the same problem.

Cisco Support Team checked my config, and didn't see any wrong configuration, but agreed that the firewall was dropping the traffic from ASA to Client.

Their recommandation : Upgrade OS (I was in 8.4.5)

I'm now in 9.1.2 and the problem is gone.

All previous "bas" IP Addresses are usable now.

Regards,

Beginner

Re: ASA blocks traffic for some VPN ip

Hello edatlas,

thank you for information that FW 9.1.2 solves the problem. We will upgrade too.

Zdenek