ASA blocks traffic for some VPN ip

zdenek.roub
Level 1

Hello,

I would like to ask you if you've seen this problem.

In our company we use an ASA 5550 as a VPN server (failover pair, FW 8.2(5)). For a long time we used the Cisco VPN client (easyVPN) only, and some time ago we started to use L2TP/IPsec VPN from Windows clients.

Since then we can see strange behavior. Some IP addresses (we use IPv4 only) from the local VPN IP pool become unusable for clients. When a client gets such an IP address, the traffic from the client to the intranet is OK but the traffic from the intranet to the client is blocked. This behavior affects both L2TP/IPsec and easyVPN clients with this IP address.

The packet trace shows that the traffic is blocked because of the implicit deny ACL, although the ACL for the connected user is created:

Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x23cb7fe0, priority=11, domain=vpn-user, deny=true
                hits=184981746, user_data=0x1db7ca40, filter_id=0x0(-implicit deny-), protocol=0
                src ip=0.0.0.0, mask=0.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0

When the same client gets a "normal" IP address, the packet trace shows:

Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2b59b200, priority=12, domain=vpn-user, deny=false
                hits=7, user_data=0x1db0c6c0, filter_id=0x159(AAA-user-username-65C49A0F), protocol=0
                src ip=10.0.0.0, mask=255.0.0.0, port=0
                dst ip=0.0.0.0, mask=0.0.0.0, port=0

We use RADIUS for authentication and ACLs. Failover to the standby ASA solves the problem, but this terminates all L2TP/IPsec VPN connections.

We use Cisco AnyConnect VPN too, and when an AnyConnect client gets this "strange" IP address it can communicate normally without problems. It looks like this problem is related to IPsec.

Do you have any recommendation on how to discover why the ASA uses -implicit deny- instead of the user ACL?

Thank you

Accepted Solution

As I said, I had the same problem.

Cisco Support Team checked my config and didn't see any wrong configuration, but agreed that the firewall was dropping the traffic from the ASA to the client.

Their recommendation: upgrade the OS (I was on 8.4.5).

I'm now on 9.1.2 and the problem is gone.

All previous "bad" IP addresses are usable now.
Regards,


7 Replies

edatlas
Level 1

We have the same problem here for some distinct partners. After some days/weeks I have to change the possible IP range in their local IP pool so they can work. It seems the IPs get "unusable": incoming traffic is OK, but no outgoing.

Packet Tracer reveals the same as you:

Type - ACCESS-LIST
Action - DROP

I have opened a support case.

And in the meantime I have to change the IPs in the pool each time clients can't work....

Santhosha Shetty
Cisco Employee

Hi,

Could you please collect the following:

Detailed complete packet-tracer output for the non-working traffic

sh vpn-sessiondb detail

sh asp table classify crypto

Thanks,

Shetty

Hello Shetty,

the requested information is in the attachment.

Thanks,

Zdenek

Hi,

I see you have not sent the complete output!! :-)..

Interface outside:

in  id=0x2cec2fc8, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=0, user_data=0x102401ac, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.4.217.173, mask=255.255.255.255, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0
out id=0x2d7a95f0, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x1023f954, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.0.0.0, mask=255.0.0.0, port=0
        dst ip=10.4.217.173, mask=255.255.255.255, port=0, dscp=0x0

As you can see from the above entry, there are no hit counts increasing. I believe the failing traffic is being dropped/denied by another matching duplicate rule which might have been placed above this rule. If you could paste the complete output of "sh asp table classify crypto", we can try to find which entry is causing the problem for this traffic.

I would like you to test the same by using different IP pools for easy-vpn and L2TP clients, if that's feasible.

--Thanks,

Shetty
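To work through the two outputs discussed in this thread (the OP's packet-tracer DROP phase and the "duplicate rule with hits=0" check Shetty asks for), here is an added Python example, not from the thread or from Cisco. It parses rule entries in the format that packet-tracer and "sh asp table classify crypto" print, reports vpn-user rules that resolved to the implicit deny, and reports duplicate entries that never match. The sample text and its ids/counters are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the rule format ASA packet-tracer and "show asp table classify"
# print (as seen in the thread); ids and counters are made up, not from the page.
SAMPLE = """\
in  id=0xa1, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=1520, user_data=0x10, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.4.217.173, mask=255.255.255.255, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0
in  id=0xa2, priority=69, domain=ipsec-tunnel-flow, deny=false
        hits=0, user_data=0x11, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=10.4.217.173, mask=255.255.255.255, port=0
        dst ip=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0
out id=0xa3, priority=11, domain=vpn-user, deny=true
        hits=184981746, user_data=0x12, filter_id=0x0(-implicit deny-), protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0
"""

HEAD = re.compile(r"^(in|out)\s+id=([^,]+), priority=(\d+), domain=([^,]+), deny=(true|false)")
ADDR = re.compile(r"^(src|dst) ip=([^,\s]+), mask=([^,\s]+)")

def parse_rules(text):
    """Return one dict per rule: dir, id, domain, deny, hits, filter, src, dst."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := HEAD.match(line):                       # first line of a rule entry
            cur = dict(dir=m[1], id=m[2], domain=m[4], deny=m[5] == "true",
                       hits=0, filter=None, src=None, dst=None)
            rules.append(cur)
        elif cur and line.startswith("hits="):          # counters / filter_id line
            cur["hits"] = int(re.match(r"hits=(\d+)", line)[1])
            if f := re.search(r"filter_id=([^,]+)", line):
                cur["filter"] = f[1]
        elif cur and (m := ADDR.match(line)):           # src / dst lines
            cur[m[1]] = f"{m[2]}/{m[3]}"
    return rules

def implicit_deny_vpn_user(rules):
    """Ids of vpn-user rules that fell back to the implicit deny (the OP's DROP phase)."""
    return [r["id"] for r in rules
            if r["domain"] == "vpn-user" and r["deny"] and "implicit deny" in (r["filter"] or "")]

def shadowed_duplicates(rules):
    """Ids of rules sharing dir/domain/src/dst with another rule but with hits=0,
    i.e. the 'duplicate rule placed above' situation Shetty describes."""
    groups = defaultdict(list)
    for r in rules:
        groups[(r["dir"], r["domain"], r["src"], r["dst"])].append(r)
    return [r["id"] for g in groups.values() if len(g) > 1 for r in g if r["hits"] == 0]
```

Run it over a saved "sh asp table classify crypto" capture instead of SAMPLE to see which entries for an affected pool address are duplicated and never hit.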

Hello Shetty,

thank you for your offer. I sent only the entries related to the affected IP address; there wasn't another duplicate entry for them.

I'm sorry but I can't send you the complete output because there is some sensitive information in it and I'm not authorized to publish it. It has several thousand lines and it would be a big job to anonymize this information.

We have only one IP pool for all types of VPN. These problems started when we configured L2TP/IPsec VPN, so I believe that IPs in an IP pool for easy-vpn only would stay "undamaged" (we used an "easy-vpn only" configuration for several years without problems).

I found two types of "damaged" IP addresses. In the first case the data come from the client to the intranet but not in the opposite direction (attachment case_1.txt). There are duplicate rules in "show asp table…" as you expected. In the second case no data come from the client to the intranet (attachment case_2.txt).

Thanks,

Zdenek


Hello edatlas,

thank you for the information that FW 9.1.2 solves the problem. We will upgrade too.

Zdenek
