10882 Views, 0 Helpful, 15 Replies

Cisco ASA 5512-x L2TP IPSEC vpn tunnel up, ping to devices work, but no other connection.

madismannik (Level 1)

Hello,

I've successfully configured a Cisco ASA 5512-X device. This includes the internal network connections, NAT and, almost, VPN.

Now the problem is that I can establish a VPN tunnel from the outside network. I can ping from the VPN to inside network devices and vice versa. I can resolve the network names of internal devices and so on. When I try to use Remote Desktop or access internal web pages, it seems that everything is restricted or denied.

My config:


interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address g.g.g.i 255.255.255.192
!
interface Redundant5
description Inside Interface
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address x.x.x.x 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
ftp mode passive
clock timezone EET 2
dns domain-lookup Inside
dns server-group DefaultDNS
name-server x.x.x.c
name-server x.x.x.y
domain-name MyNet.ee
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_x.y.c.0_24
subnet x.y.c.0 255.255.255.0
object network Gateway
host g.g.g.g
description Gateway address

object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network MyNet
description MyNet  Internal networks
network-object x.x.x.0 255.255.255.0
network-object k.k.k.0 255.255.255.0
network-object t.t.t.0 255.255.255.0
network-object p.p.p.0 255.255.255.0
network-object pt.pt.pt.0 255.255.255.0

object-group network VPN-network
description VPN Users Network Group
network-object object NETWORK_OBJ_x.y.c.0_24

object-group network DM_INLINE_NETWORK_2
group-object MyNet
group-object VPN-network
object-group service Inside-outside
description Inside-Outside policy for internet access
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq https
service-object object 7046
service-object object 8008
service-object object MS-DS-SMB
service-object object RDMI-SHO-HTTP
service-object tcp destination eq pop3
service-object tcp destination eq smtp

access-list Inside_access_in extended permit ip object-group VPN-network object-group MyNet
access-list Inside_access_in extended permit ip object-group MyNet object-group VPN-network
access-list Inside_access_in extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group MyNet any
access-list Inside_access_in extended permit ip any object-group MyNet
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any object-group VPN-network
access-list global_access extended permit ip object-group VPN-network any
access-list global_access extended permit object-group Inside-outside any object-group MyNet
access-list global_access extended permit ip any object-group MyNet inactive
access-list global_access extended permit ip any any inactive
access-list ACL_IN extended permit ip object-group MyNet object-group VPN-network
access-list tcp_bypass extended permit tcp x.x.x.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp k.k.k.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp t.t.t.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp p.p.p.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp pt.pt.pt.0 255.255.255.0 any
access-list Inside_access_out extended permit ip any object-group VPN-network
access-list Inside_access_out extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_out extended permit ip object-group MyNet any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip object-group VPN-network object-group MyNet
access-list Outside_access_out extended permit ip object-group MyNet object-group VPN-network
access-list Outside_access_out extended permit object-group Inside-outside object-group MyNet any
access-list Outside_access_out extended permit ip object-group MyNet any
access-list Outside_access_in extended permit ip object-group MyNet object-group VPN-network
access-list Outside_access_in extended permit ip object-group VPN-network object-group MyNet
access-list Outside_access_in extended permit object-group Inside-outside any object-group MyNet
access-list Outside_access_in extended permit ip any object-group MyNet inactive
access-list Internal-VPN standard permit x.y.c.0 255.255.255.0

ip local pool VPN-Pool x.y.c.50-x.y.c.150

nat (any,any) source static VPN-network VPN-network destination static MyNet MyNet
nat (Inside,any) source static MyNet MyNet destination static MyNet MyNet
!
nat (Inside,Outside) after-auto source dynamic MyNet interface
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
access-group global_access global

route Outside 0.0.0.0 0.0.0.0 g.g.g.1 1
route Inside k.k.k.0 255.255.255.0 x.x.x.254 1
route Inside t.t.t.0 255.255.255.0 x.x.x.254 1
route Inside p.p.p.0 255.255.255.0 x.x.x.254 1
route Inside pt.pt.pt.0 255.255.255.0 x.x.x.254 1
route Inside 0.0.0.0 0.0.0.0 x.x.x.1 tunneled

dynamic-access-policy-record DfltAccessPolicy
aaa-server UM-Radius protocol radius
aaa-server UM-Radius (Inside) host x.x.x.y
key *****
no user-identity enable
user-identity default-domain LOCAL
no user-identity action mac-address-mismatch remove-user-ip
http server enable

crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface Outside

crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value x.x.x.y x.x.x.c
vpn-tunnel-protocol l2tp-ipsec
default-domain value MyNet.ee
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) VPN-Pool
address-pool VPN-Pool
authentication-server-group UM-Radius
authentication-server-group (Inside) UM-Radius
authorization-server-group UM-Radius
accounting-server-group UM-Radius
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!

I have been on this issue for a few weeks now.
Thanks in advance.

Accepted Solution

Hi Madis,

Based on your explanation, you can access some hosts running Windows 8 but not some others running Windows 7 that are in the same LAN. This straight away points me to believe that it has nothing to do with the configuration or the VPN on either the ASA or the router. Because everything is set up between LAN-to-LAN subnets, if you can access just one IP address within that subnet, you should be able to access everything else on that subnet.

The security appliance has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message. This message could indicate a network performance or connectivity issue where the peer is not receiving sent packets in a timely manner.

Phase: Phase 1 or 2
Action: Retransmitting last packet, or No last packet to transmit.
Recommended Action: Verify network performance or connectivity.

You mention that you can't access the server. Can you enable the following:

management-access Inside

and check if you can ping the ASA Inside interface ip address after the above command is added.

If you can, then it doesn't seem to be a configuration issue. You might want to check if the server has a firewall enabled that might be blocking inbound connections from different subnets. See if you can access anything else within the same subnet.

Lastly, please share the output of following commands from your ASA:

1. show crypto debug-condition

2. show crypto ipsec df-bit

3. show crypto ipsec fragmentation

4. show crypto ipsec sa

5. show crypto ipsec stats

6. show crypto isakmp stats

7. show crypto isakmp sa

8. show crypto isakmp stats

9. show crypto protocol statistics

Best regards,

Sachin Garg


15 Replies

madismannik (Level 1)

I identified the problem, but I have no idea how to solve it.

The problem is related to service policies. As soon as I disable all service policies, I can access the internal network from the VPN network. As soon as I enable the service policy, the VPN connection to the internal network is gone.

I am really looking forward to getting this working ASAP.

Hi Madis,

I have no experience with L2TP VPN on the Cisco ASA, but I see something that I want to point out that might help.

nat (any,any) source static VPN-network VPN-network destination static MyNet MyNet

The any,any interface statement might have your ASA confused about how to route traffic. I'd suggest you go with

nat (Inside,Outside) source static VPN-network VPN-network destination static MyNet MyNet

This might help, though I am not giving any guarantee. I remember I had a NAT problem some time ago with nat (any,any): I wasn't able to reach anywhere on the internet until I specified the source and destination interfaces.

Try that and let's see how it goes. A packet-tracer output would help too.

Thanks

Teddy

Thank you for replying. Unfortunately this did not work.

Just in case, I repost my current config:

: Saved
:
ASA Version 9.1(3)
!
hostname myyr
domain-name MyNet.ee
enable password j65f6SZsn3TSP/30 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN-Pool 192.168.15.50-192.168.15.150
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 86.54.32.11 255.255.255.192
!
interface Redundant5
description Inside Interface
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
boot system disk0:/asa913-smp-k8.bin
ftp mode passive
clock timezone EET 2
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.0.100
name-server 192.168.0.101
domain-name MyNet.ee
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Network
subnet 192.168.15.0 255.255.255.0
object network Gateway
host 86.54.32.11
description Gateway address
object network FTP
host 192.168.0.50
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
object-group network MyNet
description MyNet Internal networks
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
group-object MyNet
object-group service Inside-outside
description Inside-Outside policy for internet access
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
access-list Inside_access_in extended permit ip any4 object VPN-Network
access-list Inside_access_in extended permit ip object VPN-Network any4
access-list Inside_access_in extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_in extended permit ip object-group MyNet any4
access-list Inside_access_out extended permit ip object VPN-Network any4
access-list Inside_access_out extended permit ip any4 object VPN-Network
access-list Inside_access_out extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_out extended permit ip object-group MyNet any4
access-list Internal extended permit ip 192.168.0.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.1.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.2.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.3.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.4.0 255.255.255.0 any4
access-list Outside_access_in extended permit ip object VPN-Network any4
access-list Outside_access_in extended permit ip any4 object VPN-Network
!
tcp-map Internal
  queue-limit 99 timeout 5
  synack-data allow
  invalid-ack allow
  seq-past-window allow
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  no ttl-evasion-protection
  urgent-flag allow
!
tcp-map tcp_bypass
  queue-limit 99 timeout 5
  synack-data allow
  invalid-ack allow
  seq-past-window allow
  tcp-options range 6 7 allow
  tcp-options range 9 255 allow
  no ttl-evasion-protection
  urgent-flag allow
!
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu Inside 1500
ip audit name Out_Inf info action alarm drop reset
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static MyNet MyNet destination static VPN-Network VPN-Network no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic VPN-Network interface
nat (Inside,Outside) source dynamic MyNet interface
!
object network FTP
nat (Inside,Outside) static interface service tcp ftp ftp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 194.126.100.1 1
route Inside 192.168.1.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.3.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.4.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server UM-Radius protocol radius
aaa-server UM-Radius (Inside) host 192.168.0.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value 192.168.0.100 192.168.0.101
vpn-tunnel-protocol l2tp-ipsec
default-domain value MyNet.ee
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) VPN-Pool
address-pool VPN-Pool
authentication-server-group UM-Radius
authentication-server-group (Inside) UM-Radius
authorization-server-group UM-Radius
accounting-server-group UM-Radius
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
description "TCP traffic bypass"
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
policy-map global-policy
class class-default
  user-statistics accounting
policy-map tcp_bypass_policy
class tcp_bypass
  set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface Inside

And it really seems to be some kind of problem with the service policy. It seems like the global policy is still enabled and dropping something.

The VPN starts working as soon as I remove all service policies. Unfortunately, I cannot do this because then our intranet stops working.

So it is like this: when I disable the service policy, VPN works, intranet does not work.

When I enable the service policy (for TCP bypass), intranet works, VPN does not work.
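Editor's note, added example (not from the thread or from Cisco): the service policy above applies tcp-state-bypass to a class-map that does "match any" on the Inside interface, which switches off TCP state checking for every flow entering that interface, not just the intranet traffic it was meant for. The same config also carries "permit ip any any" entries, a nat (any,any) rule, 3DES and DH group 2 IKEv1 proposals and SSH key exchange with DH group 1. The Python below is a small audit that reads an ASA running-config and reports those patterns; SAMPLE_CONFIG is a constructed excerpt that mirrors the lines posted above, and the audit matches class-map / policy-map children by keyword rather than indentation, so it also works on a paste that lost its leading spaces. The severities are the editor's own, not an ASA feature.

```python
"""Flag ASA running-config settings that widen the attack surface.
Added example; SAMPLE_CONFIG is constructed to mirror the config in the thread."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

SAMPLE_CONFIG = """\
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any any inactive
nat (any,any) source static VPN-network VPN-network destination static MyNet MyNet
sysopt connection tcpmss 1300
sysopt connection permit-vpn
ssh key-exchange group dh-group1-sha1
crypto ikev1 policy 1000
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2000
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
class-map inspection_default
 match default-inspection-traffic
class-map tcp_bypass
 description "TCP traffic bypass"
 match any
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy tcp_bypass_policy interface Inside
"""


def audit_asa_config(config: str) -> List[Finding]:
    """Walk the config once, tracking which section a line belongs to by keyword."""
    findings: List[Finding] = []
    any_match = set()                       # class-maps that 'match any'
    bypass: Dict[str, List[str]] = {}       # policy-map -> classes with tcp-state-bypass
    applied: Dict[str, str] = {}            # policy-map -> 'global' or 'interface X'
    cmap = pmap = cls = ike = None          # current section; reset on every new header

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"class-map(?: type .*)? (\S+)$", line):
            cmap, pmap, cls, ike = m.group(1), None, None, None
        elif m := re.match(r"policy-map(?: type .*)? (\S+)$", line):
            pmap, cmap, cls, ike = m.group(1), None, None, None
        elif m := re.match(r"crypto ikev1 policy (\d+)$", line):
            ike, cmap, pmap, cls = m.group(1), None, None, None
        elif cmap and line == "match any":
            any_match.add(cmap)
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            cls = m.group(1)
        elif pmap and cls and line == "set connection advanced-options tcp-state-bypass":
            bypass.setdefault(pmap, []).append(cls)
        elif m := re.match(r"service-policy (\S+) (global|interface \S+)$", line):
            applied[m.group(1)] = m.group(2)
        elif re.match(r"access-list \S+ extended permit ip any4? any4?$", line):
            findings.append(("HIGH", f"ACL entry permits all traffic: {line}"))
        elif line.startswith("nat (any,any)"):
            findings.append(("MEDIUM", f"NAT rule bound to no interface pair: {line}"))
        elif line == "sysopt connection permit-vpn":
            findings.append(("MEDIUM", "decrypted VPN traffic skips the interface ACLs "
                                       "(the ASA default); restrict it with a vpn-filter"))
        elif line == "ssh key-exchange group dh-group1-sha1":
            findings.append(("MEDIUM", "SSH management uses 1024-bit DH group 1"))
        elif ike and line in ("encryption 3des", "group 2"):
            findings.append(("LOW", f"ikev1 policy {ike}: weak proposal '{line}'"))

    # A bypass class only matters in combination: which class, and where it is applied.
    for p, classes in bypass.items():
        for c in classes:
            if c in any_match:
                where = applied.get(p, "not applied")
                findings.append(("HIGH", f"policy-map {p} turns off TCP state checking for "
                                         f"class {c} (match any), {where}: every TCP flow on "
                                         "that interface bypasses stateful inspection"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_asa_config(SAMPLE_CONFIG):
        print(f"{severity:6} {message}")
```

The inactive "permit ip any any" entry is deliberately ignored, and the "match any" finding is only raised once the class is actually bound to a tcp-state-bypass action, so narrowing the class-map to the intranet hosts (or an access-list match) makes that finding disappear while leaving the bypass in place for the traffic that needs it.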

Could you please explain why you have used these NATs:

nat (Inside,Outside) source static MyNet MyNet destination static VPN-Network VPN-Network no-proxy-arp route-lookup

nat (Outside,Outside) source dynamic VPN-Network interface ----> what is this NAT?

nat (Inside,Outside) source dynamic MyNet interface

!

object network FTP

nat (Inside,Outside) static interface service tcp ftp ftp

nat (Outside,Outside) source dynamic VPN-Network interface ----> what is this NAT?

I am using this in order to access the internet through the VPN. I am not using split-tunnel VPN.

Now I was able to get the VPN connection up and even access a few pages on the internet. I could also connect with RDP to our server. So it's now a packet fragmentation problem.

After I added these commands:

sysopt connection tcpmss 1300

sysopt connection permit-vpn

everything started to work (at least for me), but other computers were unable to set up a VPN connection. Only two computers have established VPN tunnels successfully: one of them is Windows 8 and the other Windows 7. Windows 8 has not had any trouble connecting to the VPN.

After a little more debugging I see why the Windows 7 client cannot connect. The log shows: Duplicate Phase 2 packet detected. Retransmitting last packet.

Windows keeps doing this until the connection times out.
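Editor's note, added example (not from the thread or from Cisco): the tcpmss clamp above works because the ASA's default MSS of 1380 leaves no room for the L2TP/IPsec encapsulation in a 1500-byte path, so full-size segments were being fragmented. The Python below computes the largest MSS that still fits once ESP transport mode (AES-CBC with HMAC-SHA1-96, as in the transform sets above), the UDP/L2TP and PPP headers and the CBC block padding are added, with and without NAT-T. The header sizes are the usual encapsulation sizes and are assumptions, not values from the thread (the L2TP data header is taken as 8 bytes with the Length field present, PPP as 4 bytes with no header compression); the "ipsec overhead 74(44)" figure the ASA prints is not used. Note that sysopt connection tcpmss is global on the ASA: the clamp applies to every TCP connection through the box, not only to VPN traffic.

```python
"""Largest TCP MSS that fits an L2TP/IPsec (ESP transport, AES-CBC + HMAC-SHA1-96)
packet into a path MTU without fragmentation.  Added example; header sizes are
assumed standard encapsulation sizes, not values taken from the thread."""

OUTER_IP = 20     # IPv4 header, carried in clear (transport mode reuses it)
NAT_T_UDP = 8     # UDP/4500 header, present only when NAT traversal is negotiated
ESP_HDR = 8       # SPI + sequence number
AES_IV = 16       # CBC IV, one AES block
ESP_TRAILER = 2   # pad length + next header, inside the encrypted part
SHA1_ICV = 12     # HMAC-SHA1-96 integrity check value
L2TP_UDP = 8      # UDP/1701 header
L2TP_HDR = 8      # L2TP data message header with Length field (assumption)
PPP_HDR = 4       # PPP address, control and protocol, uncompressed (assumption)
INNER_IP = 20     # the client's IPv4 header inside the tunnel
TCP_HDR = 20      # TCP header without options
AES_BLOCK = 16    # CBC pads the encrypted part to a whole block


def wire_size(mss: int, nat_t: bool = False) -> int:
    """Bytes on the wire for one TCP segment carrying `mss` bytes of payload."""
    encrypted = L2TP_UDP + L2TP_HDR + PPP_HDR + INNER_IP + TCP_HDR + mss + ESP_TRAILER
    pad = (-encrypted) % AES_BLOCK                      # bring to a block boundary
    return (OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + AES_IV
            + encrypted + pad + SHA1_ICV)


def max_mss(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest MSS whose segment fits in path_mtu; padding makes this non-monotonic
    in small steps, so walk down from the MTU instead of solving arithmetically."""
    mss = path_mtu
    while mss > 0 and wire_size(mss, nat_t) > path_mtu:
        mss -= 1
    return mss


def fragments(mss: int, path_mtu: int = 1500, nat_t: bool = False) -> bool:
    """True when a full-size segment at this MSS cannot cross path_mtu in one piece."""
    return wire_size(mss, nat_t) > path_mtu


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: max MSS {max_mss(nat_t=nat_t)}, "
              f"ASA default 1380 fragments: {fragments(1380, nat_t=nat_t)}, "
              f"clamp 1300 fragments: {fragments(1300, nat_t=nat_t)}")
```

With these sizes the ceiling is 1378 without NAT-T and 1362 with it, so the ASA's default of 1380 fragments in both cases while 1300 leaves a comfortable margin for PPP or L2TP options the calculation does not model.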


Hi Sachin,

There is a small misunderstanding here. These Windows 7 and Windows 8 clients are trying to set up VPN access from an external network. Windows 8 can connect without any problem. The other, Windows 7, client is having issues. Meanwhile, on the same external network, with the same settings, a different machine can connect.

It's like 2 PCs can connect and all the other 10 cannot.

After fiddling with the Cisco config the retransmitting thing went away, but the client is still unable to connect.

1. show crypto debug-condition

Crypto conditional debug is turned OFF
IKE debug context unmatched flag:  OFF
IPSec debug context unmatched flag:  OFF
IKE debug context error flag:  OFF
IPSec debug context error flag:  OFF

2. show crypto ipsec df-bit Outside

df-bit Outside clear

3. show crypto ipsec fragmentation Outside

fragmentation Outside before-encryption

4. show crypto ipsec sa
interface: Outside
    Crypto map tag: DYN_OUTSIDE, seq num: 10000, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/17/1701)
      remote ident (addr/mask/prot/port): (176.46.1.224/255.255.255.255/17/1701)
      current_peer: 176.46.1.224, username: DefaultRAGroup
      dynamic allocated peer ip: 0.0.0.0
      dynamic allocated peer ip(ipv6): 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: 176.46.1.224/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: clear-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 6B61B2F8
      current inbound spi : 7E7B99A4

    inbound esp sas:
      spi: 0x7E7B99A4 (2122029476)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Transport, IKEv1, }
         slot: 0, conn_id: 155648, crypto-map: DYN_OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (237304/3372)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x6B61B2F8 (1801564920)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Transport, IKEv1, }
         slot: 0, conn_id: 155648, crypto-map: DYN_OUTSIDE
         sa timing: remaining key lifetime (kB/sec): (237304/3372)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

   
5. show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 39
Inbound
    Bytes: 15709111
    Decompressed bytes: 15709111
    Packets: 87278
    Dropped packets: 1
    Replay failures: 0
    Authentications: 87278
    Authentication failures: 0
    Decryptions: 87278
    Decryption failures: 0
    TFC Packets: 0
    Decapsulated fragments needing reassembly: 0
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 84694753
    Uncompressed bytes: 84694753
    Packets: 136591
    Dropped packets: 2
    Authentications: 136589
    Authentication failures: 0
    Encryptions: 136589
    Encryption failures: 0
    TFC Packets: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 1
System capacity failures: 0

6. show crypto isakmp stats

Global IKEv1 Statistics
  Active Tunnels:              1
  Previous Tunnels:           39
  In Octets:              133688
  In Packets:                537
  In Drop Packets:           171
  In Notifys:                 65
  In P2 Exchanges:            44
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:   24
  Out Octets:              63020
  Out Packets:               386
  Out Drop Packets:            0
  Out Notifys:                73
  Out P2 Exchanges:            0
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:  19
  Initiator Tunnels:           0
  Initiator Fails:             0
  Responder Fails:            46
  System Capacity Fails:       0
  Auth Fails:                  9
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                37

IKEV1 Call Admission Statistics
  Max In-Negotiation SAs:                 50
  In-Negotiation SAs:                      0
  In-Negotiation SAs Highwater:            2
  In-Negotiation SAs Rejected:             0

Global IKEv2 Statistics
  Active Tunnels:                          0
  Previous Tunnels:                        0
  In Octets:                               0
  In Packets:                              0
  In Drop Packets:                         0
  In Drop Fragments:                       0
  In Notifys:                              0
  In P2 Exchange:                          0
  In P2 Exchange Invalids:                 0
  In P2 Exchange Rejects:                  0
  In IPSEC Delete:                         0
  In IKE Delete:                           0
  Out Octets:                              0
  Out Packets:                             0
  Out Drop Packets:                        0
  Out Drop Fragments:                      0
  Out Notifys:                             0
  Out P2 Exchange:                         0
  Out P2 Exchange Invalids:                0
  Out P2 Exchange Rejects:                 0
  Out IPSEC Delete:                        0
  Out IKE Delete:                          0
  SAs Locally Initiated:                   0
  SAs Locally Initiated Failed:            0
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:                252
  Cookie Challenge Threshold:          Never
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

7. show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 176.46.1.224
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs


8. show crypto isakmp stats: same output as item 6.
  SAs Remotely Initiated:                  0
  SAs Remotely Initiated Failed:           0
  System Capacity Failures:                0
  Authentication Failures:                 0
  Decrypt Failures:                        0
  Hash Failures:                           0
  Invalid SPI:                             0
  In Configs:                              0
  Out Configs:                             0
  In Configs Rejects:                      0
  Out Configs Rejects:                     0
  Previous Tunnels:                        0
  Previous Tunnels Wraps:                  0
  In DPD Messages:                         0
  Out DPD Messages:                        0
  Out NAT Keepalives:                      0
  IKE Rekey Locally Initiated:             0
  IKE Rekey Remotely Initiated:            0
  CHILD Rekey Locally Initiated:           0
  CHILD Rekey Remotely Initiated:          0

IKEV2 Call Admission Statistics
  Max Active SAs:                   No Limit
  Max In-Negotiation SAs:                252
  Cookie Challenge Threshold:          Never
  Active SAs:                              0
  In-Negotiation SAs:                      0
  Incoming Requests:                       0
  Incoming Requests Accepted:              0
  Incoming Requests Rejected:              0
  Outgoing Requests:                       0
  Outgoing Requests Accepted:              0
  Outgoing Requests Rejected:              0
  Rejected Requests:                       0
  Rejected Over Max SA limit:              0
  Rejected Low Resources:                  0
  Rejected Reboot In Progress:             0
  Cookie Challenges:                       0
  Cookie Challenges Passed:                0
  Cookie Challenges Failed:                0

9. show crypto protocol statistics all
[IKEv1 statistics]
   Encrypt packet requests: 149
   Encapsulate packet requests: 149
   Decrypt packet requests: 210
   Decapsulate packet requests: 210
   HMAC calculation requests: 932
   SA creation requests: 39
   SA rekey requests: 18
   SA deletion requests: 102
   Next phase key allocation requests: 88
   Random number generation requests: 0
   Failed requests: 0
[IKEv2 statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[IPsec statistics]
   Encrypt packet requests: 136589
   Encapsulate packet requests: 136589
   Decrypt packet requests: 87278
   Decapsulate packet requests: 87278
   HMAC calculation requests: 223867
   SA creation requests: 78
   SA rekey requests: 10
   SA deletion requests: 86
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSL statistics]
   Encrypt packet requests: 1580864
   Encapsulate packet requests: 1580864
   Decrypt packet requests: 286
   Decapsulate packet requests: 286
   HMAC calculation requests: 1581150
   SA creation requests: 246
   SA rekey requests: 0
   SA deletion requests: 244
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 0
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
[Other statistics]
   Encrypt packet requests: 0
   Encapsulate packet requests: 0
   Decrypt packet requests: 0
   Decapsulate packet requests: 0
   HMAC calculation requests: 35115
   SA creation requests: 0
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 345
   Failed requests: 9

Also I'd like to thank you for helping me and replying so quickly.

1.

The outbound spi matches the one that's not encrypting anything. The inbound spi matches the one that *is* decrypting.

I could see that ASA - VPN traffic is not being encrypted

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4

Hence the issue seems to be that traffic is sent out from the ASA unencrypted.

This can be caused by a duplicate (stale) ASP crypto table entry, which prevents the ASA from encrypting any traffic destined for the remote host.

There are 2 commands which show this behaviour. They are:

show ipsec stat | grep Missing SA failures

show asp table classify crypto

A possible solution to this issue is to hard reboot the firewall.

Hence plan a reboot during off business hours to reduce any downtime.

Additional References

CSCsh48962 - Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI.

CSCso50996 - ASA dropping the packet instead of encrypting it.

2.

I could find in the following output

Missing SA failures: 1


5. show crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 39
Inbound
    Bytes: 15709111
    Decompressed bytes: 15709111
    Packets: 87278
    Dropped packets: 1
    Replay failures: 0
    Authentications: 87278
    Authentication failures: 0
    Decryptions: 87278
    Decryption failures: 0
    TFC Packets: 0
    Decapsulated fragments needing reassembly: 0
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 84694753
    Uncompressed bytes: 84694753
    Packets: 136591
    Dropped packets: 2
    Authentications: 136589
    Authentication failures: 0
    Encryptions: 136589
    Encryption failures: 0
    TFC Packets: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 1
System capacity failures: 0

As per the output of the 'show crypto ipsec stat' command, the "missing SA failures" count is 1; check if it increments or not.

Also check whether the 'show asp drop' counter "Tunnel being brought up or torn down" is incrementing.

If the counts are incrementing, you have one of the bugs.

A workaround is to hard power down the firewall and power it back up.

Hopefully it should work.

Best Regards

Sachin Garg
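As an added example (not from the thread or from Cisco), here is a small Python script that parses two captures of 'show crypto ipsec stats' in the format quoted above and reports which watched counters, 'Missing SA failures' among them, incremented between the captures; both sample captures are constructed.

```python
import re

# Constructed sample capture in the 'show crypto ipsec stats' format quoted in this thread.
SNAPSHOT_BEFORE = """\
IPsec Global Statistics
-----------------------
Active tunnels: 1
Inbound
    Bytes: 15709111
    Dropped packets: 1
Outbound
    Bytes: 84694753
    Dropped packets: 2
Protocol failures: 0
Missing SA failures: 1
"""
# Constructed second capture, taken after retrying the RDP/HTTP connections.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "Missing SA failures: 1", "Missing SA failures: 50"
).replace("    Dropped packets: 2", "    Dropped packets: 51")

COUNTER_RE = re.compile(r"^(\s*)([A-Za-z][A-Za-z0-9 ]*?):\s*(\d+)\s*$")

def parse_ipsec_stats(text):
    """Map counter names to values; indented counters get their section
    ('Inbound'/'Outbound') as a prefix so both 'Dropped packets' stay distinct."""
    counters, section = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m is None:
            if line and not line[0].isspace() and not line.startswith("-"):
                section = line.strip()  # unindented label without a value opens a section
            continue
        indent, label, value = m.groups()
        counters[f"{section}/{label}" if indent and section else label] = int(value)
        if not indent:
            section = None  # a top-level counter closes any open section
    return counters

WATCHED = ("Missing SA failures", "Outbound/Dropped packets")

def incrementing_counters(before_text, after_text, watched=WATCHED):
    """Return {counter: increase} for watched counters that grew between captures."""
    before, after = parse_ipsec_stats(before_text), parse_ipsec_stats(after_text)
    return {k: after.get(k, 0) - before.get(k, 0)
            for k in watched if after.get(k, 0) > before.get(k, 0)}

def stale_asp_entry_suspected(before_text, after_text):
    """Growing 'Missing SA failures' with the tunnel up is the symptom tied to a stale ASP entry."""
    return "Missing SA failures" in incrementing_counters(before_text, after_text)
```

Run it against two real captures taken a few minutes apart while reproducing the failing RDP/HTTP connections; a zero delta on both watched counters points away from the stale ASP entry the thread describes.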

Hi,

By saying hard power down do you mean just disconnecting the power cable from the firewall? Or just a regular reload?

I'll give the reboot a try and look at these references also.


Thank you very much for help at the moment

I installed Windows 8 on that Windows 7 test client and from there, it works. Also packets are being encrypted and decrypted, but those other Windows 7 devices are unable to connect.


I continue further testing.


For the record I have not yet rebooted the Cisco ASA.

By hard reboot I mean powering the box OFF and ON physically, of course similar to taking the power plug out and plugging it back in, but I think the power button OFF and ON will be sufficient. No need to pull the cable and so on!!

Hi Sachin,

I tried a hard reboot, but unfortunately this did not change anything. I will look into these two bugs and see if I find any help there.


Best Regards,

Madis.

Hi,

1- Is TCP state bypass really required?

     1.1 - If so, why do you have "match any"?

2- Would you mind putting a packet-capture in place and setting the logs to debugging whilst testing the connection?

3- Also, run a packet-tracer from inside - outside and share the results.

HTH.

Message was edited by: Javier Portuguez

Please disregard, the issue has been solved already. :)
