1496 Views, 15 Helpful, 6 Replies

IKEv2 IPSEC S2S VPN Only working one way

Odohvare1 (Level 1)

Our office has a few branches around town and currently we have ASA 5515-Xs at all locations. Between two of the locations we now have an IPsec/IKEv2 VPN tunnel that works flawlessly. I am attempting to establish another tunnel between the main branch and the newest branch. I can get the tunnel to work from one side only. Meaning from the third location, I can access my servers and all other resources at the main branch, but I cannot access (even ping) anything at the 3rd location from the main branch at all.

I used the Site to Site VPN wizard just like I did when I set up the first tunnel. Last time it came up and worked perfectly. Now it is baffling me that I can ping, access file shares, and all of that from one side, but not the other. Anyone have any idea where to start looking?


6 Replies

Hi,
Have you defined a NAT exemption rule to ensure traffic is not NATted between the main site and the branch? If you already have, it could be that traffic is hitting a dynamic NAT rule and not the NAT exemption rule.

Can you provide the output of "show nat"?

HTH

The main office is the 10.0.0.0/16 network (APDO)

The second branch that works fine is the 192.168.200.0/24 network (APDWEST)

The third branch that does not work both ways is the 192.168.63.0/24 network (POMS)

Result of the command: "sho nat"

Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
translate_hits = 3706978, untranslate_hits = 4325356
2 (Inside) to (Outside) source dynamic any interface
translate_hits = 15695867, untranslate_hits = 2052342
3 (any) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
translate_hits = 183, untranslate_hits = 0
4 (Inside) to (Outside) source static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 destination static APDWEST APDWEST no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (PubInet) to (Outside) source dynamic any interface
translate_hits = 794947, untranslate_hits = 28807
6 (any) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 6500, untranslate_hits = 6500
7 (Inside) to (Outside) source static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Ok, the problem is your dynamic NAT rule (rule number 2) is above the NAT exemption rule you have defined between APDO and POMS (rule number 8). Therefore the traffic is being NATted behind the outside interface.

2 (Inside) to (Outside) source dynamic any interface
translate_hits = 15695867, untranslate_hits = 2052342
...
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0

Move the dynamic rule to Manual NAT Section 3 (after-auto).

HTH
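The ordering point in this answer, worked through as an added example that is not part of the thread (it is neither the posters' nor Cisco's code): a small Python first-match simulator fed with the Section 1 rules from the "show nat" output above. It evaluates a packet from the APDO network to the POMS network twice, once in the posted order and once with rule 2 moved to the end as the after-auto keyword would do. The object-to-subnet mappings are the ones given in the thread; the two host addresses, the after-auto emulation and the parser are assumptions. With the dynamic rule moved, the simulator stops at rule 6 rather than rule 8, because rule 6 is also an APDO-to-POMS identity rule and is listed earlier; either one exempts the flow, which is the outcome the fix restores.

```python
"""Added example (not from the Cisco Community thread): first-match simulator
for ASA manual (twice) NAT ordering, using the rule lines posted in the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Network objects as described in the thread (APDO = main office, POMS = third
# branch, APDWEST = second branch). The NETWORK_OBJ_ object is the wizard's
# auto-created object for the same APDO range (assumption).
OBJECTS = {
    "any": ipaddress.ip_network("0.0.0.0/0"),
    "APDO": ipaddress.ip_network("10.0.0.0/16"),
    "NETWORK_OBJ_10.0.0.0_16": ipaddress.ip_network("10.0.0.0/16"),
    "APDWEST": ipaddress.ip_network("192.168.200.0/24"),
    "POMS": ipaddress.ip_network("192.168.63.0/24"),
}

# Manual NAT Section 1 rules exactly as listed by `show nat` in the thread
# (hit counters omitted).
SHOW_NAT_SECTION1 = """
1 (Inside) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
2 (Inside) to (Outside) source dynamic any interface
3 (any) to (Outside) source static APDO APDO destination static APDWEST APDWEST no-proxy-arp route-lookup
4 (Inside) to (Outside) source static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 destination static APDWEST APDWEST no-proxy-arp route-lookup
5 (PubInet) to (Outside) source dynamic any interface
6 (any) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
7 (Inside) to (Outside) source static NETWORK_OBJ_10.0.0.0_16 NETWORK_OBJ_10.0.0.0_16 destination static POMS POMS no-proxy-arp route-lookup
8 (Inside) to (Outside) source static APDO APDO destination static POMS POMS no-proxy-arp route-lookup
"""

# Parser for one `show nat` rule line (assumption: covers the forms seen above).
RULE_RE = re.compile(
    r"^(?P<num>\d+) \((?P<src_if>[^)]+)\) to \((?P<dst_if>[^)]+)\) "
    r"source (?P<kind>static|dynamic) (?P<real_src>\S+) (?P<mapped_src>\S+)"
    r"(?: destination static (?P<real_dst>\S+) (?P<mapped_dst>\S+))?"
)


@dataclass
class NatRule:
    num: int
    src_if: str
    dst_if: str
    kind: str               # "static" or "dynamic"
    real_src: str
    mapped_src: str
    real_dst: Optional[str]
    mapped_dst: Optional[str]

    @property
    def is_identity(self) -> bool:
        """Identity (NAT exemption) rule: real and mapped objects are the same."""
        return (self.kind == "static" and self.real_src == self.mapped_src
                and self.real_dst == self.mapped_dst)

    def matches(self, in_if: str, src_ip: str, dst_ip: str) -> bool:
        """Rule applies if the ingress interface, source and (optional) destination match."""
        if self.src_if not in ("any", in_if):
            return False
        if ipaddress.ip_address(src_ip) not in OBJECTS[self.real_src]:
            return False
        if self.real_dst is not None and ipaddress.ip_address(dst_ip) not in OBJECTS[self.real_dst]:
            return False
        return True


def parse_show_nat(text: str) -> List[NatRule]:
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed rule line: {line!r}")
        d = m.groupdict()
        rules.append(NatRule(int(d["num"]), d["src_if"], d["dst_if"], d["kind"],
                             d["real_src"], d["mapped_src"], d["real_dst"], d["mapped_dst"]))
    return rules


def first_match(rules: List[NatRule], in_if: str, src_ip: str, dst_ip: str) -> Optional[NatRule]:
    """The ASA walks manual NAT top-down and stops at the first matching rule."""
    for r in rules:
        if r.matches(in_if, src_ip, dst_ip):
            return r
    return None


def move_to_after_auto(rules: List[NatRule], num: int) -> List[NatRule]:
    """Emulate re-adding a rule with `after-auto`: it leaves Section 1 and is
    evaluated after every other rule (Section 3)."""
    return [r for r in rules if r.num != num] + [r for r in rules if r.num == num]


def describe(rule: Optional[NatRule]) -> str:
    if rule is None:
        return "no manual NAT rule matched"
    if rule.is_identity:
        return f"rule {rule.num}: identity/NAT exemption, source address kept"
    return f"rule {rule.num}: {rule.kind} NAT to '{rule.mapped_src}' (PAT behind the outside interface)"


# Constructed sample flow: a main-office host pinging a host at the third branch.
APDO_HOST, POMS_HOST = "10.0.1.10", "192.168.63.10"


def evaluate_before_and_after():
    original = parse_show_nat(SHOW_NAT_SECTION1)
    fixed = move_to_after_auto(original, 2)
    return (first_match(original, "Inside", APDO_HOST, POMS_HOST),
            first_match(fixed, "Inside", APDO_HOST, POMS_HOST))


if __name__ == "__main__":
    before, after = evaluate_before_and_after()
    print("posted order   :", describe(before))
    print("after-auto fix :", describe(after))
```

Run as a script, the first line shows the flow hitting rule 2 (dynamic PAT behind the outside interface, so the branch never sees the real 10.0.0.0/16 source) and the second shows it reaching an identity rule once the dynamic rule is evaluated last. On the ASA itself the equivalent change is removing the Section 1 dynamic rule and re-adding it with the after-auto keyword, i.e. `nat (Inside,Outside) after-auto source dynamic any interface` with the interface names used in the thread; afterwards the translate_hits counter on the exemption rule in `show nat` should start climbing and packet-tracer should no longer show the flow being translated.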

That worked like a champ. I knew it was something simple I was missing. Couldn't see the forest for the trees. lol

Thank you very much.

Dennis Mink (VIP Alumni)

This, to me, proves there is nothing wrong with Phase 1 or Phase 2, so you will need to double check:

- static route pointing to the tunnel

- crypto map (interesting traffic)

- NAT exemption

Also run the packet tracer tool to simulate traffic.

Please remember to rate useful posts, by clicking on the stars below.

This is the result of the packet tracer. It drops due to an access rule, but I look at those and there aren't any that can even be edited from ASDM.  I also included a snapshot of the access rules list.

[Attachment: Annotation 2019-08-06 111721.png]

[Attachment: Annotation 2019-08-06 112553.png]