02-14-2014 05:10 AM
Hi,
I have a pair of ASAs running version 9.1 at the remote site and 8.4 (4) at the local site. When sending traffic over the tunnel from the local to remote, I can see in the IPSec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs but no traffic is egressing the remote ASA's interfaces.
Here is the remote ASAs config:
GigabitEthernet0/0 outside x.x.x.123 255.255.255.192
GigabitEthernet0/1.701 dev_1 10.140.0.1 255.255.255.0
crypto map VPN-Z 10 match address acl_temp_vpn
crypto map VPN-Z 10 set pfs
crypto map VPN-Z 10 set peer x.x.x.67
crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHA
crypto map VPN-Z 10 set security-association lifetime seconds 28800
crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000
crypto map VPN-Z 10 set nat-t-disable
crypto map VPN-Z interface outside
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1
tunnel-group x.x.x.67 type ipsec-l2l
tunnel-group x.x.x.67 ipsec-attributes
ikev1 pre-shared-key *****
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Here are the ipsec sa stats
Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123
access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0
local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
current_peer: x.x.x.67
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
With a dump on the dev_1 interface
capture dev type raw-data interface dev_1 [Capturing - 0 bytes]
match tcp any any
With packet tracer the egress interface is correct but in the capture there appears to be nothing traversing the interface.
Can anybody see anything wrong with this config or any suggestions as to what might be going wrong?
Thanks
James
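The local ident/remote ident pair in the ipsec sa output above comes straight from the crypto-map match ACL, and the two peers' ACLs have to be exact mirrors of each other for a given flow to be selected into the SA on both sides. The thread only shows the remote side's acl_temp_vpn, so the following is an added example (not James's configuration or Cisco code) that parses the numeric ACEs of that ACL, pairs them with a constructed local-side ACL named acl_local_vpn (hypothetical, with one deliberately mis-masked entry), and reports every entry that has no mirror on the other peer. The object-group and x.x.x entries are skipped because the thread does not show what they contain.

```python
"""Mirror-check two ASA crypto-map match ACLs (proxy identities).

Added example, not code from the thread. The remote-side ACEs are the
numeric entries of the thread's acl_temp_vpn; the local-side ACL
(acl_local_vpn) is constructed for illustration and carries one
deliberately mis-masked entry so the check has something to report.
"""
import ipaddress
import re

# Matches "access-list NAME [line N] extended permit ip SRC SMASK DST DMASK".
# ACEs that use object-groups or masked (x.x.x) addresses do not match and
# are skipped, because the thread does not show their membership.
ACE_RE = re.compile(
    r"access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+permit\s+ip\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
)

# Remote side, copied from the thread (object-group and x.x.x lines omitted).
REMOTE_ACL = """
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c
"""

# Local side, constructed: the last ACE uses a /24 where the remote has a /16.
LOCAL_ACL = """
access-list acl_local_vpn extended permit ip 10.0.0.0 255.0.0.0 10.140.0.0 255.255.0.0
access-list acl_local_vpn extended permit ip 172.16.0.0 255.240.0.0 10.140.0.0 255.255.0.0
access-list acl_local_vpn extended permit ip 192.168.0.0 255.255.0.0 10.140.0.0 255.255.255.0
"""


def parse_crypto_acl(text):
    """Return the set of (src_network, dst_network) pairs in an ACL dump."""
    pairs = set()
    for line in text.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        _name, src, smask, dst, dmask = m.groups()
        pairs.add((
            ipaddress.ip_network(f"{src}/{smask}", strict=False),
            ipaddress.ip_network(f"{dst}/{dmask}", strict=False),
        ))
    return pairs


def mirror_check(local_pairs, remote_pairs):
    """Return (missing_on_remote, missing_on_local).

    Each list holds (src, dst) pairs the named peer would need for the two
    ACLs to be exact mirrors; two empty lists mean the ACLs already match.
    """
    missing_on_remote = {(d, s) for s, d in local_pairs} - remote_pairs
    missing_on_local = {(d, s) for s, d in remote_pairs} - local_pairs
    return sorted(missing_on_remote, key=str), sorted(missing_on_local, key=str)


if __name__ == "__main__":
    on_remote, on_local = mirror_check(parse_crypto_acl(LOCAL_ACL),
                                       parse_crypto_acl(REMOTE_ACL))
    for src, dst in on_remote:
        print(f"remote is missing: permit ip {src} {dst}")
    for src, dst in on_local:
        print(f"local is missing:  permit ip {src} {dst}")
```

Paste the real local-side `show access-list` output into LOCAL_ACL to run it against an actual pair; any entry that comes back in either list is a proxy-identity mismatch worth fixing before looking further down the path.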
02-14-2014 07:56 AM
James,
Place a "capture any_name type asp-drop all" and check the output.
Also, add an ACE to the external access-group and allow the VPN traffic. Then run a packet-tracer from outside-inside and check how far it goes. Once you are done, remove the ACE.
Feel free to share your results and analysis.
HTH.
02-14-2014 12:13 PM
Hi Javier,
Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:
l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Additional Information:
NAT divert to egress interface dev_1
Untranslate 10.140.0.10/22 to 10.140.0.10/22
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
access-list acl_outside extended permit ip any any
access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem Internet
Additional Information:
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Additional Information:
Static translate 172.22.0.90/1234 to 172.22.0.90/1234
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dev_1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
This is the same result from another site that has an L2L VPN configured.
ASP drop capture to follow...
02-14-2014 12:38 PM
ASP drop output
l-de-ham-asa-01/act(config)# sho cap drop
36 packets captured
1: 20:55:52.277497 x.x.x.254 > x.x.x.253: ip-proto-105, length 48 Drop-reason: (interface-down) Interface is down
2: 20:55:53.277466 x.x.x.254 > x.x.x.253: ip-proto-105, length 48 Drop-reason: (interface-down) Interface is down
.....
17: 20:56:08.277481 x.x.x.254 > x.x.x.253: ip-proto-105, length 48
This is expected as the primary and standby ASA gi0/2 interface with these IP addresses is currently shutdown (the idea is this pair of ASAs is to replace an old PIX which has the x.x.x.254 IP on the inside interface).
Thanks
James
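For reading the two diagnostics posted in this thread at a glance, here is an added example (not James's or Cisco's code) with two small parsers: one walks packet-tracer output and returns the first phase whose Result is DROP together with the trailing Drop-reason line, the other tallies an asp-drop capture by Drop-reason tag. PACKET_TRACER is condensed from the output posted above (phases 2 and 4 to 7 left out for brevity); ASP_DROP_CAPTURE is constructed in the same format as the "sho cap drop" output, with 192.0.2.0/24 documentation addresses standing in for the x.x.x hosts.

```python
"""Pull the failing phase out of ASA packet-tracer output and tally
asp-drop capture lines by Drop-reason.

Added example, not code from the thread. PACKET_TRACER is condensed from
the output posted in the thread; ASP_DROP_CAPTURE is constructed in the
same format as the thread's "sho cap drop" output, using 192.0.2.0/24
documentation addresses in place of the masked x.x.x hosts.
"""
import re
from collections import Counter

PACKET_TRACER = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
output-interface: dev_1
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def first_drop_phase(output):
    """Return {'phase', 'type', 'subtype'} for the first phase whose
    Result is DROP, or None when every phase allowed the packet."""
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]),
                       "type": None, "subtype": None}
        elif current and line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("Subtype:"):
            current["subtype"] = line.split(":", 1)[1].strip() or None
        elif current and line.startswith("Result:") and "DROP" in line:
            return current
    return None


def final_drop_reason(output):
    """Return (tag, text) from the trailing Drop-reason line, or None."""
    m = re.search(r"^Drop-reason:\s*\(([^)]+)\)\s*(.*)$", output, re.M)
    return (m.group(1), m.group(2).strip()) if m else None


# One "show capture <name>" line of an asp-drop capture:
#   N: HH:MM:SS.usec SRC > DST: DESCRIPTION [Drop-reason: (tag) text]
ASP_DROP_RE = re.compile(
    r"^\s*(\d+):\s+(\S+)\s+(\S+)\s+>\s+([^:]+):\s+(.*?)"
    r"(?:\s+Drop-reason:\s*\(([^)]+)\).*)?$"
)

# Constructed sample; ip-proto-105 is the ASA failover protocol, which
# fits the shut failover interfaces described in the thread.
ASP_DROP_CAPTURE = """\
3 packets captured
1: 20:55:52.277497 192.0.2.254 > 192.0.2.253: ip-proto-105, length 48 Drop-reason: (interface-down) Interface is down
2: 20:55:53.277466 192.0.2.254 > 192.0.2.253: ip-proto-105, length 48 Drop-reason: (interface-down) Interface is down
3: 20:56:08.277481 192.0.2.254 > 192.0.2.253: ip-proto-105, length 48
"""


def summarize_asp_drops(capture):
    """Count captured packets per Drop-reason tag; lines that carry no
    tag (like the thread's packet 17) are counted under 'untagged'."""
    counts = Counter()
    for line in capture.splitlines():
        m = ASP_DROP_RE.match(line)
        if m:
            counts[m.group(6) or "untagged"] += 1
    return counts


if __name__ == "__main__":
    print("first DROP phase:", first_drop_phase(PACKET_TRACER))
    print("final reason:", final_drop_reason(PACKET_TRACER))
    print("asp-drop tally:", dict(summarize_asp_drops(ASP_DROP_CAPTURE)))
```

On a busy box the asp-drop capture fills with unrelated noise such as the failover hellos above, so the tally is mainly useful for spotting a reason tag that involves the VPN or the dev_1 flow among the expected ones; the packet-tracer parser tells you which phase to read first without scrolling through all eight.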