L2L VPN Decrypted Traffic Not Exiting ASA

james.tucker
Level 1

Hi,

I have a pair of ASAs running version 9.1 at the remote site and 8.4(4) at the local site. When sending traffic over the tunnel from the local to the remote site, I can see in the IPsec SA the encap packet count increasing locally and the decap count increasing on the remote ASAs, but no traffic is egressing the remote ASA's interfaces.

Here is the remote ASA's config:

GigabitEthernet0/0       outside                x.x.x.123       255.255.255.192
GigabitEthernet0/1.701   dev_1                  10.140.0.1      255.255.255.0
crypto map VPN-Z 10 match address acl_temp_vpn
crypto map VPN-Z 10 set pfs
crypto map VPN-Z 10 set peer x.x.x.67
crypto map VPN-Z 10 set ikev1 transform-set ESP-3DES-SHA
crypto map VPN-Z 10 set security-association lifetime seconds 28800
crypto map VPN-Z 10 set security-association lifetime kilobytes 4608000
crypto map VPN-Z 10 set nat-t-disable
crypto map VPN-Z interface outside
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 object-group zx-subs (hitcnt=5) 0x3e8360b3
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 10.0.0.0 255.0.0.0 (hitcnt=0) 0x5cf3e6d1
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0 (hitcnt=15) 0x73407a52
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0xe1b9579c
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.224 255.255.255.224 (hitcnt=0) 0x894cf410
access-list acl_temp_vpn line 1 extended permit ip 10.140.0.0 255.255.0.0 x.x.x.0 255.255.255.192 (hitcnt=0) 0xa879a3f1
tunnel-group x.x.x.67 type ipsec-l2l
tunnel-group x.x.x.67 ipsec-attributes
ikev1 pre-shared-key *****
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs

Here are the IPsec SA stats:

Crypto map tag: VPN-Zanox, seq num: 10, local addr: x.x.x.123
access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0
      local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
      current_peer: x.x.x.67
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2

With a dump on the dev_1 interface:

capture dev type raw-data interface dev_1 [Capturing - 0 bytes]
  match tcp any any

With packet-tracer the egress interface is correct, but in the capture nothing appears to be traversing the interface.

Can anybody see anything wrong with this config, or any suggestions as to what might be going wrong?

Thanks

James
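A small script, added here as an example and not code from the thread, that reads the "show crypto ipsec sa" excerpt above (with the anonymised x.x.x addresses replaced by documentation-range placeholders) and flags the two things worth checking first on a one-way tunnel: decaps climbing while encaps stay at zero, and a local proxy identity (10.140.0.0/16) that is wider than the subnet actually connected on dev_1 (10.140.0.0/24). The list of connected inside subnets is an assumption the caller supplies.

```python
import ipaddress
import re

# Constructed sample input: the "show crypto ipsec sa" excerpt quoted in the post,
# with the anonymised x.x.x addresses replaced by documentation-range placeholders.
SAMPLE_SA = """\
Crypto map tag: VPN-Zanox, seq num: 10, local addr: 203.0.113.123
      access-list acl_temp_vpn extended permit ip 10.140.0.0 255.255.0.0 172.16.0.0 255.240.0.0
      local ident (addr/mask/prot/port): (10.140.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.0.0/255.240.0.0/0/0)
      current_peer: 203.0.113.67
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Pull the proxy identities and the encap/decap counters out of one SA block."""
    sa = {"local": None, "remote": None, "encaps": 0, "decaps": 0}
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:  # the ASA prints addr/mask; ip_network accepts that form directly
            sa[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        m = COUNT_RE.search(line)
        if m:
            sa[m.group(1)] = int(m.group(2))
    return sa


def diagnose(sa, inside_cidrs):
    """Return findings for one SA. inside_cidrs lists the subnets actually connected
    behind the inside interfaces (an assumption the caller supplies, e.g. dev_1's /24)."""
    findings = []
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append("one-way SA: packets are decrypted here but none are encrypted back")
    inside = [ipaddress.ip_network(c) for c in inside_cidrs]
    if not any(sa["local"].subnet_of(n) for n in inside):
        findings.append(f"local ident {sa['local']} is wider than any connected inside "
                        "network; decrypted packets for the uncovered addresses have no route")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sa(SAMPLE_SA), ["10.140.0.0/24"]):
        print(finding)
```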

3 Replies

James,

Place a "capture any_name type asp-drop all" and check the output.

Also, add an ACE to the external access-group and allow the VPN traffic. Then run a packet-tracer from outside-inside and check how far it goes. Once you are done, remove the ACE.

Feel free to share your results and analysis.

HTH.

Hi Javier,

Packet-tracer output with a temp ACL to permit ip any any inbound on the outside interface:

l-de-ham-asa-01/act(config)# packet-tracer input outside tcp 172.22.0.90 1234 10.140.0.10 22

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Additional Information:
NAT divert to egress interface dev_1
Untranslate 10.140.0.10/22 to 10.140.0.10/22

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
access-list acl_outside extended permit ip any any
access-list acl_outside remark Zugriffsrichtlinie fuer ICMP Antworten aus dem Internet
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (dev_1,outside) source static dev_1-sub dev_1-sub destination static zx-subs zx-subs
Additional Information:
Static translate 172.22.0.90/1234 to 172.22.0.90/1234

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: dev_1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

This is the same result from another site that has an L2L VPN configured.

ASP drop capture to follow...

ASP drop output:

l-de-ham-asa-01/act(config)# sho cap drop

36 packets captured

   1: 20:55:52.277497       x.x.x.254 > x.x.x.253:  ip-proto-105, length 48 Drop-reason: (interface-down) Interface is down
   2: 20:55:53.277466       x.x.x.254 > x.x.x.253:  ip-proto-105, length 48 Drop-reason: (interface-down) Interface is down
   .....
   17: 20:56:08.277481       x.x.x.254 > x.x.x.253:  ip-proto-105, length 48

This is expected, as the primary and standby ASA gi0/2 interfaces with these IP addresses are currently shut down (the idea is that this pair of ASAs is to replace an old PIX which has the x.x.x.254 IP on its inside interface).

Thanks

James