L2L VPN issues with new network

James Dykes · ‎02-25-2014

I've added a new network for a customer's firewall and I'm trying to get that network across the existing VPN tunnel to their DR site. The new network is 10.133.133.0/24 and I'm trying to get it to connect to 10.1.14.0/24 on the other side of the tunnel.

I'm missing something, though, because when I do a packet-tracer to simulate traffic, it dies before getting encrypted. The output is below.

What am I missing to get this traffic to even attempt to go across the tunnel?

-----

4344-FWL001#packet-tracer input backup icmp 10.133.133.10 0 0 10.1.14.20

Phase: 1

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 0.0.0.0 0.0.0.0 outside

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group backup_acl in interface backup

access-list backup_acl extended permit ip 10.133.133.0 255.255.255.0 10.1.14.0 255.255.255.0

Additional Information:

Phase: 3

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

set connection decrement-ttl

service-policy global_policy global

Additional Information:

Phase: 4

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Phase: 5

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Phase: 6

Type: NAT-EXEMPT

Subtype:

Result: ALLOW

Config:

match ip backup 10.133.133.0 255.255.255.0 outside 10.1.14.0 255.255.255.0

NAT exempt

translate_hits = 40, untranslate_hits = 0

Additional Information:

Phase: 7

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (backup) 1 0.0.0.0 0.0.0.0

match ip backup any outside any

dynamic translation to pool 1 (216.211.133.59 [Interface PAT])

translate_hits = 254, untranslate_hits = 18

Additional Information:

Phase: 8

Type: NAT

Subtype: host-limits

Result: ALLOW

Config:

nat (backup) 1 0.0.0.0 0.0.0.0

match ip backup any outside any

dynamic translation to pool 1 (216.211.133.59 [Interface PAT])

translate_hits = 254, untranslate_hits = 18

Additional Information:

Phase: 9

Type: VPN

Subtype: encrypt

Result: DROP

Config:

Additional Information:

Result:

input-interface: backup

input-status: up

input-line-status: up

output-interface: outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Javier Portuguez · ‎02-26-2014

James,

Just to make sure... Did you add the same ACE to the remote site's crypto ACL?

HTH.

James Dykes · ‎02-26-2014

I don't have access to the other device. They say they've added the ACLs, but I can't confirm.

I should still see a packet-tracer command at least try to encrypt the traffic, though, right? It's only simulating what a packet would do.

Javier Portuguez · ‎02-26-2014

You are correct.

What does the "debug crypto ipsec 127" tell you?

James Dykes · ‎02-28-2014

Here's what I'm getting from debug:

IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, Src=10.133.133.5:256, Dest=10.1.14.20:256

IPSEC(crypto_map_check)-3: Checking crypto map outside_map 1: matched.

IPSEC: New embryonic SA created @ 0xC9D5AC10,

SCB: 0xCA7F3CA0,

Direction: inbound

SPI : 0xC404C4D2

Session ID: 0x034F6000

VPIF num : 0x00000002

Tunnel type: l2l

Protocol : esp

Lifetime : 240 seconds