11-19-2014 01:45 AM
Hi Guys.
I have two ASA 5510's that have been running a site-to-site tunnel for some time. Yesterday around 11:00am this suddenly stopped working. The tunnel is up and operational but I'm unable to ping any devices on either end.
1: Phase 1 IKE negotiation is up on both ASAs and completing – Tunnel Established
2: Phase 2 seems to be running into some problems. When looking into each appliance we see that both ends are encrypting packets but not decrypting.
From digging around online it could be that our ISP is blocking / filtering IP protocol 50 (ESP), which seems to be a common occurrence. This is critical for traffic to pass through for IPsec. I've performed an nmap on those protocols which suggests they're open, but I've asked our DC to check that there isn't any filtering going on.
NMAP:
nmap -sO -v -P0 -p 50-51 x.x.x.x ( Remote appliance at DC )
Starting Nmap 5.51 ( http://nmap.org ) at 2014-11-19 09:27 GMT
Initiating Parallel DNS resolution of 1 host. at 09:27
Completed Parallel DNS resolution of 1 host. at 09:27, 0.00s elapsed
Initiating IPProto Scan at 09:27
Scanning x.x.x.x [2 ports]
Completed IPProto Scan at 09:27, 3.02s elapsed (2 total ports)
Nmap scan report for x.x.x.x
Host is up.
PROTOCOL STATE SERVICE
50 open|filtered esp
51 open|filtered ah
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds
Raw packets sent: 4 (80B) | Rcvd: 0 (0B)
Show ipsec sa peer – run on Office Appliance
Crypto map tag: External_map, seq num: 2, local addr: x.x.x.x
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.193.0.0 255.255.254.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Management/255.255.254.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 422, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
Show ipsec sa peer – Run on Remote DC Appliance
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
access-list outside_1_cryptomap permit ip VMNetwork 255.255.0.0 InternalServersVlan102-network 255.255.255.0
local ident (addr/mask/prot/port): (VMNetwork/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (InternalServersVlan102-network/255.255.255.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 101, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
Should I be talking to my ISP about blocking / filtering of ESP (protocol 50)? It seems really odd that this all of a sudden stopped working when we have made no changes to any of our configs on either end. Also, I have reloaded both appliances and tried many reconnects of the tunnel.
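As an added illustration (not code from the thread, Cisco, or any poster), the script below reads the two "show ipsec sa" excerpts and the nmap table quoted above and turns them into the two observations that matter here: encaps counters increasing on one peer while the other peer's decaps stay at zero means ESP leaves but never arrives, and an nmap -sO result of "open|filtered" only means no reply was seen, so it cannot prove the path passes ESP. The sample texts are constructed from the post (public addresses masked as in the original) and all function names are the author's own choice.

```python
import re

# Constructed sample input: the "show ipsec sa peer" counter lines quoted in the post,
# with the public addresses masked exactly as in the original thread.
OFFICE_SA = """\
Crypto map tag: External_map, seq num: 2, local addr: x.x.x.x
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Management/255.255.254.0/0/0)
#pkts encaps: 422, #pkts encrypt: 422, #pkts digest: 422
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

DC_SA = """\
Crypto map tag: outside_map, seq num: 1, local addr: x.x.x.x
local ident (addr/mask/prot/port): (VMNetwork/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (InternalServersVlan102-network/255.255.255.0/0/0)
#pkts encaps: 101, #pkts encrypt: 101, #pkts digest: 101
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# Constructed sample: the protocol table from the nmap -sO run in the post.
NMAP_OUT = """\
PROTOCOL STATE SERVICE
50 open|filtered esp
51 open|filtered ah
"""

# Only the counters the diagnosis needs; "#pkts encrypt" etc. are deliberately ignored.
COUNTER_RE = re.compile(
    r"#(pkts encaps|pkts decaps|pkts verify|send errors|recv errors): (\d+)"
)


def parse_counters(sa_text):
    """Extract the per-SA packet counters from 'show ipsec sa' output into a dict."""
    return {name: int(value) for name, value in COUNTER_RE.findall(sa_text)}


def diagnose(local, remote):
    """Compare the counters of both peers and return a list of findings (strings).

    A packet counted as encaps on one peer should appear as decaps on the other,
    so encaps > 0 here with decaps == 0 there means the ESP packets were sent
    but never reached the far SA: they were lost in transit, not rejected."""
    findings = []
    for side, c in (("local", local), ("remote", remote)):
        if c.get("send errors", 0):
            # Send errors are what you would see if phase 2 had not completed.
            findings.append(f"{side}: send errors > 0, phase 2 SA probably not usable")
    if local.get("pkts encaps", 0) > 0 and remote.get("pkts decaps", 0) == 0:
        findings.append("ESP local->remote leaves but never arrives")
    if remote.get("pkts encaps", 0) > 0 and local.get("pkts decaps", 0) == 0:
        findings.append("ESP remote->local leaves but never arrives")
    for side, c in (("local", local), ("remote", remote)):
        # decaps > verify would mean packets arrive but fail the integrity check,
        # a different problem (bad SA / replay) from the one in this thread.
        if c.get("pkts decaps", 0) > c.get("pkts verify", 0):
            findings.append(f"{side}: packets arrive but fail verification")
    if not findings:
        findings.append("counters consistent, traffic flowing both ways")
    return findings


NMAP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$", re.M)


def esp_scan_conclusive(nmap_text):
    """Return (state, conclusive) for IP protocol 50 in an nmap -sO table.

    nmap reports 'open|filtered' for an IP protocol when it received no reply at
    all; it cannot tell a host that silently accepts ESP from a path that
    silently drops it, so that state is not evidence that ESP passes."""
    for proto, state, _service in NMAP_RE.findall(nmap_text):
        if proto == "50":
            return state, state != "open|filtered"
    return None, False


if __name__ == "__main__":
    office, dc = parse_counters(OFFICE_SA), parse_counters(DC_SA)
    for line in diagnose(office, dc):
        print(line)
    print("ESP scan result:", esp_scan_conclusive(NMAP_OUT))
```

Run against the post's data this reports ESP lost in both directions with no send errors, which is exactly the pattern where a capture on each outside interface (sent ESP visible, received ESP absent) is the next piece of evidence to collect before raising it with the ISP.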
11-19-2014 02:46 AM
Confirm with a packet capture that
1) you're indeed sending out those packets to the ISP
2) you are not receiving those from the ISP on your external interfaces
As a side note: Phase 2 negotiation NEEDS to be completed to send encrypted traffic. If phase 2 did not complete you'd be seeing send errors on egress in the IPsec SA counters.
11-19-2014 02:48 AM
Thanks Marcin.
What's the best way to set up the packet capture on my ASA to verify this?
Cheers.
11-19-2014 02:51 AM
Follow this:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110117-asa-capture-asdm-config.html#cliconfig
Just set up an ACL matching protocol 50 and the IP addresses of the two ASAs.
current_peer: 2x5.2x7.x3.4 <--- you wrote that not me :]
11-19-2014 02:56 AM
Thanks Marcin, I'll do that now.
Is it possible that although nmap is showing protocol 50 being open that my ISP could be 'filtering' this somehow?
11-19-2014 03:07 AM
Marcin, I'm running ASDM v5.x.... Is there a packet capture in this version that I can use, as it's not in the wizard drop-down?
11-19-2014 08:22 AM
Still no luck with this, although when looking at the debugging logs it appears to show connections from my office LAN IPs to the remote LAN IPs
Office 172.16.0.0 - Remote 10.192.0.0
What I can see filling the logs is the following:
UDP request discarded from OfficeIP/39548 to outside:RemoteIP/33479
11-19-2014 04:24 AM
Best guide:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html?referring_site=RE&pos=1&page=http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html