Site to Site VPN issue

rajesh.yadla
Level 1

Hi All,

I am trying to set up the site-to-site VPN from the head office to the branch office. The head office has ASA1 and the branch office has ASA2. ASA1 is configured with remote VPN and site-to-site VPN. The remote VPN works fine. ASA2 is configured with only the site-to-site VPN. Both ASAs are 5505s.

Phase 1 completes successfully and shows MM_ACTIVE on both ASAs. But I am not able to ping from a PC at one site to the other site. If you look at the results at the bottom, the head office ASA1 is able to decrypt packets but not encrypt them.

The branch office ASA2 is able to encrypt packets but not decrypt them.

When I tried packet tracer, the packet was dropped saying VPN lookup. I have attached it to the case.

Could someone help me with this?

ASA1

route x.x..1.0 255.255.255.0 [1/0] via Outside-Network, outside

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP

crypto dynamic-map IPSEC-VPN 10 set transform-set esp-3des esp-sha-hmac

crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map DIV-MAP 20 match address S2S

crypto map DIV-MAP 20 set peer 2.2.2.2

crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac

IKE Peer: 2.2.2.2

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network

      local ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)

      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Outside-Network, remote crypto endpt.:2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: AC93D2BC

    inbound esp sas:

      spi: 0xE2A3F913 (3802396947)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 263, crypto-map: RVPN-MAP

ASA2:

route x.x.100.0 255.255.255.0 [1/0] via Outside-Network, outside

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP

crypto dynamic-map IPSEC-VPN 10 set transform-set esp-3des esp-sha-hmac

crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map DIV-MAP 20 match address S2S

crypto map DIV-MAP 20 set peer 1.1.1.1

crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac

IKE Peer: 1.1.1.1

    Type    : L2L             Role    : Initiator

    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: S-MAP, seq num: 1, local addr: 99.76.209.61

    local ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)

    remote ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)

    current_peer: 1.1.1.1

    #pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 89, #pkts comp failed: 0, #pkts decomp failed: 0

    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

    #send errors: 0, #recv errors: 0

    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

    path mtu 1500, ipsec overhead 58, media mtu 1500

    current outbound spi: E2A3F913

  inbound esp sas:

    spi: 0xAC93D2BC (2895368892)

       transform: esp-3des esp-sha-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 198, crypto-map: S-MAP

       sa timing: remaining key lifetime (kB/sec): (4275000/26421)

       IV size: 8 bytes

       replay detection support: Y

  outbound esp sas:

    spi: 0xE2A3F913 (3802396947)

       transform: esp-3des esp-sha-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 198, crypto-map: S-MAP

       sa timing: remaining key lifetime (kB/sec): (4274992/26421)
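The original post diagnoses the problem by reading the encaps/decaps counters by eye: ASA1 decrypts 89 packets and encrypts none, ASA2 the reverse. The following script, added here as an example and not part of the thread or of any Cisco tooling, parses `show crypto ipsec sa` output into one record per SA and classifies each SA as idle, one-way or bidirectional. The sample output is constructed to resemble the ASA1 counters above (with the 192.168.35.0/24 and 192.168.1.0/24 subnets named later in the thread substituted for the masked x.x prefixes).

```python
"""Summarise Cisco ASA 'show crypto ipsec sa' output and flag one-way SAs.

Added example for this thread, not Cisco's own tooling.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: one L2L SA that decrypts but never encrypts,
# modelled on the ASA1 output posted in the thread.
SAMPLE_ASA1 = """\
Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network

      local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
      #send errors: 0, #recv errors: 0
"""


@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    local_ident: str = ""
    remote_ident: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0


# Each SA block in the output starts with a "Crypto map tag:" header line.
TAG_RE = re.compile(r"Crypto map tag:\s*(\S+),\s*seq num:\s*(\d+)")
FIELD_RES = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\):\s*\(([^)]*)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\):\s*\(([^)]*)\)"),
    "peer": re.compile(r"current_peer:\s*(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "send_errors": re.compile(r"#send errors:\s*(\d+)"),
    "recv_errors": re.compile(r"#recv errors:\s*(\d+)"),
}
INT_FIELDS = {"encaps", "decaps", "send_errors", "recv_errors"}


def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    """Split command output into SA records, one per 'Crypto map tag' header."""
    sas: list[IpsecSa] = []
    current: IpsecSa | None = None
    for line in text.splitlines():
        header = TAG_RE.search(line)
        if header:
            current = IpsecSa(crypto_map=header.group(1), seq=int(header.group(2)))
            sas.append(current)
            continue
        if current is None:
            continue  # text before the first SA header
        for name, rx in FIELD_RES.items():
            m = rx.search(line)
            if m:
                value = int(m.group(1)) if name in INT_FIELDS else m.group(1)
                setattr(current, name, value)
    return sas


def diagnose(sa: IpsecSa) -> str:
    """Classify an SA from its counters: traffic leaving (encaps) vs arriving (decaps)."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"
    if sa.encaps == 0:
        # Peer traffic arrives and is decrypted, but nothing is sent back through this SA:
        # replies are not reaching the ASA, or are not matching this crypto map entry.
        return "one-way: decrypting only"
    if sa.decaps == 0:
        return "one-way: encrypting only"
    return "bidirectional"


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_ASA1):
        print(f"{sa.crypto_map} seq {sa.seq} peer {sa.peer}: "
              f"encaps={sa.encaps} decaps={sa.decaps} -> {diagnose(sa)}")
```

Run against the real output of both ASAs, the two one-way verdicts together point at the traffic direction that is failing; in this thread that was the return direction on ASA1, which is also where the crypto map tag shows the L2L peer landing on the dynamic map RVPN-MAP rather than the static entry.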

1 Accepted Solution

Hi Rajesh,

I understand now what is going on; there is no issue with the ASA or the VPN, they are fine, because the echo request gets out of the firewall and the firewall doesn't receive a reply. Is there any router or L3 switch behind the firewall? If yes, you have to add a static route on it for subnet 192.168.35.0/24 at site 1 and 192.168.1.0/24 at site 2; the next-hop should be the inside interface of the firewall.

Regards,

Wajih


20 Replies

walsaid
Cisco Employee

Hi Rajesh,

Your issue is with this command line in ASA1:

"crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP"

It seems that it is used for the Remote VPN. It has sequence number "10", which is a higher priority than the L2L VPN; the L2L VPN has sequence number "20". So the L2L connection is going through RVPN-MAP, not through "DIV-MAP 20". This is clear in your outputs:


IKE Peer: 2.2.2.2

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network

      local ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)

      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Outside-Network, remote crypto endpt.:2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: AC93D2BC

    inbound esp sas:

      spi: 0xE2A3F913 (3802396947)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 263, crypto-map: RVPN-MAP


RVPN-MAP is a dynamic map; it can accept any request, so it is recommended to give it the highest sequence number, which is 65535. Your issue should be solved after applying the following commands:

no crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP

crypto map DIV-MAP 65535 ipsec-isakmp dynamic RVPN-MAP

clear crypto isa sa

clear crypto ipsec sa

Regards,

Wajih
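The reply above makes a point that is easy to miss when reading a running configuration: crypto map entries are tried in sequence order, so a dynamic entry with a lower sequence number than a static L2L entry can catch the L2L peer before its own entry is reached. The script below, added here as an example and not part of the thread or of Cisco's tooling, parses `crypto map` lines, reports any dynamic entry that is evaluated ahead of a static entry in the same map, checks that static entries have their `match address`, `set peer` and transform-set (or IPsec proposal) lines, and emits the reorder commands from the reply. The sample configuration is constructed from the ASA1 lines posted in the thread.

```python
"""Audit Cisco ASA crypto map ordering: a dynamic entry should be the last one tried.

Added example for this thread, not Cisco's own tooling.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample, modelled on the ASA1 crypto map lines in the thread.
SAMPLE_ASA1_CRYPTO = """\
crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP
crypto map DIV-MAP 20 match address S2S
crypto map DIV-MAP 20 set peer 2.2.2.2
crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac
crypto map DIV-MAP interface outside
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
DYNAMIC_RE = re.compile(r"^ipsec-isakmp dynamic (\S+)$")
MAX_SEQ = 65535  # highest sequence number an ASA crypto map entry can have

# Sub-commands a static (peer-specific) entry needs to be usable.
REQUIRED = {
    "match address": lambda c: c.startswith("match address"),
    "set peer": lambda c: c.startswith("set peer"),
    "transform-set/ipsec-proposal": lambda c: "transform-set" in c or "ipsec-proposal" in c,
}


def parse_crypto_map(config: str) -> dict[str, dict[int, list[str]]]:
    """Return {map name: {seq: [sub-commands]}}; 'crypto map X interface Y' lines are skipped."""
    entries: dict[str, dict[int, list[str]]] = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)][int(m.group(2))].append(m.group(3))
    return entries


def audit_crypto_map(config: str) -> list[str]:
    """List ordering and completeness findings; an empty list means nothing to report."""
    findings: list[str] = []
    for map_name, seqs in parse_crypto_map(config).items():
        dynamic: dict[int, str] = {}
        static: set[int] = set()
        for seq, cmds in seqs.items():
            for cmd in cmds:
                d = DYNAMIC_RE.match(cmd)
                if d:
                    dynamic[seq] = d.group(1)
                else:
                    static.add(seq)
        # A dynamic entry matches any peer, so anything after it is shadowed.
        for seq, dyn_name in dynamic.items():
            later = sorted(s for s in static if s > seq)
            if later:
                findings.append(
                    f"{map_name} {seq}: dynamic map {dyn_name} is evaluated before "
                    f"static entries {later}; peers meant for them can land on the dynamic map"
                )
        for seq in sorted(static):
            missing = [k for k, test in REQUIRED.items() if not any(test(c) for c in seqs[seq])]
            if missing:
                findings.append(f"{map_name} {seq}: static entry lacks {', '.join(missing)}")
    return findings


def reorder_commands(map_name: str, seq: int, dyn_name: str, new_seq: int = MAX_SEQ) -> list[str]:
    """Commands that move a dynamic entry to the end of its map (the fix given in the thread)."""
    return [
        f"no crypto map {map_name} {seq} ipsec-isakmp dynamic {dyn_name}",
        f"crypto map {map_name} {new_seq} ipsec-isakmp dynamic {dyn_name}",
    ]


if __name__ == "__main__":
    for finding in audit_crypto_map(SAMPLE_ASA1_CRYPTO):
        print("FINDING:", finding)
    print("\n".join(reorder_commands("DIV-MAP", 10, "RVPN-MAP")))
```

After the reorder the audit returns nothing for this configuration; the `clear crypto isa sa` / `clear crypto ipsec sa` steps from the reply are still needed so that the existing SAs, which were built against the dynamic entry, are renegotiated against the static one.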

I have tried this. Now it encrypted 18 packets, then the count stopped increasing. My issue is that I am not able to ping any hosts from one site to the other. When I debug ICMP, it only receives the ping requests on both sides but no reply.

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=45574 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=45830 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=46086 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=46342 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=46598 len=32

The head office network is 192.168.35.0 and the branch office network is 192.168.1.0.

Can you please help me fix it so that both centers can connect to each other?

Hi Rajesh,

Could you please provide full configuration on both ASA?

Regards,

Wajih

Hi,

I have attached the configuration for both ASAs to the ticket. Now I can see that both ASAs are allowing packets to the outside, but I am not able to ping any of the internal devices.

Hi Rajesh,

I had a look at your configuration and found an access-group applied on the outside interface named "OUT_ACL", but I cannot find the access-list rules in the provided configuration.

Anyway, you can add the following command to allow for VPN traffic to pass through firewalls:

sysopt connection permit-vpn

This command allows packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance.

Regards,

Wajih

Hi Wajih,

I thank you so much for your assistance. I have given the command but still I am not able to ping. Now packets are getting encrypted and decrypted but not able to ping the hosts.

When I try to ping, it gives:

ASA1

Result of the command: "ping inside 192.168.1.100"

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.35.110, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

ASA2

Result of the command: "ping inside 192.168.35.110"

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.35.110, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

By the way, the OUT_ACL entries are as below:

access-list OUT_ACL extended permit ip any host Outside-Network

access-list OUT_ACL extended permit tcp any host OutsideWebAddress eq www

access-list OUT_ACL extended permit tcp any host OutsideWebAddress eq https

access-list OUT_ACL extended permit tcp any host OutsideMailAddress eq https

Please help me.

Hi Rajesh,

Kindly be advised that pinging from the inside interface of ASA1 to the inside interface of ASA2 is not allowed by default; please use hosts connected to the inside interfaces and let them ping each other.

If you insist on pinging the inside interface, please use the following commands:

no management-access mgmt_if

management-access inside

This command allows management access to an interface other than the one from which you entered the security appliance when using IPSec VPN.

Regards,

Wajih

Hi Wajih,

Thank you for the quick reply. I didn't know that. My main issue is that I am not able to ping from a PC at one site to a PC at the other.

I am getting the request when I debug ICMP on both ASAs, but they are not sending a reply.

Regards,

Rajesh

Hi Rajesh,

Please answer my following questions:

Are you able to ping the ASA inside interfaces from each host?

Please run the command "show route" and send me the outputs from each ASA.

Also please be advised that the following route commands are not configured properly: the next-hop IP address should be the IP address of the device connected to the outside interface of the ASA; it is not recommended to configure the outside IP address itself as the next-hop:

ASA1:

For example, with ASA1(2.2.2.2)-------------(2.2.2.1)Router, the configuration should be:

route outside 0.0.0.0 0.0.0.0 2.2.2.1

route outside 192.168.1.0 255.255.255.0 2.2.2.1

The following configuration is wrong:

route outside 0.0.0.0 0.0.0.0 2.2.2.2

route outside 192.168.1.0 255.255.255.0 2.2.2.2

ASA2:

The same thing for ASA2, the following configuration is wrong:

route outside 0.0.0.0 0.0.0.0 1.1.1.1

route outside 192.168.35.0 255.255.255.0 1.1.1.1

Please fix them.

Regards,

Wajih

Hi Wajih,

That was set up properly; I changed my config as per my client's security request. I am posting the route info.

I am able to ping my ASA interface from any device in the inside network. I am even able to ping all the devices when I connect with the VPN, so as far as I know there are no connectivity issues to the ASA gateway.

C    xx.xx.101.88 255.255.255.248 is directly connected, outside

C    127.1.0.0 255.255.0.0 is directly connected, _internal_loopback

C    192.168.50.0 255.255.255.0 is directly connected, dmz

C    192.168.35.0 255.255.255.0 is directly connected, inside

S    192.168.1.0 255.255.255.0 [1/0] via xx.xx.101.89, outside

S*   0.0.0.0 0.0.0.0 [1/0] via xx.xx.101.89, outside

outside interface xx.xx.101.90

Regards,

Rajesh

rajesh.yadla
Level 1

Hi all,

Could someone help me with this? It is an urgent issue. I don't know why we are not able to connect to each other's internal machines.

See the debug ICMP messages:

ASA1 :

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10253 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10509 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10765 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11021 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11277 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11533 len=32

ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11789 len=32

ASA2 :

ICMP echo request from outside:192.168.35.110 to inside:192.168.1.100 ID=512 seq=10253 len=32

ICMP echo request from outside:192.168.35.110 to inside:192.168.1.100 ID=512 seq=10509 len=32

ICMP echo request from outside:192.168.35.110 to inside:192.168.1.100 ID=512 seq=10765 len=32

Both ASAs are getting the request but no reply. Please help me.

Regards,

Rajesh.Yadla
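The debug output in this post shows the symptom that the accepted answer later explains: echo requests cross each ASA from outside to inside, and no echo reply ever comes back, which points at the return path on the LAN (a host gateway or L3 switch without a route to the remote subnet) rather than at the tunnel. The script below, added here as an example and not part of the thread or of Cisco's tooling, pairs `debug icmp trace` requests with their replies by addresses, ICMP ID and sequence number and reports, per target host, how many requests were seen and how many were answered. The sample trace is constructed in the format of the lines posted above, with one extra target that does answer so the two cases can be compared.

```python
"""Pair ICMP echo requests with replies in Cisco ASA 'debug icmp trace' output.

Added example for this thread, not Cisco's own tooling.
"""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample in the format of the debug lines posted in the thread.
# 192.168.35.110 never answers; 192.168.35.20 does.
SAMPLE_TRACE = """\
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10253 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10509 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10765 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.20 ID=512 seq=10766 len=32
ICMP echo reply from inside:192.168.35.20 to outside:192.168.1.100 ID=512 seq=10766 len=32
"""

TRACE_RE = re.compile(
    r"ICMP echo (request|reply) from ([\w-]+):([\d.]+) to ([\w-]+):([\d.]+) "
    r"ID=(\d+) seq=(\d+) len=(\d+)"
)


def parse_trace(text: str):
    """Yield (kind, src_if, src_ip, dst_if, dst_ip, icmp_id, seq) for each trace line."""
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if m:
            kind, sif, sip, dif, dip, icmp_id, seq, _length = m.groups()
            yield kind, sif, sip, dif, dip, int(icmp_id), int(seq)


def unanswered_requests(text: str) -> list[tuple[str, str, int, int]]:
    """Return (requester, target, id, seq) for every request with no matching reply."""
    requests: set[tuple[str, str, int, int]] = set()
    replies: set[tuple[str, str, int, int]] = set()
    for kind, _sif, sip, _dif, dip, icmp_id, seq in parse_trace(text):
        if kind == "request":
            requests.add((sip, dip, icmp_id, seq))
        else:
            # A reply travels from the target back to the requester, so swap the ends
            # to build the same key the request produced.
            replies.add((dip, sip, icmp_id, seq))
    return sorted(requests - replies)


def reply_rate_by_target(text: str) -> dict[str, tuple[int, int]]:
    """Per target host: (requests seen, requests answered). (n, 0) is the thread's symptom."""
    seen: Counter[str] = Counter()
    answered: Counter[str] = Counter()
    missing = set(unanswered_requests(text))
    for kind, _sif, sip, _dif, dip, icmp_id, seq in parse_trace(text):
        if kind == "request":
            seen[dip] += 1
            if (sip, dip, icmp_id, seq) not in missing:
                answered[dip] += 1
    return {host: (seen[host], answered[host]) for host in seen}


if __name__ == "__main__":
    for host, (n_seen, n_answered) in reply_rate_by_target(SAMPLE_TRACE).items():
        verdict = "no replies: check the host's route back" if n_answered == 0 else "ok"
        print(f"{host}: {n_answered}/{n_seen} answered -> {verdict}")
```

A target that shows requests but zero replies while another host on the same inside segment answers normally is exactly the pattern that separates a tunnel or ACL problem (no requests would arrive at all) from the routing gap on the LAN side that the accepted answer identifies.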

Hi Rajesh,

Are you sure that the access list applied on inside interface is only the following ACL rule:

access-list IN_ACL extended permit ip any any


Hi Wajih,

Yes, I have given this access list because of these connection issues. I have applied it on both ASAs' internal interfaces.

It's strange; I have re-configured the ASA too and still have the same issue.

Regards,

Rajesh

Hi Rajesh,

We need to run some captures to let us understand what is going on:

Step 1: Please run the following commands on both ASAs:

access-list capin extended permit icmp 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0

access-list capin extended permit icmp 192.168.1.0 255.255.255.0 192.168.35.0 255.255.255.0

capture capin access-list capin interface inside

Step 2: Run a ping request from a host behind the firewall.

Step 3: Run the following command on both ASAs and provide me with the outputs:

show cap capin

Also please provide me with:

show crypto ipsec sa

Regards,

Wajih