06-07-2010 12:38 PM
Hello,
I have had a big issue for the last two days trying to figure out a site-to-site VPN between an ASA 5520 and a 2621 router. On my end there is a firewall and on the customer's end there is a router. The phase-1 and phase-2 negotiations succeed, and I have also seen packets coming in from the remote side. But from my side I did not see any packets flowing. I checked the host and it responds to ICMP, and there is no router or firewall in between that could reroute it, nor any other ACL. The interesting thing is that if I do a packet trace it doesn't show any failure. I am also sending the log report, some screenshots I took with packet tracer, and other command output (the configuration on the firewall and on the router) as attachments.
Thanks in advance for the help.
/var/log/firewall # tail -f firewall.log | grep X.X.X.X
Jun 7 21:28:34 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=ef02801e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 7 21:28:34 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Jun 7 21:28:34 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Jun 7 21:28:34 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE (seq number 0x55622a9e)
Jun 7 21:28:34 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622a9e)
Jun 7 21:28:34 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Jun 7 21:28:34 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Jun 7 21:28:34 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=3c17cf80) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 7 21:28:47 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=50c9b74e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 7 21:28:47 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Jun 7 21:28:47 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Jun 7 21:28:47 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE (seq number 0x55622a9f)
Jun 7 21:28:47 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622a9f)
Jun 7 21:28:47 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Jun 7 21:28:47 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Jun 7 21:28:47 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=1caec174) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 7 21:29:00 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=45868afa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun 7 21:29:00 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = 85.18.56.130, processing hash payload
Jun 7 21:29:00 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = 85.18.56.130, processing notify payload
Jun 7 21:29:00 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = 85.18.56.130, Received keep-alive of type DPD R-U-THERE (seq number 0x55622aa0)
Jun 7 21:29:00 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = 85.18.56.130, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622aa0)
Jun 7 21:29:00 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = 85.18.56.130, constructing blank hash payload
Jun 7 21:29:00 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = 85.18.56.130, constructing qm hash payload
Jun 7 21:29:00 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=46b88111) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
06-08-2010 09:04 AM
Looks like the problem is on the ASA. From your other post, I see that you are using WAN_2_cryptomap_2 as your interesting traffic ACL, but it does not exist on the ASA. The interesting traffic ACLs should be mirror images of each other.
The router is sending traffic to the ASA, but there is no return traffic from the ASA to the router. You might check to see if the devices on the 172.25.100.0/24 network have a route through the ASA back to the 10.50.90.0/24 network.
HTH
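Two of the checks suggested in this answer (does the ACL the crypto map references exist at all, and are the two interesting-traffic ACLs exact mirror images) can be run mechanically against saved config text before touching either box. The script below is an added example for this thread, not Cisco code: it parses "permit ip" entries of ASA ACLs (subnet masks, "extended" keyword) and IOS numbered ACLs (wildcard masks) into (source, destination) network pairs and reports what each side is missing. The config fragments are constructed; the networks 172.25.100.0/24 and 10.50.90.0/24 and the ACL name WAN_2_cryptomap_2 come from the thread, while 172.25.101.0/24, the map names WAN_map and VPN, and ACL 101 are made up for illustration.

```python
"""Sanity checks for a site-to-site IPsec tunnel between a Cisco ASA and an
IOS router: (1) does every ACL a crypto map references actually exist, and
(2) are the two interesting-traffic ACLs exact mirror images of each other.
Constructed config fragments; only the /24s and WAN_2_cryptomap_2 come from
the thread, the rest is made up for the example."""
import ipaddress
import re

# Constructed ASA fragment: the crypto map references an ACL that is never
# defined (the situation described in the thread); a similarly named ACL exists.
ASA_CONFIG = """\
crypto map WAN_map 2 match address WAN_2_cryptomap_2
access-list WAN_2_cryptomap extended permit ip 172.25.100.0 255.255.255.0 10.50.90.0 255.255.255.0
"""

# Constructed IOS fragment: wildcard masks, plus one extra entry the ASA lacks.
IOS_CONFIG = """\
crypto map VPN 10 ipsec-isakmp
 match address 101
access-list 101 permit ip 10.50.90.0 0.0.0.255 172.25.100.0 0.0.0.255
access-list 101 permit ip 10.50.90.0 0.0.0.255 172.25.101.0 0.0.0.255
"""

# ASA puts 'match address' on the crypto map line; IOS puts it on an indented sub-line.
MATCH_RE = re.compile(r"^\s*(?:crypto map \S+ \d+ )?match address (\S+)", re.M)


def undefined_match_acls(config):
    """ACL names referenced by 'match address' that have no access-list lines."""
    defined = set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) > 1 and tokens[0] == "access-list":
            defined.add(tokens[1])
    return set(MATCH_RE.findall(config)) - defined


def _endpoint(tokens, i, wildcard):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:  # an IOS wildcard mask is the bitwise inverse of a subnet mask
        mask = str(ipaddress.ip_address(int(ipaddress.ip_address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), i + 2


def parse_crypto_acl(config, name, wildcard):
    """(src, dst) network pairs of the 'permit ip' entries of ACL `name`.

    wildcard=False parses ASA syntax (subnet masks, 'extended' keyword);
    wildcard=True parses IOS syntax (wildcard masks, no 'extended').
    """
    pairs = set()
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[1] != name:
            continue
        i = 3 if t[2] == "extended" else 2
        if t[i] != "permit" or t[i + 1] != "ip":
            continue  # only permit-ip entries select traffic for the tunnel
        src, i = _endpoint(t, i + 2, wildcard)
        dst, _ = _endpoint(t, i, wildcard)
        pairs.add((src, dst))
    return pairs


def check_site_to_site(asa_cfg, asa_acl, ios_cfg, ios_acl):
    """Report undefined ACLs on the ASA and mirror-image gaps on either side."""
    asa_pairs = parse_crypto_acl(asa_cfg, asa_acl, wildcard=False)
    ios_pairs = parse_crypto_acl(ios_cfg, ios_acl, wildcard=True)
    mirrored_ios = {(d, s) for (s, d) in ios_pairs}  # what the ASA side should contain

    def fmt(pairs):
        return sorted(f"{s} -> {d}" for s, d in pairs)

    return {
        "undefined_on_asa": sorted(undefined_match_acls(asa_cfg)),
        "missing_on_asa": fmt(mirrored_ios - asa_pairs),
        "missing_on_router": fmt({(d, s) for (s, d) in asa_pairs - mirrored_ios}),
    }


if __name__ == "__main__":
    report = check_site_to_site(ASA_CONFIG, "WAN_2_cryptomap", IOS_CONFIG, "101")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against real `show running-config` output by replacing the two constructed fragments; an empty "undefined_on_asa" list and two empty "missing" lists are what you want to see before looking at routing or interface ACLs. The mask conversion is the part that usually bites when comparing ASA and IOS ACLs by eye, since a wildcard 0.0.0.255 and a mask 255.255.255.0 describe the same /24.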
06-08-2010 01:05 PM
Hello Simansfield,
You will see the crypto map ACL is associated with the WAN crypto map. I found that when I ping, the packet is not encrypted on my firewall. There is no issue with the routing as far as I have seen, because from the same local VLAN there are other VPNs and those work perfectly. I found one thing in the packet trace regarding the NAT exempt: when I packet-trace from my local LAN to the remote LAN where the VPN problem exists, it won't do the IPsec tunnel flow, whereas for the other VPNs which are working it can do that.
I have one question: does the IOS 8.2(1) have some bug for VPN connections with different devices? Because last week we had a VPN which is now not working anymore. But at that time the VPN needed to be initiated from my side; otherwise the remote network could not reach the local network. The remote network added a DNS IP to resolve the name and the VPN tunnel went down. After they removed that line the VPN came up, but no traffic flows from my local network anymore.
06-08-2010 07:37 PM
On the firewall it looks like you have an inbound access list on the VLAN 100 interface. Since there is an implicit deny all at the end of this ACL, and I don't see any rules allowing traffic from 172.25.100.0/24 to 10.50.90.0/24, this statement could be blocking the VPN traffic.
I did find a bug in IOS version 12.2. I did not see any bugs specific to this problem on the ASA.
CSCdu34352