It appears that my L2L VPN

c-carlyle · ‎02-23-2016

I have 2 new ASA 5505s 8.2(5) that I have an established VPN tunnel however there is no traffic passing over it. Cant figure out why...

ASA 1

show isa sa

ASA1# show isakmp sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.1.1.1
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
CandysScottASA#

show ipsec sa

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (MurfreesboroLAN/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4531, #pkts decrypt: 4531, #pkts verify: 4531
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7BED8968
current inbound spi : 7F92FF17

inbound esp sas:
spi: 0x7F92FF17 (2140339991)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373531/13816)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x7BED8968 (2079164776)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/13816)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA 2

show isa sa

ASA2# show isa sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 2.2.2.2
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE

show ipsec sa

interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1

access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (ScottsvilleLAN/255.255.255.0/0/0)
current_peer: 2.2.2.2

#pkts encaps: 4552, #pkts encrypt: 4552, #pkts digest: 4552
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4552, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 7F92FF17
current inbound spi : 7BED8968

inbound esp sas:
spi: 0x7BED8968 (2079164776)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/13749)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7F92FF17 (2140339991)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 126976, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914529/13749)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ASA1 shows decaps with no encaps, ASA2 shows encaps with no decaps.

sysopt connection permit-vpn has been issued on both units.

Any ideas on why this is happening?

Rohan Padwal · ‎02-25-2016

Check routing and nat config on the ASA1

encap 0 means this ASA is having issue in encrypting the packets (so either nat exempt is not present on the ASA or routing is incorrect)

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4531, #pkts decrypt: 4531, #pkts verify: 4531

nat (inside) 0 access-list nat_exemption
access-list nat_exemption extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0

please share the config for analysis.....

#Rohan

c-carlyle · ‎02-29-2016

Configs attached

Aditya Ganjoo · ‎02-29-2016

Hi,

Here is a quick test to check whether the ASA2 device (IP-2.2.2.2) is able to encrypt the packet or not.

On the ASA2 make the inside interface as "management-access inside".

Now from any device behind ASA1 try pinging the ASA2 inside IP (192.168.2.1).

If you get the replies then good.

If you do not then turn on debug icmp trace on ASA2 and see if the pings reach the ASA.

Do you see any request/reply in the debug ?

Also on ASA1 I see this in the configuration:

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 96.82.236.65

May I know the reason for using this IP, not sure if i am missing something ?

Regards,

Aditya

Rohan Padwal · ‎03-01-2016

Hello

i suppose this is a test setup

how are you initiating the traffic from the local lan at 192.168.1.0/24 network do you have a test pc which is initiating the traffic to the remote local network ????

from the config all looks good to me only prob is that its not encryption the packets

please ping using the management interface as Aditya suggested

Eg:

interface Vlan1
management-access inside

ping inside 192.168.2.1 repeat 100

use below acl to test the nonat

access-list nonat permit 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat

c-carlyle · ‎03-16-2016

I tried my ping from the management interface, still no love. I found some info on Cisco website about some buggy behavior on 8.2(5), I have upgraded both units to 8.4(7), same story. I am going on site to try to generate some traffic from devices on the inside network(s) to see what happens. Not sure why this is being so problematic. I have set these up many times in the past via the L2L VPN wizard in ASDM and it always just works, up until now.

c-carlyle · ‎03-17-2016

It appears that my L2L VPN config was good all along, I just didnt know it. I went on site yesterday, both locations are quite a drive and tested traffic on actual hosts on each inside network. The tunnel passed traffic as expected. I just got faked into thinking that it wasnt working as I could not get ASA inside to ASA inside traffic to go across the tunnel despite the management-access inside being applied to both ASAs.

c-carlyle · ‎03-01-2016

Sorry Aditya that was a sanitization error, the peer line should be represented by 2.2.2.2

Aditya Ganjoo · ‎03-01-2016

Hi,

Thanks for the info.

Please check the action plan and test.

Regards,

Aditya

Please rate helpful posts.

Diego Lopez · ‎02-29-2016

Hello,

On ASA1 you can set a

capture capin interface inside 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

send traffic then do a show capture capin

make sure that you see packets back and forward

also run a packet tracer:

packet tracer input inside icmp 192.168.1.5 8 0 192.168.2.5 de

check the VPN phase if is allow then the VPN tunnel is fine

please make sure you ping an internal host dont ping the interface itself if you do so please enable management access to the interfaces with the command:

management-access inside

So that the interface can replay to the pings

If this still dont resolve the issue you will probably need to reload ASA1 there could be a duplicate spi stuck that is not letting the traffic be encrypted

Regards, please rate!

ASA 5505 L2 VPN Wont Pass Traffic