ASA 5512 (7.3) IPSec Multiple Subnet not working

Schulze633
Level 1

Hello all,

 

I have a big problem and hopefully you can give me some information on how I can solve the issue.

 

Little drawing: Zeichnung1.jpg

 

172.16.0.0/16 internal Network Site A
192.168.99.0/24 DMZ Site A

 

192.168.10.0/24 internal Network Site B

The IPSec tunnel between Site A and B is working

Internal Networks have communication

Now the DMZ should also get added to the Tunnel.

 

In pfSense I added a second Phase 2 entry for this tunnel.

In the ASA I added the new range to the crypto map.

But the second subnet is not reachable, and the phase 2 itself doesn't come online...

When I deactivate the internal subnet of Site A in pfSense, the DMZ subnet comes online and I can reach the DMZ from Site B.

I don't know where the issue is. Can you help me please?

 

IKEv2 SAs:
Session-id:214, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
1007753743             XXXXXXXXX/500     XXXXXXX/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1802 sec
      Session-id: 214
      Status Description: Negotiation done
      Local spi: 5B69356A72DF74FA       Remote spi: 601999957CA5470D
      Local id: XXXXXXXXX
      Remote id: XXXXXXXX
      Local req mess id: 0              Remote req mess id: 2
      Local next mess id: 0             Remote next mess id: 2
      Local req queued: 0               Remote req queued: 2
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  192.168.10.0/0 - 192.168.10.255/65535
          remote selector 172.16.0.0/0 - 172.16.255.255/65535
          ESP spi in/out: 0x3ba4250d/0xc36e33d3
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: MD596
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
crypto map Outside_map 1 match address VPN_LPZ
crypto map Outside_map 1 set pfs group5
crypto map Outside_map 1 set connection-type answer-only
crypto map Outside_map 1 set peer XXXXXXXX
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES-256-SHA256
crypto map Outside_map 1 set ikev2 pre-shared-key
crypto map Outside_map 1 set security-association lifetime kilobytes unlimited
access-list VPN_LPZ extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit ip 192.168.10.0  255.255.255.0 192.168.99.0 255.255.255.0
access-list VPN_LPZ extended permit icmp 192.168.10.0  255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit icmp 192.168.10.0  255.255.255.0 192.168.99.0 255.255.255.0
access-list VPN_LPZ extended permit udp 192.168.10.0  255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit udp 192.168.10.0  255.255.255.0 192.168.99.0 255.255.255.0
access-list VPN_LPZ extended permit tcp 192.168.10.0  255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit tcp 192.168.10.0  255.255.255.0 192.168.99.0 255.255.255.0

Is there a bug in the firmware?

Is there something missing that you need for additional information?

 

Many thanks in advance.

 


Bogdan Nita
VIP Alumni

From the description provided it seems the issue is on the pfSense.

Configuration on the ASA should be OK, but you only need the ip entries in the crypto ACL.

Is 7.3 the ASA version? If yes, that is really old.

In order to get more info you could enable debug crypto ipsec 255 on the ASA and then generate traffic in order to try to bring up the new SA.
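As an added example (not part of the thread and not from Cisco or pfSense), here is a Python script that reads the "show crypto ikev2 sa" output quoted in the question and reports which of the selector pairs in the crypto ACL have no child SA yet, and which negotiated algorithms a current policy would treat as legacy. The sample output and the expected selector list are constructed from what is posted above; the legacy-algorithm list and the minimum DH group are assumed policy values, not anything the thread states.

```python
import ipaddress
import re

# Constructed copy of the 'show crypto ikev2 sa' output from the question,
# with the peer addresses left masked as they are in the post.
IKEV2_SA_OUTPUT = """\
IKEv2 SAs:
Session-id:214, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
1007753743             XXXXXXXXX/500     XXXXXXX/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1802 sec
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
Child sa: local selector  192.168.10.0/0 - 192.168.10.255/65535
          remote selector 172.16.0.0/0 - 172.16.255.255/65535
          ESP spi in/out: 0x3ba4250d/0xc36e33d3
          Encr: AES-CBC, keysize: 256, esp_hmac: MD596
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
"""

# Selector pairs the VPN_LPZ crypto ACL in the question is meant to protect (ASA side first).
EXPECTED_CHILD_SAS = [("192.168.10.0/24", "172.16.0.0/16"),
                      ("192.168.10.0/24", "192.168.99.0/24")]

# Assumed policy: algorithm-name prefixes to flag, and the smallest acceptable DH group.
LEGACY_PREFIXES = ("3DES", "DES", "MD5")
MIN_DH_GROUP = 14

COUNT_RE = re.compile(r"Status:(?P<status>[\w-]+), IKE count:(?P<ike>\d+), CHILD count:(?P<child>\d+)")
IKE_RE = re.compile(r"Encr: (?P<encr>[\w-]+), Hash: (?P<hash>\w+), DH Grp:(?P<dh>\d+)")
SEL_RE = re.compile(r"(local|remote) selector\s+([\d.]+)/\d+ - ([\d.]+)/\d+")
ESP_RE = re.compile(r"Encr: (?P<encr>[\w-]+), keysize: (?P<ks>\d+), esp_hmac: (?P<hmac>\w+)")


def range_to_cidr(first, last):
    """Collapse an 'a.b.c.d - w.x.y.z' selector range to CIDR when it is a single prefix."""
    nets = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return str(nets[0]) if len(nets) == 1 else f"{first}-{last}"


def parse_ikev2_sa(text):
    """Extract IKE SA status/algorithms and every child SA's selectors and ESP algorithms."""
    sa = {"status": None, "child_count": 0, "ike": None, "children": []}
    current = None
    for line in text.splitlines():
        m = COUNT_RE.search(line)
        if m:
            sa["status"], sa["child_count"] = m["status"], int(m["child"])
            continue
        m = IKE_RE.search(line)
        if m and sa["ike"] is None:
            sa["ike"] = m.groupdict()
            continue
        m = SEL_RE.search(line)
        if m:
            side, first, last = m.groups()
            if side == "local":  # a new child SA starts with its local selector
                current = {"local": range_to_cidr(first, last), "remote": None, "esp": None}
                sa["children"].append(current)
            elif current:
                current["remote"] = range_to_cidr(first, last)
            continue
        m = ESP_RE.search(line)
        if m and current:
            current["esp"] = m.groupdict()
    return sa


def missing_child_sas(sa, expected):
    """Expected (local, remote) selector pairs that have no child SA in the output."""
    present = {(c["local"], c["remote"]) for c in sa["children"]}
    return [pair for pair in expected if pair not in present]


def legacy_algorithms(sa):
    """Negotiated algorithm names that fall under the assumed legacy policy."""
    def is_legacy(name):
        return any(name.upper().startswith(p) for p in LEGACY_PREFIXES)
    found = []
    ike = sa["ike"]
    if ike:
        found += ["IKE:" + v for v in (ike["encr"], ike["hash"]) if is_legacy(v)]
        if int(ike["dh"]) < MIN_DH_GROUP:
            found.append(f"IKE:DH group {ike['dh']}")
    for child in sa["children"]:
        esp = child["esp"]
        if esp:
            found += ["ESP:" + v for v in (esp["encr"], esp["hmac"]) if is_legacy(v)]
    return found


if __name__ == "__main__":
    sa = parse_ikev2_sa(IKEV2_SA_OUTPUT)
    print("IKE SA status:", sa["status"], "child SAs:", sa["child_count"])
    print("missing child SAs:", missing_child_sas(sa, EXPECTED_CHILD_SAS))
    print("legacy algorithms:", legacy_algorithms(sa))
```

Run against the posted output it reports the DMZ pair (192.168.10.0/24 to 192.168.99.0/24) as the child SA that never came up, which is the symptom the question describes; the algorithm report is a side check a reviewer would want before touching a tunnel that still negotiates 3DES and MD5.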


Thanks for the quick analysis.

Yes, the ASA is still on 7.3. An update is needed - for sure.

I tried to get the SA online by using ICMP to the remote gateway 192.168.99.1, but nothing happened.

Here is the output from debug crypto ipsec 255:

bufw-n001# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=192.168.10.211, sport=1792, daddr=192.168.99.1, dport=1792
IPSEC(crypto_map_check)-5: Checking crypto map Outside_map 1: skipping dormant map.
IPSEC(crypto_map_check)-5: Checking crypto map Outside_map 1: skipping dormant map.
IPSEC(crypto_map_check)-5: Checking crypto map Outside_map 2: skipping because 5-tuple does not match ACL Outside_cryptomap_TEST.
IPSEC(crypto_map_check)-5: Checking crypto map Outside_map 65535: skipping dynamic_link.
IPSEC(crypto_map_check)-1: Error: No crypto map matched.

This is the point I don't understand:

IPSEC(crypto_map_check)-1: Error: No crypto map matched.

As you can see I added the range to the crypto map...

I have a workaround by using IKEv1 and not IKEv2....

 

Thanks for help :-)

 

Glad you got the problem solved.

 

Just to offer an explanation: the ASA was unable to find a match because the pfSense was sending:

saddr=192.168.10.211, daddr=192.168.99.1

, but based on the config the ASA should receive something like:

saddr=192.168.10.0/24, daddr=192.168.99.0/24
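Added example, not from the thread and not the ASA's own matching code: a small Python model of the crypto ACL check behind the debug lines above. It parses the VPN_LPZ entries posted in the question, tests the 5-tuple from the debug output against them (confirming the ACL itself does cover the pinged flow), lists the protocol-specific entries that the ip entries already cover (the point made in the accepted answer), and classifies a proposed phase 2 selector pair as exact, narrower (host addresses inside the configured subnets, as in the explanation above) or unmatched. The ACL text and the debug line are constructed copies of what is posted; the selector classification is a simplified model.

```python
import ipaddress
import re

# Constructed copy of the crypto ACL posted in the question (all eight entries).
CRYPTO_ACL = """\
access-list VPN_LPZ extended permit ip 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit ip 192.168.10.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list VPN_LPZ extended permit icmp 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit icmp 192.168.10.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list VPN_LPZ extended permit udp 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit udp 192.168.10.0 255.255.255.0 192.168.99.0 255.255.255.0
access-list VPN_LPZ extended permit tcp 192.168.10.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list VPN_LPZ extended permit tcp 192.168.10.0 255.255.255.0 192.168.99.0 255.255.255.0
"""

# The 5-tuple line from the debug crypto ipsec output in the thread.
DEBUG_LINE = ("IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: "
              "Prot=1, saddr=192.168.10.211, sport=1792, daddr=192.168.99.1, dport=1792")

ACE_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)\s*$")
TUPLE_RE = re.compile(
    r"Prot=(?P<prot>\d+), saddr=(?P<saddr>[\d.]+), sport=(?P<sport>\d+), "
    r"daddr=(?P<daddr>[\d.]+), dport=(?P<dport>\d+)")
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}  # None means any protocol


def parse_acl(text):
    """Turn ASA 'access-list ... extended permit' lines into network objects."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a simple permit ACE
        entries.append({
            "name": m["name"],
            "proto": PROTO[m["proto"]],
            "src": ipaddress.ip_network(f"{m['src']}/{m['smask']}", strict=False),
            "dst": ipaddress.ip_network(f"{m['dst']}/{m['dmask']}", strict=False),
        })
    return entries


def parse_five_tuple(line):
    """Extract protocol and addresses from a crypto_map_check debug line."""
    m = TUPLE_RE.search(line)
    if not m:
        raise ValueError("no 5-tuple in line")
    return {"prot": int(m["prot"]),
            "saddr": ipaddress.ip_address(m["saddr"]),
            "daddr": ipaddress.ip_address(m["daddr"])}


def matching_aces(acl, flow):
    """ACEs whose protocol and source/destination networks cover the flow."""
    return [e for e in acl
            if (e["proto"] is None or e["proto"] == flow["prot"])
            and flow["saddr"] in e["src"] and flow["daddr"] in e["dst"]]


def redundant_aces(acl):
    """Protocol-specific ACEs already covered by an 'ip' ACE with the same networks."""
    ip_pairs = {(e["src"], e["dst"]) for e in acl if e["proto"] is None}
    return [e for e in acl if e["proto"] is not None and (e["src"], e["dst"]) in ip_pairs]


def classify_selectors(acl, local, remote):
    """Compare a proposed phase 2 selector pair (ASA side first) with the crypto ACL.

    Simplified model: 'exact' when an ACE has exactly these networks, 'narrower'
    when the proposal lies inside an ACE but is smaller (e.g. host addresses),
    'none' when no ACE covers it.
    """
    local, remote = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    result = "none"
    for e in acl:
        if e["src"] == local and e["dst"] == remote:
            return "exact"
        if local.subnet_of(e["src"]) and remote.subnet_of(e["dst"]):
            result = "narrower"
    return result


if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL)
    flow = parse_five_tuple(DEBUG_LINE)
    print("ACEs covering the pinged flow:", len(matching_aces(acl, flow)))
    print("ACEs made redundant by the ip entries:", len(redundant_aces(acl)))
    print("host selectors:", classify_selectors(acl, "192.168.10.211/32", "192.168.99.1/32"))
    print("subnet selectors:", classify_selectors(acl, "192.168.10.0/24", "192.168.99.0/24"))
```

The debug line above is the case the script is built around: the ACL covers the ping (two ACEs match it), while a host-to-host selector pair comes back as narrower than the configured /24 networks, which is the mismatch the explanation describes.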