ASA 5520-5505 L2L VPN cannot work

mengxi zhang
Level 1

ASA 5520(8.441)-----ASA 5505(8.441)
1.1.1.1       -----  2.2.2.2
192.168.0.0/17------192.168.200.0/24

ASA 5505:
object network inside
subnet 192.168.200.0 255.255.255.0
 

object network remote
subnet 192.168.0.0 255.255.128.0

access-list l2lvpn extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.128.0 

nat (inside,outside) source static inside inside destination static remote remote no-proxy-arp route-lookup


crypto ipsec ikev1 transform-set 1 esp-des esp-md5-hmac 
crypto map vpnmap 10 match address l2lvpn
crypto map vpnmap 10 set pfs 
crypto map vpnmap 10 set peer 1.1.1.1 
crypto map vpnmap 10 set ikev1 transform-set 1
crypto map vpnmap interface outside
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5     
group 2
lifetime 86400

group-policy l2lvpn internal
group-policy l2lvpn attributes
vpn-tunnel-protocol ikev1 

tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy l2lvpn
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****

ASA 5520 (172.16.30.0 is used for client VPN; it works well):

object network inside
subnet 192.168.0.0 255.255.128.0

object network remote-network
subnet 192.168.200.0 255.255.200.0

object network NETWORK_OBJ_172.16.30.0_24
subnet 172.16.30.0 255.255.255.0

access-list l2lvpn extended permit ip 192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.0 

nat (inside,outside) source static inside inside destination static remote-network remote-network no-proxy-arp route-lookup

nat (inside,outside) source static inside inside destination static NETWORK_OBJ_172.16.30.0_24 NETWORK_OBJ_172.16.30.0_24 no-proxy-arp route-lookup


crypto ipsec ikev1 transform-set 2 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set client esp-aes esp-md5-hmac ---(client)
crypto dynamic-map dyn1 10 set ikev1 transform-set client---(client)
crypto dynamic-map dyn1 10 set reverse-route---(client)
crypto map vpnmap 10 match address l2lvpn
crypto map vpnmap 10 set pfs 
crypto map vpnmap 10 set peer 2.2.2.2 
crypto map vpnmap 10 set ikev1 transform-set 2
crypto map vpnmap 60001 ipsec-isakmp dynamic dyn1
crypto map vpnmap interface outside
crypto isakmp identity address 
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

group-policy 2 internal
group-policy 2 attributes
vpn-tunnel-protocol ikev1 

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy 2
tunnel-group 2.2.2.2. ipsec-attributes
ikev1 pre-shared-key ****

 

ASA 5505:
ASA5505# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 


ASA5505#sh ipsec stats 

IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
    Bytes: 0
    Decompressed bytes: 0
    Packets: 0
    Dropped packets: 0
    Replay failures: 0
    Authentications: 0
    Authentication failures: 0
    Decryptions: 0
    Decryption failures: 0
    Decapsulated fragments needing reassembly: 0
Outbound
    Bytes: 31290
    Uncompressed bytes: 31290
    Packets: 298
    Dropped packets: 0
    Authentications: 298
    Authentication failures: 0
    Encryptions: 298
    Encryption failures: 0
    Fragmentation successes: 0
        Pre-fragmentation successses: 0
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 0
    PMTUs sent: 0
    PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0


ASA 5505#sh ipsec sa    
interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr: 2.2.2.2

      access-list l2lvpn extended permit ip 192.168.200.0 255.255.255.0 192.168.0.0 255.255.128.0 
      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
      current_peer: 1.1.1.1

      #pkts encaps: 305, #pkts encrypt: 305, #pkts digest: 305
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 305, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.:2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 2292754D
      current inbound spi : F51E25E9

    inbound esp sas:
      spi: 0xF51E25E9 (4112393705)
         transform: esp-des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 12288, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3915000/22718)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x2292754D (580023629)
         transform: esp-des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 12288, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (3914968/22718)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001


ASA 5520 
ASA5520# sh isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 


ASA5520# sh ipsec sa
interface: outside
    Crypto map tag: vpnmap, seq num: 10, local addr: 1.1.1.1

      access-list l2lvpn extended permit ip 192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.128.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 306, #pkts decrypt: 306, #pkts verify: 306
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: F51E25E9
      current inbound spi : 2292754D

    inbound esp sas:
      spi: 0x2292754D (580023629)
         transform: esp-des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 36864, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4373968/22478)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xF51E25E9 (4112393705)
         transform: esp-des esp-md5-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 36864, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4374000/22478)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
 

Ping does not work between the private IP networks over the L2L VPN. It seems there is no inbound data at the ASA 5505.

I'm confused. What happened? Could you help me? Thanks in advance.

Accepted Solutions

Hi,

Thanks for the information!

I noticed that you are pinging from the ASA itself to the remote site of the tunnel. In order to make that packet go through the VPN connection, you will need to source the ping from the inside interface; otherwise the packet will be sourced from the interface closest to the destination, in this case the outside interface. However, the outside IP address/subnet is not included in the VPN traffic. Please enable management access on the inside interface and then try the ping again sourced from the inside. Below are the outputs needed:

ASA(config)#management-access inside

ASA(config)#ping inside (remote host)

Note: If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.

 

Remember to check the routing for the packets coming back.

 

I hope this helps, 

 

Luis. 
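
The point made in the answer above, as an added example that is not part of the original post: a ping sourced from the outside address does not match the crypto ACL, while one sourced from the inside does. The ACL, the outside address and the target host come from the thread; the inside interface address 192.168.0.1 is a constructed value.

```python
import ipaddress

# Crypto ACL on the ASA 5520, as posted in the thread:
# access-list l2lvpn extended permit ip 192.168.0.0 255.255.128.0 192.168.200.0 255.255.255.0
CRYPTO_ACL = [("192.168.0.0", "255.255.128.0", "192.168.200.0", "255.255.255.0")]

# Interface addresses on the 5520. The outside address is from the thread;
# the inside address is a constructed value inside 192.168.0.0/17.
INTERFACES = {"outside": "1.1.1.1", "inside": "192.168.0.1"}


def matches_crypto_acl(acl, src, dst):
    """True if a packet src -> dst is selected for encryption by a permit entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(f"{sn}/{sm}") and d in ipaddress.ip_network(f"{dn}/{dm}")
        for sn, sm, dn, dm in acl
    )


def ping_enters_tunnel(source_interface, dst):
    """Would a ping sourced from this ASA interface match the crypto ACL?"""
    return matches_crypto_acl(CRYPTO_ACL, INTERFACES[source_interface], dst)


if __name__ == "__main__":
    target = "192.168.200.21"  # remote host pinged in the thread
    for ifname, addr in INTERFACES.items():
        verdict = "matches crypto ACL" if ping_enters_tunnel(ifname, target) else "no crypto ACL match"
        print(f"ping sourced from {ifname} ({addr}) -> {target}: {verdict}")
```
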

6 Replies

LA-Engineer
Level 1

I'm assuming you're pinging from a host on the 5505 side to a host on the 5520 side and vice-versa. Is the ping from the 5520 side hitting the 5520?  I would check that first. 

ASA5520# ping 192.168.0.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.12, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA5520# ping 192.168.200.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.21, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

ASA5505# ping 192.168.200.21
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.200.21, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/50/230 ms

ASA5505# ping 192.168.0.12  
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.12, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Luis,

Yeah, you are right.

I found my mistake, which was pinging from the ASA itself. From a host to the other host is OK!

Now, after adding 'management-access inside', I can do it on the ASA.

Thanks a lot!

 

laramire2
Level 1

Hi,

 

As we can see in the outputs, phase 1 and 2 are coming up using the correct crypto maps, which means that the VPN tunnel is properly configured. We can see the ASA 5505 encrypting the packets and the 5520 decrypting the packets; however, on the 5520 the packets are not being encrypted back through the VPN connection. This could be related to a NAT identity rule, a routing issue on the core behind the ASA 5520, or a route on the 5520. Please make sure that there is no route on the 5520 covering the 192.168.200.0/24 network that sends the packets through an interface other than the outside interface. You could configure a static route for the 192.168.200.0/24 network to make sure that it will take the VPN connection. For instance:

 

route outside 192.168.200.0 255.255.255.0 (next hop on the outside)

 

I checked the NAT rule on the 5520 and I could see that you specified an object group named remote-network. Based on the configuration attached the object group name is remote. I do not know if it was a typo but please correct it to make sure that’s not causing the problem.

Current configuration on ASA 5520:

object network inside
subnet 192.168.0.0 255.255.128.0

object network remote
subnet 192.168.200.0 255.255.200.0


nat (inside,outside) source static inside inside destination static remote-network remote-network no-proxy-arp route-lookup

 

Please correct as the one below if that’s needed:

 

nat (inside,outside) source static inside inside destination static remote remote no-proxy-arp route-lookup

 

As I mentioned previously we also need to make sure that we have the proper routes configured for the remote network (192.168.200.0/24) behind the ASA 5520. Remember that the packets need to get back to the ASA in order to send them back through the VPN connection.

 

I hope this helps,

 

Luis.
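
The counter comparison described in the reply above, as an added example that is not part of the original post: it parses the encaps/decaps lines from each peer's "sh ipsec sa" output and names the side that decrypts traffic but never encrypts a reply. The counter lines are copied from the thread; the function names are hypothetical.

```python
import re

# Counter lines copied from the "sh ipsec sa" output posted in the thread.
SA_5505 = """\
      current_peer: 1.1.1.1
      #pkts encaps: 305, #pkts encrypt: 305, #pkts digest: 305
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SA_5520 = """\
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 306, #pkts decrypt: 306, #pkts verify: 306
"""


def parse_counters(text):
    """Extract the peer address and encaps/decaps counters from SA output."""
    peer = re.search(r"current_peer:\s*(\S+)", text)
    found = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps):\s*(\d+)", text)}
    return {"peer": peer.group(1) if peer else None,
            "encaps": found.get("encaps", 0),
            "decaps": found.get("decaps", 0)}


def diagnose(name_a, sa_a, name_b, sa_b):
    """Compare both ends of one tunnel and list one-way traffic findings."""
    findings = []
    for tx_name, tx, rx_name, rx in ((name_a, sa_a, name_b, sa_b),
                                     (name_b, sa_b, name_a, sa_a)):
        if tx["encaps"] == 0 and tx["decaps"] > 0:
            # Traffic arrives and is decrypted, but nothing is encrypted back.
            findings.append(f"{tx_name} decrypts {tx['decaps']} packets but encrypts none: "
                            f"check traffic source, routing and NAT on the {tx_name} side")
        elif tx["encaps"] > 0 and rx["decaps"] == 0:
            # Packets are encrypted here but never decrypted by the peer.
            findings.append(f"{tx_name} encrypts {tx['encaps']} packets but {rx_name} "
                            f"decrypts none: check the ESP path between the peers")
    return findings


if __name__ == "__main__":
    for line in diagnose("ASA5505", parse_counters(SA_5505),
                         "ASA5520", parse_counters(SA_5520)):
        print(line)
```
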

1. The object name was a typo. I fixed it.

2. I added a route on the ASA 5520, such as 'route outside 192.168.200.0 255.255.255.0 2.2.2.2'. It still does not work.
