04-15-2021 05:20 AM
Struggling trying to get this working with site-to-site tunnels. Local subnets to tunnel and tunnel to local subnets work as expected; however, from tunnel A to tunnel B there is no traffic. Packet tracer shows everything is good, but no go. Any ideas would sure help. Here is a packet tracer result:
asa# packet-tracer input outside tcp 10.10.10.50 80 10.10.11.50 80 detail
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static netA_private netA_private destination static netB_private netB_private no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.10.11.50/80 to 10.10.11.50/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object netA_private object netB_private
Additional Information:
Forward Flow based lookup yields rule:
in id=0x764e5a68, priority=13, domain=permit, deny=false
hits=1, user_data=0x70fdaa40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.10.11.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static netA_private netA_private destination static netB_private netB_private no-proxy-arp
Additional Information:
Static translate 10.10.10.50/80 to 10.10.10.50/80
Forward Flow based lookup yields rule:
in id=0x760d3cf0, priority=6, domain=nat, deny=false
hits=0, user_data=0x754b0b20, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.10.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.10.11.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x6ee83a60, priority=1, domain=nat-per-session, deny=true
hits=32496159, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x754d7308, priority=0, domain=inspect-ip-options, deny=true
hits=54558986, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x75605028, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=5652474, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,outside) source static netA_private netA_private destination static netB_private netB_private no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x76136ac8, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x760d3c38, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.10.11.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=outside
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x6ee83a60, priority=1, domain=nat-per-session, deny=true
hits=32496161, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x754d7308, priority=0, domain=inspect-ip-options, deny=true
hits=54558988, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 55407618, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
04-15-2021 05:42 AM
Do you have same-security-traffic permit intra-interface configured on the ASA?
Check show crypto ipsec sa. Do the encaps|decaps increase when you generate interesting traffic over the tunnel?
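One way to automate the encaps/decaps check suggested above, as an added example that is not from the thread: it parses two snapshots of show crypto ipsec sa taken a few seconds apart and reports, per SA, which counters moved. The SA fragments are constructed sample text (not the poster's output), and the reading attached to each counter pattern is the usual troubleshooting interpretation, not something the thread states.

```python
import re

# Constructed 'show crypto ipsec sa' fragments (not output from the thread);
# only the fields the encaps/decaps check needs are reproduced.
SA_TMPL = """\
      local ident (addr/mask/prot/port): ({loc}/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): ({rem}/255.255.255.0/0/0)
      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}
      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}
"""

def snapshot(*sas):
    return "interface: outside\n" + "".join(SA_TMPL.format(**sa) for sa in sas)
# Hub view: the SA toward site A carries netB<->netA, the one toward site B netA<->netB.
SNAP_BEFORE = snapshot(dict(loc="10.10.11.0", rem="10.10.10.0", enc=500, dec=700),
                       dict(loc="10.10.10.0", rem="10.10.11.0", enc=1200, dec=1150))
SNAP_AFTER = snapshot(dict(loc="10.10.11.0", rem="10.10.10.0", enc=500, dec=740),
                      dict(loc="10.10.10.0", rem="10.10.11.0", enc=1240, dec=1150))
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+)/")
CTR_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return {(local_net, remote_net): {'encaps': n, 'decaps': n}} for each SA."""
    sas, cur = {}, {}
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            cur[m.group(1)] = m.group(2)
        elif m := CTR_RE.search(line):
            cur[m.group(1)] = int(m.group(2))
        if "encaps" in cur and "decaps" in cur:  # the decaps line closes an SA block
            sas[(cur["local"], cur["remote"])] = {"encaps": cur["encaps"], "decaps": cur["decaps"]}
            cur = {}
    return sas
# What a counter pattern between two snapshots points at: (encaps grew?, decaps grew?).
VERDICT = {
    (True, True): "bidirectional: traffic flows both ways on this SA",
    (True, False): "sent but nothing returned: check the far-end firewall",
    (False, True): "received but nothing sent back: check local crypto ACL, NAT, intra-interface permit",
    (False, False): "no change: the test traffic is not matching this crypto ACL",
}

def diagnose(before, after):
    """Per SA: (encaps delta, decaps delta, verdict) between two snapshots."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    report = {}
    for key, cnt in a.items():
        d_enc = cnt["encaps"] - b.get(key, cnt)["encaps"]
        d_dec = cnt["decaps"] - b.get(key, cnt)["decaps"]
        report[key] = (d_enc, d_dec, VERDICT[(d_enc > 0, d_dec > 0)])
    return report
```

In the constructed sample the hub decrypts from site A and encrypts toward site B but nothing comes back on either SA, which is the pattern that sends you to the far-end firewall as the reply suggests.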
04-15-2021 05:52 AM
Yes on both.
04-15-2021 06:00 AM
Well, if you are generating traffic and encaps are increasing, check the other firewall and confirm traffic is received. Run packet-tracer on the other firewall.
04-15-2021 06:57 AM
These are active production tunnels, so there is other traffic, not just my test. As far as the firewall on the opposite end, I have multiple subnets routed further downstream on the inside edge of the ASA and all are functional in both directions with these tunnels; it's just tunnel-to-tunnel traffic that is failing.