Hello!
We use vpn-filter on central ASA 5520 (8.4(2)) to control traffic from remote sites.
At remote sites we have 5505 and IPsec L2L to each of them.
L2L crypto-acls look like this:
access-list vpn-site1 extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
access-list vpn-site2 extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
...
When we implemented vpn-filter, all had been working fine for a week.
Then suddenly all remote sites lost its connectivity with central LAN segment, situated behind the inside 5520 interface.
At the same time on 5520:
- crypro ipsec sa peer shows that IPsec is established and encaps/decaps counters are increasing
- capture on inside interfaces shows traffic travelling from LAN to region and no traffic from region to LAN
- sysopt connection permit-vpn feature is enabled, so we do not need to permit traffic from VPN on outside interface
- clearing clear cry isa sa solve the problem for several minutes, but then connection to remote site is lost again
- monitoring the rules in filter acl shows us
%ASA-6-106102: access-list regions-acl permitted icmp for user '<unknown>' inside/10.1.1.2(8) -> outside/172.16.1.10(0) hit-cnt 54 300-second interval
%ASA-6-106102: access-list regions-acl permitted icmp for user '<unknown>' outside/172.16.1.10(0) -> inside/10.1.1.2(0) hit-cnt 1 first hit
Config on central site 5520:
object-group network regions
network-object 172.16.0.0 255.255.0.0
network-object 192.168.0.0 255.255.0.0
!
object-group network center
network-object 10.0.0.0 255.0.0.0
!
access-list regions-acl extended permit ip object-group regions object-group center
!
group-policy region-filter internal
group-policy region-filter attributes
vpn-filter value regions-acl
!
tunnel-group <peer_ip> general-attributes
default-group-policy region-filter
!
What can cause such kind of problem?
Is there any BUGs with 8.4(2) using VPN filters?
We have the same sheme on 5520 with 8.2(4) and no problems with it, all works fine!
