07-10-2020 08:09 PM
Hi, I have an IPSEC site-to-site VPN between two Cisco ASA 5505 firewalls. I have managed to get the VPN tunnel to establish; however, I seem to be unable to get any traffic to flow between the sites.
Network details are as follows:
Site A:
Network ID: 10.10.10.0 / 24
Firewall IP: 10.10.10.254 / 32
Lab WAN IP: 58.96.92.23 - Note that this IP is static
Site B:
Network ID: 10.10.11.0 / 24
Firewall IP: 10.10.10.254 / 32
Lab WAN IP: 60.242.142.249 - Note that this IP is dynamic but for the purposes of the LAB I am using this IP address
Also note that Site A has an AnyConnect client VPN configured as 10.1.1.0 / 24 in a split-tunnel.
For testing prior to deployment, I have both WAN interfaces connected to a router to simulate an Internet connection.
Testing already performed:
From the Site A router, I can ping 10.10.10.254, 58.96.92.23 and 60.242.142.249 but not 10.10.11.254.
From the Site B router, I can ping 10.10.11.254, 60.242.142.249 and 58.96.92.23 but not 10.10.10.254.
Also, I cannot ping any devices on the local subnets (10.10.10.0/24 and 10.10.11.0/24) through the tunnel.
The IPSEC tunnel establishes as shown below, however I cannot ping through it.
Site A Router:
sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:15, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1094343113 58.96.92.23/500 60.242.142.249/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/6886 sec
Child sa: local selector 10.10.10.0/0 - 10.10.10.255/65535
remote selector 10.10.11.0/0 - 10.10.11.255/65535
ESP spi in/out: 0xfd41a364/0x20d724fd
sh crypto ipsec sa
interface: outside
Crypto map tag: DMAP-VPN, seq num: 10, local addr: 58.96.92.23
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
current_peer: 60.242.142.249
#pkts encaps: 3588, #pkts encrypt: 3588, #pkts digest: 3588
#pkts decaps: 1076, #pkts decrypt: 1076, #pkts verify: 1076
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3588, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 58.96.92.23/500, remote crypto endpt.: 60.242.142.249/500
path mtu 1487, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 20D724FD
current inbound spi : FD41A364
inbound esp sas:
spi: 0xFD41A364 (4248937316)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65536, crypto-map: DMAP-VPN
sa timing: remaining key lifetime (kB/sec): (4054976/21823)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x20D724FD (550970621)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65536, crypto-map: DMAP-VPN
sa timing: remaining key lifetime (kB/sec): (3916589/21823)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B Router:
sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:16, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1336116309 60.242.142.249/500 58.96.92.23/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7632 sec
Child sa: local selector 10.10.11.0/0 - 10.10.11.255/65535
remote selector 10.10.10.0/0 - 10.10.10.255/65535
ESP spi in/out: 0x20d724fd/0xfd41a364
sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 60.242.142.249
access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 58.96.92.23
#pkts encaps: 1076, #pkts encrypt: 1076, #pkts digest: 1076
#pkts decaps: 3860, #pkts decrypt: 3860, #pkts verify: 3860
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1076, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 60.242.142.249/500, remote crypto endpt.: 58.96.92.23/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FD41A364
current inbound spi : 20D724FD
inbound esp sas:
spi: 0x20D724FD (550970621)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 77824, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4100893/21141)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xFD41A364 (4248937316)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 77824, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4147136/21141)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
I have attached both router configs.
07-11-2020 12:26 AM - edited 07-11-2020 12:35 AM
Hi,
Do you have a router connected to the inside interface of Site A and Site B ASA firewalls?
Can you confirm what your physical setup is, please?
If you are testing from the ASA itself, traffic will not originate from the inside interface (which is the network you've defined in your crypto ACL for interesting traffic). You should test by pinging through the VPN tunnel, to/from a device connected behind each ASA.
HTH
07-12-2020 06:10 AM
Hi Rob,
Thank you so much for your advice thus far. I have since connected a Cisco 1841 router to the inside interface of Site B and set its IP address to 10.10.11.100. I'm now using this device to ping 10.10.10.254, as I don't have any devices connected to the inside interface of the Site A router, so its protocol state is 'down'. This may be part of the problem, I'm not sure.
07-12-2020 07:27 AM
07-11-2020 02:16 PM
The first thing I suggest you do is configure the crypto access lists at Site B to be: access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-REMOTE-SITE-LAN object OBJ-MAIN-SITE-LAN
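A small added check (not from the original thread or from Cisco) that reads the two "sh crypto ipsec sa" outputs quoted above and confirms what a troubleshooter would look at first: whether the crypto ACL selectors on both ASAs mirror each other, whether the encaps/decaps counters show packets actually crossing the tunnel in each direction, and whether the negotiated SA settings differ between the peers. The excerpts are constructed from the output posted above; the field names match the ASA output format.

```python
import re

# Constructed excerpts of the two "sh crypto ipsec sa" outputs quoted in the thread.
SITE_A = """\
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
#pkts encaps: 3588, #pkts encrypt: 3588, #pkts digest: 3588
#pkts decaps: 1076, #pkts decrypt: 1076, #pkts verify: 1076
in use settings ={L2L, Tunnel, IKEv2, }
"""
SITE_B = """\
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
#pkts encaps: 1076, #pkts encrypt: 1076, #pkts digest: 1076
#pkts decaps: 3860, #pkts decrypt: 3860, #pkts verify: 3860
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
"""


def parse_sa(text):
    """Pull selectors, packet counters and SA settings out of an ASA 'show crypto ipsec sa' excerpt."""
    info = {}
    m = re.search(r"local ident.*: \(([\d.]+)/([\d.]+)/", text)
    info["local"] = f"{m.group(1)}/{m.group(2)}"
    m = re.search(r"remote ident.*: \(([\d.]+)/([\d.]+)/", text)
    info["remote"] = f"{m.group(1)}/{m.group(2)}"
    info["encaps"] = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    info["decaps"] = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    m = re.search(r"in use settings =\{(.*?)\}", text)
    info["settings"] = {s.strip() for s in m.group(1).split(",") if s.strip()}
    return info


def diagnose(a, b):
    """Compare the two ends of one L2L tunnel and return a list of findings."""
    findings = []
    if a["local"] == b["remote"] and a["remote"] == b["local"]:
        findings.append("selectors mirror each other")
    else:
        findings.append("crypto ACL selectors are not mirror images")
    # Packets one side encapsulates should appear as decaps on the other side.
    if a["encaps"] > 0 and b["decaps"] >= a["encaps"]:
        findings.append("A->B traffic is crossing the tunnel")
    if b["encaps"] > 0 and a["decaps"] >= b["encaps"]:
        findings.append("B->A traffic is crossing the tunnel")
    diff = a["settings"] ^ b["settings"]  # settings present on only one peer
    if diff:
        findings.append("SA settings differ: " + ", ".join(sorted(diff)))
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_sa(SITE_A), parse_sa(SITE_B)):
        print(line)
```

When both directions show packets crossing the tunnel yet pings still fail, the drop is happening after decryption (inside routing, NAT exemption, interface state or the target host) rather than in the tunnel itself, which is why testing from a device behind each ASA, as suggested above, is the next step.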