ASA IPSEC Site to Site VPN Connecting but no traffic flow

xlr8r2000
Level 1

Hi, I have an IPSEC site to site VPN between two Cisco ASA 5505 firewalls. I have managed to get the VPN tunnel to establish, however, I seem to be unable to get any traffic to flow between the sites.

Network details are as follows:

Site A:

Network ID: 10.10.10.0 / 24

Firewall IP: 10.10.10.254 / 32

Lab WAN IP: 58.96.92.23 - Note that this IP is static

Site B:

Network ID: 10.10.11.0 / 24

Firewall IP: 10.10.10.254 / 32

Lab WAN IP: 60.242.142.249 - Note that this IP is dynamic but for the purposes of the LAB I am using this IP address

Also note that Site A has an AnyConnect client VPN configured as 10.1.1.0 / 24 in a split-tunnel.

For testing prior to deployment, I have both WAN interfaces connected to a router to simulate an Internet connection.

Testing already performed:

From the Site A router, I can ping 10.10.10.254, 58.96.92.23 and 60.242.142.249 but not 10.10.11.254.

From the Site B router, I can ping 10.10.11.254, 60.242.142.249 and 58.96.92.23 but not 10.10.10.254.

Also, I cannot ping any devices on the local subnets (10.10.10.0/24 and 10.10.11.0/24) through the tunnel.

The IPSEC tunnel establishes as shown below, however I cannot ping through it.

Site A Router:

sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:15, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1094343113 58.96.92.23/500 60.242.142.249/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/6886 sec
Child sa: local selector 10.10.10.0/0 - 10.10.10.255/65535
remote selector 10.10.11.0/0 - 10.10.11.255/65535
ESP spi in/out: 0xfd41a364/0x20d724fd

sh crypto ipsec sa
interface: outside
Crypto map tag: DMAP-VPN, seq num: 10, local addr: 58.96.92.23

local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
current_peer: 60.242.142.249


#pkts encaps: 3588, #pkts encrypt: 3588, #pkts digest: 3588
#pkts decaps: 1076, #pkts decrypt: 1076, #pkts verify: 1076
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3588, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 58.96.92.23/500, remote crypto endpt.: 60.242.142.249/500
path mtu 1487, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 20D724FD
current inbound spi : FD41A364

inbound esp sas:
spi: 0xFD41A364 (4248937316)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65536, crypto-map: DMAP-VPN
sa timing: remaining key lifetime (kB/sec): (4054976/21823)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x20D724FD (550970621)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 65536, crypto-map: DMAP-VPN
sa timing: remaining key lifetime (kB/sec): (3916589/21823)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Site B Router:

sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:16, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1336116309 60.242.142.249/500 58.96.92.23/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7632 sec
Child sa: local selector 10.10.11.0/0 - 10.10.11.255/65535
remote selector 10.10.10.0/0 - 10.10.10.255/65535
ESP spi in/out: 0x20d724fd/0xfd41a364

sh crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 60.242.142.249

access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.10.11.0 255.255.255.0 10.10.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 58.96.92.23


#pkts encaps: 1076, #pkts encrypt: 1076, #pkts digest: 1076
#pkts decaps: 3860, #pkts decrypt: 3860, #pkts verify: 3860
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1076, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 60.242.142.249/500, remote crypto endpt.: 58.96.92.23/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: FD41A364
current inbound spi : 20D724FD

inbound esp sas:
spi: 0x20D724FD (550970621)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 77824, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4100893/21141)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xFD41A364 (4248937316)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 77824, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4147136/21141)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

I have attached both router configs.

4 Replies

Hi,
Do you have a router connected to the inside interface of Site A and Site B ASA firewalls?
Can you confirm what your physical setup is, please?

If you are testing from the ASA itself, traffic will not originate from the inside interface (which is the network you've defined in your crypto ACL for interesting traffic). You should test by pinging through the VPN tunnel, to/from a device connected behind each ASA.

HTH

Hi Rob,

Thank you so much for your advice thus far. I have since connected a Cisco 1841 router to the inside interface of Site B and set its IP address to 10.10.11.100. I'm now using this device to ping 10.10.10.254, as I don't have any devices connected to the inside interface of the Site A router, so its protocol state is 'down'. This may be part of the problem, I'm not sure.

So you are pinging from the Site B router (behind the Site B ASA) over the VPN tunnel to Site A ASA's inside interface?
Configure the command "management-access inside" on Site A; this will allow you to manage (ping, SSH, ASDM, etc.) the ASA over a VPN tunnel.

As already mentioned you'd normally test connectivity by communicating through the ASA.

The first thing I suggest you do is configure the crypto access lists at Site B to be: access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-REMOTE-SITE-LAN object OBJ-MAIN-SITE-LAN

--
Please remember to select a correct answer and rate helpful posts
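As an added example (this is not code from the thread, from Cisco, or from either poster), the following Python script pulls the proxy identities, peer address and packet counters out of the two "sh crypto ipsec sa" outputs posted above and applies the checks the replies describe: the crypto ACLs at both ends must mirror each other, and both ASAs must show non-zero encaps and decaps before the tunnel itself can be ruled out. The two excerpts are constructed from the values posted in the thread, and the function names (parse_ipsec_sa, check_tunnel) are the example's own.

```python
"""Parse 'show crypto ipsec sa' output from both ends of an ASA site-to-site
tunnel and report whether the SA selectors mirror each other and whether ESP
is actually flowing in both directions.  Added example for this thread, not
code from the original post; the two excerpts are constructed from the
counters and selectors posted above."""
import re
from dataclasses import dataclass

# Constructed excerpts: the relevant lines from the Site A and Site B output
# posted in the thread, trimmed to what the checks below need.
SITE_A_OUTPUT = """\
Crypto map tag: DMAP-VPN, seq num: 10, local addr: 58.96.92.23
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
current_peer: 60.242.142.249
#pkts encaps: 3588, #pkts encrypt: 3588, #pkts digest: 3588
#pkts decaps: 1076, #pkts decrypt: 1076, #pkts verify: 1076
#send errors: 0, #recv errors: 0
"""

SITE_B_OUTPUT = """\
Crypto map tag: outside_map, seq num: 1, local addr: 60.242.142.249
local ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
current_peer: 58.96.92.23
#pkts encaps: 1076, #pkts encrypt: 1076, #pkts digest: 1076
#pkts decaps: 3860, #pkts decrypt: 3860, #pkts verify: 3860
#send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(
    r"^(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/", re.M
)


@dataclass
class IpsecSa:
    local_addr: str
    peer: str
    local_ident: str   # "network/mask" of the local proxy identity
    remote_ident: str  # "network/mask" of the remote proxy identity
    encaps: int        # packets this ASA encrypted into the tunnel
    decaps: int        # packets this ASA received and decrypted
    send_errors: int
    recv_errors: int


def _field(text: str, pattern: str) -> str:
    """Return group 1 of the first match, or fail loudly if the line is missing."""
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return m.group(1)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Extract the selectors, peer and packet counters from one SA entry."""
    idents = {kind: f"{net}/{mask}" for kind, net, mask in IDENT_RE.findall(text)}
    return IpsecSa(
        local_addr=_field(text, r"local addr: ([\d.]+)"),
        peer=_field(text, r"current_peer: ([\d.]+)"),
        local_ident=idents["local"],
        remote_ident=idents["remote"],
        encaps=int(_field(text, r"#pkts encaps: (\d+)")),
        decaps=int(_field(text, r"#pkts decaps: (\d+)")),
        send_errors=int(_field(text, r"#send errors: (\d+)")),
        recv_errors=int(_field(text, r"#recv errors: (\d+)")),
    )


def check_tunnel(a: IpsecSa, b: IpsecSa) -> list:
    """Return findings about the tunnel itself; an empty list means ESP flows
    both ways with mirrored selectors, so look at the endpoints, not the VPN."""
    findings = []
    if a.peer != b.local_addr or b.peer != a.local_addr:
        findings.append("peer addresses do not match between the two SAs")
    if a.local_ident != b.remote_ident or a.remote_ident != b.local_ident:
        findings.append(
            "crypto ACLs are not mirrored: "
            f"A {a.local_ident} -> {a.remote_ident}, B {b.local_ident} -> {b.remote_ident}"
        )
    for name, sa in (("A", a), ("B", b)):
        if sa.encaps == 0:
            findings.append(f"site {name} has encrypted nothing: no interesting traffic reaches its crypto map")
        if sa.decaps == 0:
            findings.append(f"site {name} has received no ESP from its peer")
        if sa.send_errors or sa.recv_errors:
            findings.append(f"site {name} reports send/recv errors on the SA")
    return findings


if __name__ == "__main__":
    site_a, site_b = parse_ipsec_sa(SITE_A_OUTPUT), parse_ipsec_sa(SITE_B_OUTPUT)
    for line in check_tunnel(site_a, site_b) or [
        "tunnel is healthy: test from a host behind each ASA, and use "
        "'management-access inside' if the target is the ASA's inside interface"
    ]:
        print(line)
```

Run against the posted counters the script reports no findings, which matches the replies: Site A encrypts and Site B decrypts, and vice versa, so packets are traversing the tunnel and the missing piece is the test itself (pinging an ASA's own inside interface rather than a host behind it, which needs "management-access inside"). The check flags the two faults that do surface in SA output, non-mirrored proxy identities and a zero encaps or decaps counter on one side.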