807 Views, 0 Helpful, 3 Replies

ASA NEM local ident problems

Daniel Leonard
Level 1

Hello,

I have some strange problems with multiple ASA (NEM) VPN remote clients (v8.4.5). At HQ I have an ASA5510 (v8.4.5) with multiple NEMs connected to it. The group policy used at HQ is configured for split tunneling. Now here's the problem:

The remote ASA (NEM) easily constructs a VPN connection to the main location; it seems that everything works well. Traffic through most of the tunneled networks works perfectly. Traffic to certain subnets or hosts gets me into trouble: there is no traffic flowing through the tunnel at all!

When using the command "show crypto ipsec sa | i caps|ident|spi" I can see all of the tunneled subnets. The subnets that work perfectly give me the correct "local and remote ident" output. The subnets with problems give me wrong values in the "remote ident". The remote ident should be the IP address of the inside LAN (of the remote NEM) and not the IP address of the outside interface (of the remote NEM). How is this possible?

I hope someone can help me with this problem.

Here is the crypto ipsec sa output:

Result of the command: "show crypto ipsec sa | i caps|ident|spi"

      local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0) <-- this is the good subnet of the inside interface (NEM)
      remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0) <-- this is the good subnet (HQ)
      #pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712
      #pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      current outbound spi: A4FA947A
      current inbound spi : ECCDFE4D
      spi: 0xECCDFE4D (3972922957)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
      spi: 0xA4FA947A (2767885434)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

      local ident (addr/mask/prot/port): (192.168.2.225/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.100.5.94/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      current outbound spi: 04E59B87
      current inbound spi : B376C5E2
      spi: 0xB376C5E2 (3010905570)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
      spi: 0x04E59B87 (82156423)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

      local ident (addr/mask/prot/port): (192.168.2.225/255.255.255.255/0/0) <-- this is the wrong subnet (it's the IP address of the outside interface!!! it must be 10.200.60.0/255.255.255.0)
      remote ident (addr/mask/prot/port): (10.100.5.254/255.255.255.255/0/0) <-- this is the good subnet (HQ)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      current outbound spi: 1A41E2BD
      current inbound spi : 3CEAE27E
      spi: 0x3CEAE27E (1022026366)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
      spi: 0x1A41E2BD (440525501)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

Please rate or mark answered for helpful posts.        
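The symptom in the post above (an SA whose local ident is the NEM's outside interface /32 with zero packet counters, instead of the inside LAN) is easy to miss in a long listing. The following is an added example, not code from the thread or from Cisco: it parses the filtered "show crypto ipsec sa | i caps|ident|spi" output into one record per SA and flags any SA whose local ident is the outside interface host address rather than an expected inside network. The sample listing is constructed from the addresses in the post, and the assumption that 192.168.2.225 is the outside interface and 10.200.60.0/24 the only inside network comes from the poster's own annotations.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: an abridged listing in the format of
# "show crypto ipsec sa | i caps|ident|spi", using the addresses quoted in the
# thread above (the per-direction "spi: 0x..." lines are omitted for brevity).
SAMPLE_OUTPUT = """\
      local ident (addr/mask/prot/port): (10.200.60.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.100.2.2/255.255.255.255/0/0)
      #pkts encaps: 54712, #pkts encrypt: 54712, #pkts digest: 54712
      #pkts decaps: 31893, #pkts decrypt: 31893, #pkts verify: 31893
      current outbound spi: A4FA947A
      current inbound spi : ECCDFE4D
      local ident (addr/mask/prot/port): (192.168.2.225/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.100.5.94/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 04E59B87
      current inbound spi : B376C5E2
      local ident (addr/mask/prot/port): (192.168.2.225/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.100.5.254/255.255.255.255/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 1A41E2BD
      current inbound spi : 3CEAE27E
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")
# The ASA prints "current inbound spi : X" with a space before the colon, so \s* is needed.
CURRENT_SPI_RE = re.compile(r"current (outbound|inbound) spi\s*: ([0-9A-Fa-f]+)")


@dataclass
class IpsecSa:
    """One IPsec SA pair as reported by the ASA (one local/remote ident block)."""
    local_addr: str
    local_mask: str
    remote_addr: str = ""
    remote_mask: str = ""
    encaps: int = 0
    decaps: int = 0
    outbound_spi: str = ""
    inbound_spi: str = ""


def parse_ipsec_sas(text: str) -> List[IpsecSa]:
    """Split the filtered output into SA records; each 'local ident' line starts a new one."""
    sas: List[IpsecSa] = []
    current: Optional[IpsecSa] = None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, _proto, _port = m.groups()
            if side == "local":
                current = IpsecSa(local_addr=addr, local_mask=mask)
                sas.append(current)
            elif current is not None:
                current.remote_addr, current.remote_mask = addr, mask
            continue
        if current is None:
            continue  # counters before the first ident line belong to nothing we track
        if m := ENCAPS_RE.search(line):
            current.encaps = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            current.decaps = int(m.group(1))
        elif m := CURRENT_SPI_RE.search(line):
            direction, spi = m.groups()
            if direction == "outbound":
                current.outbound_spi = spi
            else:
                current.inbound_spi = spi
    return sas


def find_suspect_sas(
    sas: List[IpsecSa], outside_ip: str, inside_networks: Set[Tuple[str, str]]
) -> List[IpsecSa]:
    """Return SAs whose local ident is the outside interface host address (/32)
    instead of one of the inside networks the NEM is expected to extend."""
    suspects = []
    for sa in sas:
        if (sa.local_addr, sa.local_mask) in inside_networks:
            continue
        if sa.local_addr == outside_ip and sa.local_mask == "255.255.255.255":
            suspects.append(sa)
    return suspects


def summarize(sas: List[IpsecSa]) -> List[str]:
    """One human-readable line per SA, useful when eyeballing a long listing."""
    return [
        f"{sa.local_addr}/{sa.local_mask} -> {sa.remote_addr}/{sa.remote_mask}: "
        f"encaps={sa.encaps} decaps={sa.decaps} spi out={sa.outbound_spi} in={sa.inbound_spi}"
        for sa in sas
    ]


if __name__ == "__main__":
    sas = parse_ipsec_sas(SAMPLE_OUTPUT)
    # Assumption (from the poster's annotations): 192.168.2.225 is the NEM's outside
    # interface and 10.200.60.0/24 is the only inside network it should be extending.
    bad = find_suspect_sas(sas, "192.168.2.225", {("10.200.60.0", "255.255.255.0")})
    for line in summarize(bad):
        print("suspect SA:", line)
```

Feed it the real listing from the NEM (or the hub) and pass the hub's view of the expected inside networks; any SA it flags is a tunnel the hub will accept traffic for from the wrong source, which is the first thing to check before touching the Easy VPN configuration.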
3 Replies

Daniel Leonard
Level 1

Is there anyone who can help me with this?

Please rate or mark answered for helpful posts.

Did you find a solution to this? I am having the same issue - VPN client connects and the "local ident" shows the same address as the outside interface. Can't figure out why.

Hi Nate,

 

You can try to check "clear tunneled management" (advanced easy VPN properties).

It is not clear to me, but a useful fix.

 

Please rate or mark answered for helpful posts.