ASA site to site VPN, anyconnect users cannot access remote site, unless remote site initialises the connection

Tim Jeens
Level 1

Hi All,

Slightly long title there, but this one is strange to me.

So:

I have an ASA site-to-site VPN to a remote office in the USA, from a UK office.

I have made it so AnyConnect users can access this remote site, and this works fine.

BUT... overnight it stops working and the AnyConnect users stop being able to access the remote site.

That is until I go on my UK office network, RDP to any USA server, and simply ping an AnyConnect user.

Then it all springs to life...

Does anyone have an idea what's going on, and how to fix it / keep it alive?

Ironically it only started doing this the other day, after a reload, even though I saved the config first.

Thanks,

Tim Jeens

4 Replies

balaji.bandi
Hall of Fame

On the ASA there are three modes regarding how the negotiation actually starts:

Answer-Only: Specifies that this peer only responds to inbound IKE connections first during the initial proprietary exchange to determine the appropriate peer to connect to.

Bidirectional (Default): Specifies that this peer can accept and originate connections based on this crypto map entry. This is the default connection type for all Site-to-Site connections. [Only if interesting traffic is matched]

Originate-Only: Specifies that this peer initiates the first proprietary exchange to determine the appropriate peer to connect to.

 

 

crypto map map-name seq-num set connection-type { answer-only | originate-only | bidirectional }

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c6.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi @Tim Jeens 

One end of the VPN tunnel could be configured to only respond (answer-only), which would mean the remote end has to send interesting traffic in order to establish the tunnel. What is the VPN configuration of your ASAs?

Tim Jeens
Level 1

Hi Guys,

Thanks for both of your prompt responses. I've extracted and modified the hopefully relevant pieces of my configs:

 

UK side:

object network inside-network
subnet 192.168.0.0 255.255.255.0

object network objvpnpool
subnet 192.168.20.0 255.255.255.0

object network remote-Network
subnet 10.10.10.0 255.255.255.0



access-list VPNINTERESTINGTRAFFIC extended permit ip object inside-network object remote-Network 
access-list VPNINTERESTINGTRAFFIC extended permit ip object objvpnpool object remote-Network 
access-list VPNINTERESTINGTRAFFIC extended permit icmp object objvpnpool object remote-Network 
access-list VPNINTERESTINGTRAFFIC extended permit tcp object objvpnpool object remote-Network 
access-list VPNINTERESTINGTRAFFIC extended permit ip object remote-Network object objvpnpool 
access-list VPNINTERESTINGTRAFFIC extended permit icmp object remote-Network object objvpnpool 
access-list VPNINTERESTINGTRAFFIC extended permit tcp object remote-Network object objvpnpool


nat (outside,outside) source static objvpnpool objvpnpool destination static remote-Network remote-Network no-proxy-arp route-lookup
nat (outside,outside) source static remote-Network remote-Network destination static objvpnpool objvpnpool no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1


crypto map crypto-map 1 match address VPNINTERESTINGTRAFFIC
crypto map crypto-map 1 set peer x.x.x.x
crypto map crypto-map 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map crypto-map interface outside

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxxxxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxxxxxxxx

 

 

------------------------------------------------------------------------

USA Side:

 

object network inside-network
subnet 10.10.10.0 255.255.255.0
object network UK-Network
subnet 192.168.0.0 255.255.255.0
object network UKobjvpnpool
subnet 192.168.20.0 255.255.255.0


access-list VPN-INTERESTING-TRAFFIC extended permit ip object inside-network object UK-Network 
access-list VPN-INTERESTING-TRAFFIC extended permit ip object inside-network object UKobjvpnpool

nat (inside,outside) source static inside-network inside-network destination static CDP-Network CDP-Network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static UKobjvpnpool UKobjvpnpool no-proxy-arp route-lookup

crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1


crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer x.x.x.x 
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxxxxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxxxxxxxx

Thanks,

 

Tim Jeens

 

 

By default it should be bidirectional.

As per the config, I don't see anything configured, so it should be bidirectional.

No harm adding that command in the crypto map and testing:

crypto map map-name seq-num set connection-type { answer-only | originate-only | bidirectional }

Note: another option is to set up a monitoring system that does an SNMP walk or a node ping test so the tunnel does not drop.

BB

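The two checks the replies above suggest (whether either crypto map carries a non-default connection-type, and whether the two interesting-traffic ACLs are mirror images of each other), as an added example that is not part of the original thread and not Cisco tooling. It parses the two sanitized config excerpts posted in the thread, embedded here as constructed sample input; the x.x.x.x peer, ACL and object names are the thread's own. The parser only understands the object, object-based ACL, twice-NAT and crypto map lines in the form posted, and what it reports (an entry the peer does not mirror, an object name nothing defines) is a finding to review, not a diagnosis of the original fault.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the sanitized excerpts posted above, trimmed to the
# lines this check parses ('x.x.x.x' and the object names are the thread's own).
UK_CONFIG = """
object network inside-network
 subnet 192.168.0.0 255.255.255.0
object network objvpnpool
 subnet 192.168.20.0 255.255.255.0
object network remote-Network
 subnet 10.10.10.0 255.255.255.0
access-list VPNINTERESTINGTRAFFIC extended permit ip object inside-network object remote-Network
access-list VPNINTERESTINGTRAFFIC extended permit ip object objvpnpool object remote-Network
access-list VPNINTERESTINGTRAFFIC extended permit icmp object objvpnpool object remote-Network
access-list VPNINTERESTINGTRAFFIC extended permit tcp object objvpnpool object remote-Network
access-list VPNINTERESTINGTRAFFIC extended permit ip object remote-Network object objvpnpool
access-list VPNINTERESTINGTRAFFIC extended permit icmp object remote-Network object objvpnpool
access-list VPNINTERESTINGTRAFFIC extended permit tcp object remote-Network object objvpnpool
crypto map crypto-map 1 match address VPNINTERESTINGTRAFFIC
"""
USA_CONFIG = """
object network inside-network
 subnet 10.10.10.0 255.255.255.0
object network UK-Network
 subnet 192.168.0.0 255.255.255.0
object network UKobjvpnpool
 subnet 192.168.20.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object inside-network object UK-Network
access-list VPN-INTERESTING-TRAFFIC extended permit ip object inside-network object UKobjvpnpool
nat (inside,outside) source static inside-network inside-network destination static CDP-Network CDP-Network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static UKobjvpnpool UKobjvpnpool no-proxy-arp route-lookup
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit (\S+) object (\S+) object (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set connection-type) (\S+)")
NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


@dataclass
class AsaConfig:
    objects: dict = field(default_factory=dict)      # object name -> ip_network
    acls: dict = field(default_factory=dict)         # ACL name -> [(proto, src_obj, dst_obj)]
    crypto_maps: dict = field(default_factory=dict)  # (map, seq) -> {'match': acl, 'connection-type': ...}
    nat_refs: list = field(default_factory=list)     # object names used by twice-NAT rules


def parse_asa(text):
    cfg, current = AsaConfig(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
        elif line.startswith("subnet ") and current:
            _, addr, mask = line.split()
            cfg.objects[current] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif m := ACL_RE.match(line):
            cfg.acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := MAP_RE.match(line):
            key = "match" if m[3] == "match address" else "connection-type"
            cfg.crypto_maps.setdefault((m[1], int(m[2])), {})[key] = m[4]
        elif m := NAT_RE.match(line):
            cfg.nat_refs.extend(m.groups())
    return cfg


def connection_type(cfg, map_name, seq):
    """The ASA behaves as bidirectional when no 'set connection-type' is configured."""
    return cfg.crypto_maps.get((map_name, seq), {}).get("connection-type", "bidirectional")


def undefined_references(cfg):
    """Object names used by ACLs or NAT rules that no 'object network' in the text defines."""
    used = set(cfg.nat_refs)
    for entries in cfg.acls.values():
        used.update(name for _, src, dst in entries for name in (src, dst))
    return sorted(used - set(cfg.objects))


def crypto_entries(cfg):
    """Each crypto map's interesting-traffic ACL resolved to (proto, src_net, dst_net)."""
    return [(proto, cfg.objects[src], cfg.objects[dst])
            for entry in cfg.crypto_maps.values()
            for proto, src, dst in cfg.acls.get(entry.get("match"), [])
            if src in cfg.objects and dst in cfg.objects]


def mirror_gaps(local, remote):
    """Local crypto ACL entries the peer does not mirror; a peer 'permit ip' covers any protocol."""
    remote_set = set(crypto_entries(remote))
    return [(proto, str(src), str(dst)) for proto, src, dst in crypto_entries(local)
            if (proto, dst, src) not in remote_set and ("ip", dst, src) not in remote_set]


def report(name, cfg, peer):
    lines = [f"{name}: crypto map {m} {s} connection-type {connection_type(cfg, m, s)}"
             for m, s in cfg.crypto_maps]
    lines += [f"{name}: peer has no mirror for {p} {src} -> {dst}" for p, src, dst in mirror_gaps(cfg, peer)]
    lines += [f"{name}: references undefined object {o}" for o in undefined_references(cfg)]
    return lines


if __name__ == "__main__":
    uk, usa = parse_asa(UK_CONFIG), parse_asa(USA_CONFIG)
    print("\n".join(report("UK", uk, usa) + report("USA", usa, uk)))
```

Run against the excerpts above it reports both crypto maps as bidirectional (nothing is set, which matches the reply), the three UK entries whose source is the remote 10.10.10.0/24 network as having no mirror on the USA side, and the USA NAT rule that refers to CDP-Network, which no object in the posted excerpt defines. On a real pair of firewalls, feed it the relevant portion of `show running-config` from each side; the regexes expect object-based ACL entries and twice-NAT rules written in the form posted here.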