ASA: VPN not encrypting Traffic

hashimwajid1
Level 3

Hi Experts,

We have a site-to-site tunnel between 2 ASA firewalls, and Site A is not doing encryption from source 10.255.220.0 to destination 192.168.177.0; everything else is fine.

 

                  Site A -------- S T S -------- Site B
                  ASA 5512                       ASA 5525
                  10.255.220.0                   192.168.177.0
                  10.255.204.0                   192.168.173.0
                  10.255.228.0

 

The VPN is up and all subnets are able to ping each other, but one subnet, 10.255.220.0 on Site A, is not pinging subnet 192.168.177.0 on Site B, and vice versa.

There is no connectivity between 10.255.220.0 and 192.168.177.0; everything else is working.

On Site A it shows that the firewall is not encrypting packets for 192.168.177.0 from the 10.255.220.0 subnet, but it is decrypting packets (which means it is receiving packets from 192.168.177.0 and decrypting them, but is not doing any encryption for the outgoing packets).

 

I have tried the following so far without success:

1- I checked ESP on both sides and it seems OK to me.

2- I issued these 2 commands, clear crypto isakmp sa and clear crypto ipsec sa, but no success.

3- I put the NAT statement on top, but no success.

4- In packet-tracer it shows the traffic going to the tunnel, and there is no issue in the packet-tracer output.

 

 

Below are the packet-tracer output and the IPsec SA output.

Site A firewall

 

 

SITE-A-FW# show crypto ipsec sa 

 

     

      access-list VPN-INTERSTING-TRAFIIC-TO-OSS extended permit ip 10.255.0.0 255.255.0.0 192.168.177.0 255.255.255.0

      local ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)

      current_peer: 2.2.2.2   (I changed the public IP)

 

 

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: 1.1.1.1/4500, remote crypto endpt.: 2.2.2.2/4500

      path mtu 1500, ipsec overhead 82(52), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: 8C833372

      current inbound spi : D4156C75

 

    inbound esp sas:

      spi: 0xD4156C75 (3558173813)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv2, }

         slot: 0, conn_id: 221184, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4101117/28717)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x000007FF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x8C833372 (2357408626)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv2, }

         slot: 0, conn_id: 221184, crypto-map: outside_map

         sa timing: remaining key lifetime (kB/sec): (4055040/28717)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

 

    Crypto map tag: outside_map, seq num: 5, local addr: 192.168.255.2

 

 

 

SITE B 

 

SITE-B-FW # sh crypto ipsec sa 

 

      access-list crypto-Toyota-Marketing extended permit ip 192.168.177.0 255.255.255.0 10.255.220.0 255.255.252.0

      local ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)

      current_peer: 1.1.1.1   (I changed the public IP)

 

 

      #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 106, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #TFC rcvd: 0, #TFC sent: 0

      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

      #send errors: 0, #recv errors: 0

 

      local crypto endpt.: 2.2.2.2/4500, remote crypto endpt.: 1.1.1.1/4500

      path mtu 1500, ipsec overhead 82(52), media mtu 1500

      PMTU time remaining (sec): 0, DF policy: copy-df

      ICMP error validation: disabled, TFC packets: disabled

      current outbound spi: D4156C75

      current inbound spi : 8C833372

 

    inbound esp sas:

      spi: 0x8C833372 (2357408626)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv2, }

         slot: 0, conn_id: 80916480, crypto-map: outside_map_1

         sa timing: remaining key lifetime (kB/sec): (4147200/28597)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

    outbound esp sas:

      spi: 0xD4156C75 (3558173813)

         transform: esp-aes-256 esp-sha-hmac no compression

         in use settings ={L2L, Tunnel,  NAT-T-Encaps, IKEv2, }

         slot: 0, conn_id: 80916480, crypto-map: outside_map_1

         sa timing: remaining key lifetime (kB/sec): (4101113/28595)

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

 

NAT Statement on SITE A Firewall

 

TMS-FW# show nat
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
translate_hits = 4468, untranslate_hits = 4470

 

Packet-tracer output on the Site A firewall

 

 

SITE-A-FW# packet-tracer input inside icmp 10.255.220.20 8 0 192.168.77.30 det

 

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa301ca00, priority=13, domain=capture, deny=false
hits=6061879, user_data=0x7fffa5a407f0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1d8cab0, priority=1, domain=permit, deny=false
hits=375243922, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 192.168.177.0 255.255.255.0 via 192.168.255.1, Outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside
Untranslate 192.168.177.30/0 to 192.168.177.30/0

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_OUT in interface Inside
access-list INSIDE_OUT extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1eb03d0, priority=13, domain=permit, deny=false
hits=5968890, user_data=0x7fff9e08a380, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
Additional Information:
Static translate 10.255.220.20/0 to 10.255.220.20/0
Forward Flow based lookup yields rule:
in id=0x7fffa3434200, priority=6, domain=nat, deny=false
hits=2181, user_data=0x7fffa3434810, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa13bae20, priority=0, domain=nat-per-session, deny=true
hits=6703064, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1d947a0, priority=0, domain=inspect-ip-options, deny=true
hits=7796434, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa37ec060, priority=70, domain=inspect-icmp, deny=false
hits=21715, user_data=0x7fffa2c269b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa1d94030, priority=66, domain=inspect-icmp-error, deny=false
hits=84425, user_data=0x7fffa1d935a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa2d67750, priority=70, domain=encrypt, deny=false
hits=138117, user_data=0x3174, cs_id=0x7fffa2709690, reverse, flags=0x0, protocol=0
src ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=Outside

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside,Outside) source static INET_NAT_10.255.220.0 INET_NAT_10.255.220.0 destination static OSI_US_VPN_REMOTE OSI_US_VPN_REMOTE no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffa2c29040, priority=6, domain=nat-reverse, deny=false
hits=2206, user_data=0x7fffa1a24430, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0
dst ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=Outside

Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff9b3f7ee0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=370621, user_data=0x4d94, cs_id=0x7fffa2709690, reverse, flags=0x0, protocol=0
src ip/id=192.168.177.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.255.220.0, mask=255.255.252.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa13bae20, priority=0, domain=nat-per-session, deny=true
hits=6703066, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fffa1deeda0, priority=0, domain=inspect-ip-options, deny=true
hits=7871295, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside, output_ifc=any

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7770088, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

 

1 Reply

Hi,
Can you ping a device on the 10.255.220.0/22 network from the local ASA?
Does the 10.255.220.0 network have a route via the local ASA? Is it directly connected, or is there a static route?

HTH
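As an added diagnostic for a thread like this one (not part of the original post, not the replier's suggestion, and not Cisco tooling), the script below cross-checks the two `show crypto ipsec sa` outputs posted above. It confirms the two SA blocks really are one pair (mirrored proxy identities, mirrored SPIs), notes where the crypto ACL is wider than the installed ident, and flags the one-way counter pattern seen here: Site A decrypts but never encrypts while Site B encrypts but never decrypts. The `SITE_A` / `SITE_B` strings are constructed, trimmed copies of the posted outputs; the field names and the wording of the findings are my own.

```python
"""Cross-check a pair of ASA `show crypto ipsec sa` outputs for one L2L tunnel.

Added example for the thread above: not Cisco code and not the poster's
configuration. SITE_A / SITE_B are constructed copies of the posted outputs.
"""
import re
from dataclasses import dataclass

SITE_A = """\
      access-list VPN-INTERSTING-TRAFIIC-TO-OSS extended permit ip 10.255.0.0 255.255.0.0 192.168.177.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)
      current_peer: 2.2.2.2
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 42, #pkts decrypt: 42, #pkts verify: 42
      current outbound spi: 8C833372
      current inbound spi : D4156C75
"""

SITE_B = """\
      access-list crypto-Toyota-Marketing extended permit ip 192.168.177.0 255.255.255.0 10.255.220.0 255.255.252.0
      local ident (addr/mask/prot/port): (192.168.177.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.255.220.0/255.255.252.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 106, #pkts encrypt: 106, #pkts digest: 106
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: D4156C75
      current inbound spi : 8C833372
"""


@dataclass
class IpsecSa:
    acl_src: str   # crypto ACL source as "net/mask"
    acl_dst: str   # crypto ACL destination as "net/mask"
    local: str     # negotiated local ident "net/mask"
    remote: str    # negotiated remote ident "net/mask"
    peer: str
    encaps: int    # cleartext packets this side encapsulated into ESP
    decaps: int    # ESP packets this side decapsulated
    out_spi: str
    in_spi: str


def _grab(pattern: str, text: str) -> tuple:
    m = re.search(pattern, text)
    if m is None:
        raise ValueError(f"field not found in SA output: {pattern}")
    return m.groups()


def parse_sa(text: str) -> IpsecSa:
    """Extract the fields a pairing check needs from one SA block."""
    acl_src, acl_dst = _grab(r"permit ip (\S+ \S+) (\S+ \S+)", text)
    ident = r" ident \(addr/mask/prot/port\): \(([\d.]+/[\d.]+)/\d+/\d+\)"
    (local,) = _grab("local" + ident, text)
    (remote,) = _grab("remote" + ident, text)
    (peer,) = _grab(r"current_peer: (\S+)", text)
    (encaps,) = _grab(r"#pkts encaps: (\d+)", text)
    (decaps,) = _grab(r"#pkts decaps: (\d+)", text)
    (out_spi,) = _grab(r"current outbound spi: ([0-9A-Fa-f]+)", text)
    (in_spi,) = _grab(r"current inbound spi\s*: ([0-9A-Fa-f]+)", text)
    return IpsecSa(acl_src.replace(" ", "/"), acl_dst.replace(" ", "/"),
                   local, remote, peer, int(encaps), int(decaps),
                   out_spi.upper(), in_spi.upper())


def diagnose(name_a: str, a: IpsecSa, name_b: str, b: IpsecSa) -> list:
    """Return findings: ERROR = not one SA pair, WARN = one-way traffic."""
    findings = []
    if a.local != b.remote or a.remote != b.local:
        findings.append(f"ERROR: proxy identities are not mirrored: {name_a} "
                        f"{a.local}<->{a.remote}, {name_b} {b.local}<->{b.remote}")
    if a.out_spi != b.in_spi or a.in_spi != b.out_spi:
        findings.append("ERROR: SPIs are not a matched pair; the two outputs "
                        "describe different SAs (or were taken across a rekey)")
    for me, mine, other, theirs in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        if mine.acl_src != mine.local:
            findings.append(f"INFO: {me}: crypto ACL source {mine.acl_src} is wider "
                            f"than the installed local ident {mine.local}; the "
                            f"selector was narrowed during negotiation")
        if mine.encaps == 0 and mine.decaps > 0:
            findings.append(f"WARN: {me}: decrypts ({mine.decaps} pkts) but never "
                            f"encrypts; cleartext from {mine.local} is not reaching "
                            f"the crypto map on {me}, so check {me}'s route, NAT and "
                            f"interface ACL for that subnet rather than {other}")
        if mine.encaps > 0 and theirs.decaps == 0:
            findings.append(f"WARN: {me} sent {mine.encaps} ESP pkts but {other} "
                            f"decrypted none; check the path between the peers")
    return findings


if __name__ == "__main__":
    for line in diagnose("Site A", parse_sa(SITE_A), "Site B", parse_sa(SITE_B)):
        print(line)
```

On the posted outputs this reports the SAs as a valid pair, notes that Site A's crypto ACL covers 10.255.0.0/16 while the installed ident is 10.255.220.0/22, and warns that Site A never encrypts. An encaps counter that stays at zero while the peer's encaps counter climbs means no cleartext packet from the local subnet was ever handed to that outbound SA. Packet-tracer does not contradict that: its ALLOW verdict is for a synthetic packet injected at the named interface, so it proves the policy would permit such a packet, not that the hosts' real packets arrive at the inside interface. That is the gap the reply's routing question is probing.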