04-12-2017 08:04 AM
Hi,
I have recently set up a site to site IPSec VPN between two Cisco ASAs. However, I have only been seeing one way traffic on both ASAs - one added complication is that one of the endpoints sits one hop away from the ASA (see attached diagram).
When I ping from 10.1.0.2 to 10.2.0.2, I am seeing traffic counters on both ASAs VPN monitors increase, but only one way, there is no return traffic.
When I ping from 10.2.0.2 to 10.1.0.2, I do not see any traffic counters increase on either ASA.
I am able to ping from 10.2.0.2 to 172.22.100.30 (and back).
I am struggling to understand how traffic is not being passed over the VPN from the ASA 5512 back to the ASA 5505 as the configurations are near identical.
Please let me know if there is any more information I can provide.
-Gareth
04-25-2017 05:51 AM
5512:
CLL-ASA5512# packet-tracer input CUST-TEST-VPN tcp 172.22.100.29 80 10.1.0.2 8$
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (CUST-TEST-VPN,Internet) source static VPN-Test-Interface VPN-Test-Interface destination static VPN-Test-LAN VPN-Test-LAN no-proxy-arp
Additional Information:
NAT divert to egress interface Internet
Untranslate 10.1.0.2/80 to 10.1.0.2/80
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CUST-TEST-VPN_access_in in interface CUST-TEST-VPN
access-list CUST-TEST-VPN_access_in extended permit ip 172.22.100.28 255.255.255.252 object VPN-Test-LAN log
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffab823390, priority=13, domain=permit, deny=false
hits=26, user_data=0x7fffa6c9bd00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.22.100.28, mask=255.255.255.252, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=CUST-TEST-VPN, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (CUST-TEST-VPN,Internet) source static VPN-Test-Interface VPN-Test-Interface destination static VPN-Test-LAN VPN-Test-LAN no-proxy-arp
Additional Information:
Static translate 172.22.100.29/80 to 172.22.100.29/80
Forward Flow based lookup yields rule:
in id=0x7fffaae53170, priority=6, domain=nat, deny=false
hits=40, user_data=0x7fffab9f3710, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.22.100.28, mask=255.255.255.252, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=CUST-TEST-VPN, output_ifc=Internet
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa341a7f0, priority=1, domain=nat-per-session, deny=true
hits=778451, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffac124450, priority=0, domain=inspect-ip-options, deny=true
hits=40, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=CUST-TEST-VPN, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: inspect-pptp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect pptp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffac13b260, priority=70, domain=inspect-pptp, deny=false
hits=41, user_data=0x7fffab818f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=CUST-TEST-VPN, output_ifc=any
Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fffab845890, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0x7fffabf2bd70, reverse, flags=0x0, protocol=0
src ip/id=172.22.100.28, mask=255.255.255.252, port=0, tag=0
dst ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=Internet
Result:
input-interface: CUST-TEST-VPN
input-status: up
input-line-status: up
output-interface: Internet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
5505:
ciscoasa# packet-tracer input Inside tcp 10.1.0.2 80 172.22.100.29 80 detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0bbe48, priority=1, domain=permit, deny=false
hits=90, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.22.100.28 255.255.255.252 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside,outside) source static NETWORK_OBJ_10.1.0.0_24 NETWORK_OBJ_10.1.0.0_24 destination static VPN-Test-VRF VPN-Test-VRF no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 172.22.100.29/80 to 172.22.100.29/80
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in in interface Inside
access-list Inside_access_in extended permit ip object NETWORK_OBJ_10.1.0.0_24 object VPN-Test-VRF log
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc10fca0, priority=13, domain=permit, deny=false
hits=7, user_data=0xca0792f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.22.100.28, mask=255.255.255.252, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside,outside) source static NETWORK_OBJ_10.1.0.0_24 NETWORK_OBJ_10.1.0.0_24 destination static VPN-Test-VRF VPN-Test-VRF no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.0.2/80 to 10.1.0.2/80
Forward Flow based lookup yields rule:
in id=0xcc10c188, priority=6, domain=nat, deny=false
hits=74, user_data=0xcc10b838, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.22.100.28, mask=255.255.255.252, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xc826ac90, priority=1, domain=nat-per-session, deny=true
hits=717, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xcc0c1f38, priority=0, domain=inspect-ip-options, deny=true
hits=83, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside, output_ifc=any
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcca92240, priority=70, domain=encrypt, deny=false
hits=1, user_data=0xee2c4, cs_id=0xcc8cae10, reverse, flags=0x0, protocol=0
src ip/id=10.1.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=172.22.100.28, mask=255.255.255.252, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb993928, priority=12, domain=filter-aaa, deny=true
hits=70, user_data=0xca0797f0, filter_id=0x0(-implicit deny-), protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thanks,
Gareth
04-25-2017 06:27 AM
Please try to remove the vpn filter from both sites and test. Let me know how it goes.
-
AJ
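Added example, not code from any poster in this thread: a small Python parser for the packet-tracer output above that finds the phase which returned DROP and its lookup domain, so the filter-aaa drop on the 5505 (the vpn-filter AJ suggests removing) and the encrypt-phase drop on the 5512 can be picked out without reading every phase. The abridged sample is copied from the 5505 trace above; the HINTS text is my own reading of those domains, not ASA output.

```python
import re

# Abridged from the 5505 packet-tracer output posted in the thread
SAMPLE = """\
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
out id=0xcb993928, priority=12, domain=filter-aaa, deny=true
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
# My own hints for what each drop domain usually points at (not ASA output)
HINTS = {"filter-aaa": "vpn-filter on the group-policy/tunnel-group denies the flow",
         "encrypt": "dropped in the VPN encrypt phase: check crypto ACL and vpn-filter"}

def parse_packet_tracer(text):
    """Return (phases, verdict): one dict per phase plus the final Result block."""
    phases, verdict, cur, final = [], {}, None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":")[1]), "domain": None}
            phases.append(cur)
        elif line == "Result:":  # a bare 'Result:' opens the final verdict block
            final = True
        elif final and ":" in line:
            k, v = line.split(":", 1)
            verdict[k.strip()] = v.strip()
        elif cur is not None:
            for key in ("Type", "Subtype", "Result"):
                if line.startswith(key + ":"):
                    cur[key.lower()] = line.split(":", 1)[1].strip()
            m = re.search(r"domain=([\w-]+)", line)  # lookup domain of the matched rule
            if m:
                cur["domain"] = m.group(1)
    return phases, verdict

def first_drop(text):
    """Return the phase that dropped the packet, with the drop reason and a hint."""
    phases, verdict = parse_packet_tracer(text)
    for p in phases:
        if p.get("result") == "DROP":
            domain = p["domain"] or p.get("subtype", "")
            return {"phase": p["phase"], "type": p.get("type", ""), "domain": domain,
                    "reason": verdict.get("Drop-reason", ""),
                    "hint": HINTS.get(domain, "no hint for this domain")}
    return None  # every phase allowed the packet
```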
04-25-2017 06:56 AM
I just noticed something that surprises me. I am not sure whether it relates to the problem but want to ask about it. On the 5512 the crypto map specifies the peer address as if that address is static
crypto map Internet_map3 1 set peer <Cisco-5505-Public-IP>
But in the config posted for the 5505 the outside interface learns its IP using DHCP. When a device learns its outside IP using DHCP it usually means that the peer would have a dynamic crypto map entry to accommodate the dynamic IP. Can you confirm or comment on what I observe?
HTH
Rick