ASA55xx Series Site-to-Site tunnel problem

itomercateo
Level 1

Hi guys,

I have a serious problem debugging a Site-to-Site VPN tunnel issue and hope to find some help here.

Let me first explain the preconditions:

The tunnel is established between an ASA5505 and an ASA5510. Both devices run the 8.4.1 software. On the ASA5510 site I use a B-Class network divided into several C-Class networks (172.20.0.0/16 divided into 172.20.10.0/24, 172.20.20.0/24 and so on). The other site is a smaller network with 172.16.1.1/28.

I created the tunnel-specific configuration on both sites and everything works fine: the tunnel comes up and traffic flows.

So far so good, but now the problem:

After adding one more C-Class network to the cryptomaps, no traffic flow was possible between this C-Class network and the other site; the other traffic flows like before. If I exchange this C-Class network for another one, everything is fine and traffic flows. If I substitute all the C-Class networks in my cryptomaps with the B-Class network, I am able to pass traffic from the non-working C-Class network to the other site.

So, only this one specific C-Class network won't work properly.

I began to debug this myself but got stuck at this point:

ciscoasa# packet-tracer input inside icmp 172.16.1.3 8 0 172.20.10.1 detailed

…#All other Phases passed with allowed.

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:

Additional Information:
Forward Flow based lookup yields rule:
out id=0xcb8e0270, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0xcb3d34f8, reverse, flags=0x0, protocol=0
src ip/id=172.16.1.0, mask=255.255.255.240, port=0
dst ip/id=172.20.10.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The other site's output is identical, except that src and dst are switched.

How can I find the rule that is the reason for the dropped packets? Do you have any other advice for me on debugging this problem?

Please let me know if any more info is needed.
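As an added example for the trace above (not from the thread and not Cisco code), a small Python script that parses the rule lines packet-tracer prints in its encrypt phase and checks whether the traced flow falls inside that rule's address scope on this side, whether the return direction falls inside the peer's rule, and whether the two proxy identities mirror each other. The peer's rule text is constructed here from the poster's statement that it is identical with src and dst switched; its id value is a placeholder.

```python
import ipaddress
import re

# Constructed from the packet-tracer output quoted in the post (this side).
LOCAL_RULE = """\
out id=0xcb8e0270, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0xcb3d34f8, reverse, flags=0x0, protocol=0
src ip/id=172.16.1.0, mask=255.255.255.240, port=0
dst ip/id=172.20.10.0, mask=255.255.255.0, port=0, dscp=0x0
"""
# Constructed from the post's statement that the peer's output is the same
# with src and dst switched (the id value here is a placeholder).
PEER_RULE = """\
out id=0x0, priority=70, domain=encrypt, deny=false
src ip/id=172.20.10.0, mask=255.255.255.0, port=0
dst ip/id=172.16.1.0, mask=255.255.255.240, port=0, dscp=0x0
"""

_HEAD = re.compile(r"domain=(\w+), deny=(true|false)")
_ADDR = re.compile(r"(src|dst) ip/id=([\d.]+), mask=([\d.]+)")

def parse_rule(text):
    """Extract domain, deny flag and src/dst networks (strict=False: host bits ok)."""
    head = _HEAD.search(text)
    addrs = {side: ipaddress.ip_network(f"{ip}/{mask}", strict=False)
             for side, ip, mask in _ADDR.findall(text)}
    if head is None or "src" not in addrs or "dst" not in addrs:
        raise ValueError("not a complete packet-tracer rule block")
    return {"domain": head.group(1), "deny": head.group(2) == "true", **addrs}

def flow_in_scope(rule, src, dst):
    """True when src and dst both fall inside the rule's address scope."""
    return (ipaddress.ip_address(src) in rule["src"]
            and ipaddress.ip_address(dst) in rule["dst"])

def rules_mirror(local, peer):
    """True when the peer's proxy identity exactly mirrors the local one."""
    return local["src"] == peer["dst"] and local["dst"] == peer["src"]

def check_flow(local_text, peer_text, src, dst):
    """Summarise what the two encrypt rules say about the flow src -> dst."""
    local, peer = parse_rule(local_text), parse_rule(peer_text)
    def permits(r, s, d):
        return r["domain"] == "encrypt" and not r["deny"] and flow_in_scope(r, s, d)
    return {"local_permits": permits(local, src, dst),
            "peer_permits_return": permits(peer, dst, src),
            "proxy_ids_mirror": rules_mirror(local, peer)}

if __name__ == "__main__":
    print(check_flow(LOCAL_RULE, PEER_RULE, "172.16.1.3", "172.20.10.1"))
```

For the traced flow all three checks come back true, which matches what the trace shows: the printed encrypt rule permits the flow, so that rule's address scope does not account for the acl-drop.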

1 Reply

itomercateo
Level 1

Problem solved by updating the software.
