12-12-2013 08:55 AM - edited 02-21-2020 07:23 PM
Hi,
I am getting a very weird issue over a VPN:
Headend: ASA5510
Encrypted networks:
172.21.160.0/24
172.21.161.0/24
172.21.190.0/24
Remote: 3560-X
(Originally I had it as any network, as I wanted all traffic outbound from the remote site to come through the VPN. I have now changed this to the below, but I would like to put it back to 'any'.)
10.0.0.0/8
Phase 1 up
Phase 2 up
I can ping from a host at the headend to the remote site SVIs no problem, but I can't ping from the headend to any device attached to the switch. The devices attached to the switch are currently phones and wireless APs, but I have had the same result using a Windows laptop.
I have checked all the configuration a hundred times and just can't understand it. Has anyone seen this issue before?
Important bits of config below:
Headend 5510:
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy LDN-GP
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
group-policy LDN-GP internal
group-policy LDN-GP attributes
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec
crypto map outside_map 50 match address LDN-CRYPTO-ACL
crypto map outside_map 50 set peer 2.2.2.2
crypto map outside_map 50 set transform-set ESP-AES-256-SHA
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.160.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.161.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.190.0 255.255.255.0
nat (inside,outside) source static S-NETWORKS S-NETWORKS destination static LDN-NETWORKS LDN-NETWORKS
object network S-NETWORKS
subnet 10.0.0.0 255.0.0.0
object network LDN-NETWORKS
subnet 172.21.160.0 255.255.224.0
sysopt connection permit-vpn
Remote 3560:
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp key XXX address 1.1.1.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
!
crypto map HEAD-OFFICE 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set ESP-AES-SHA
match address HEAD-OFFICE-CRYPTO-ACL
ip access-list extended HEAD-OFFICE-CRYPTO-ACL
permit ip 172.21.160.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.21.161.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.21.190.0 0.0.0.255 10.0.0.0 0.255.255.255
The routing table is showing all connected networks and the default route to the ISP gateway, so traffic going to 10.0.0.0/8 should use the default route.
No NATing is configured, as I don't want local breakout (and the 3560 doesn't support it).
All ACLs have been removed from the interfaces.
I do have auto QoS configured; I have not changed any of the defaults.
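As an added check that is not part of the thread: the script below parses the two posted crypto ACLs (ASA netmask form and IOS wildcard form), confirms they are exact mirror images, and confirms the ASA's identity-NAT (NAT exemption) objects, 10.0.0.0/8 and 172.21.160.0/19 as posted, cover every protected pair. The ACL text is copied from the post; the Python is mine and assumes network/mask or 'any' entries only.

```python
from ipaddress import IPv4Network
# Constructed from the crypto ACLs posted in the thread (headend ASA, remote IOS).
ASA_ACL = """
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.160.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.161.0 255.255.255.0
access-list LDN-CRYPTO-ACL extended permit ip 10.0.0.0 255.0.0.0 172.21.190.0 255.255.255.0
"""
IOS_ACL = """
permit ip 172.21.160.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.21.161.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 172.21.190.0 0.0.0.255 10.0.0.0 0.255.255.255
"""

def _take_network(tokens, i, wildcard):
    """Consume one address spec ('any' or 'addr mask') at tokens[i]. IOS uses inverted
    wildcard masks, ASA ordinary netmasks; strict parsing rejects host bits set."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    addr, mask = tokens[i], tokens[i + 1]
    if wildcard:
        mask = ".".join(str(255 - int(o)) for o in mask.split("."))
    return IPv4Network(f"{addr}/{mask}"), i + 2

def parse_acl(text, wildcard):
    """Return the set of (src, dst) network pairs from 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        t = line.split()
        if "permit" not in t or "ip" not in t:
            continue
        i = t.index("ip") + 1
        src, i = _take_network(t, i, wildcard)
        dst, _ = _take_network(t, i, wildcard)
        pairs.add((src, dst))
    return pairs

def mirror_mismatches(headend, remote):
    """Flip the remote ACL and diff it; both returned sets must be empty for a clean mirror."""
    flipped = {(dst, src) for src, dst in remote}
    return headend - flipped, flipped - headend

def uncovered_by_nat_exemption(headend, local_obj, remote_obj):
    """Headend entries not fully inside the identity-NAT (NAT exemption) objects."""
    local, remote = IPv4Network(local_obj), IPv4Network(remote_obj)
    return {(s, d) for s, d in headend
            if not (s.subnet_of(local) and d.subnet_of(remote))}

if __name__ == "__main__":
    hq, br = parse_acl(ASA_ACL, wildcard=False), parse_acl(IOS_ACL, wildcard=True)
    print("mirror mismatches:", mirror_mismatches(hq, br))
    print("not NAT-exempt:", uncovered_by_nat_exemption(hq, "10.0.0.0/8", "172.21.160.0/19"))
```

A non-empty mismatch set means Phase 2 may still come up for the matching entries while the odd one silently never builds an SA; a non-empty NAT set means traffic for that pair is translated before it reaches the crypto map.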
12-12-2013 09:48 AM
Please paste the output of
sh cry isa sa
sh crypto ipsec sa
from both the devices
Do you mean to say you have configured NAT, or configured NO NAT, or did not configure NO NAT at all? I was not able to understand that.
12-13-2013 02:00 AM
Thanks a lot for your reply. Unfortunately I don't have access to the kit right now, but as I said, phase 1 is up, so that's what sh crypto isakmp will show, and phase 2 is up for each subnet; I can see decaps and encaps on both ends.
In regards to NAT: I have NONATs configured on the ASA and do not have NAT configured on the 3560 at all.
A colleague has mentioned that it could be a platform limitation, which is what I suspected. I think the reason that I can configure the tunnel and it comes up is because the platform does support IPsec for management-plane traffic; this would explain why I can get to the switch's SVIs and nothing else.
I will update the post once I have tested using something else.