Can't get VPN Tunnel up on ASA

dbuckley77
Level 1

I'm having an issue getting a tunnel up between an ASA-5505 and a Palo Alto, and I'm pretty sure the issue is on the ASA. I ran packet-tracer on the ASA and saw "Drop-reason: (acl-drop) Flow is denied by configured rule". I have pasted the ASA config and packet-tracer output below.

XXXXXX-ASA-5505# sh run
: Saved
:
: Serial Number: XXXXXXXXXX
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.1(7)23
!
hostname XXXXXX-ASA-5505
domain-name XXXXXXXXX
enable password XXXXXXXX encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.50.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 50.xxx.xxx.xxx 255.255.255.252
!
boot system disk0:/asa917-23-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name XXXXXX
object network XXXXXXXXX
subnet 10.100.50.0 255.255.255.0
object network XXXXXXX
subnet 10.100.0.0 255.255.0.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_0.0.0.0
host 0.0.0.0
object-group network Allowed_XXXXXX
network-object 10.100.4.0 255.255.255.0
network-object 10.100.5.0 255.255.255.0
network-object 10.100.6.0 255.255.255.0
network-object 10.100.95.0 255.255.255.192
access-list vpn extended permit ip 10.100.50.0 255.255.255.0 object-group Allowed_XXXXXX
pager lines 24
logging enable
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static XXXXXX XXXXXXXXXX destination static XXXXXXXXX XXXXXXXXX no-proxy-arp route-lookup
!
object network XXXXXXXXX
nat (inside,outside) dynamic interface
object network obj_any
nat (inside,outside) dynamic obj_0.0.0.0
route outside 0.0.0.0 0.0.0.0 50.212.118.138 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set Trans1 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set Trans2 esp-aes esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 71.XXX.XXX.XXX
crypto map vpnmap 10 set ikev1 transform-set Trans2
crypto map vpnmap 10 set security-association lifetime seconds 14400
crypto map vpnmap interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh 10.100.50.0 255.255.255.0 inside
ssh 10.100.95.0 255.255.255.0 inside
ssh 10.100.6.0 255.255.255.0 inside
ssh 10.100.5.0 255.255.255.0 inside
ssh 71.X.X.X 255.255.255.224 outside
ssh timeout 25
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside

dhcpd dns 8.8.8.8 4.4.4.4
dhcpd lease 7200
!
dhcpd address 10.100.50.50-10.100.50.81 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption des-sha1
username admin password XXXX encrypted privilege 15
tunnel-group 71.XXX.XXX.XXX type ipsec-l2l
tunnel-group 71.XXX.XXX.XXX ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ec14ada55d611ccf79f726afacdd83cb
: end

XXXX-ASA-5505# packet-tracer input inside tcp 10.100.50.1 80 10.100.95.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,any) source static XXXXXXXXX-Data XXXXXXXXX-Data destination static XXXXX-Networks XXXX-Networks no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.100.95.1/80 to 10.100.95.1/80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
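Before chasing the packet-tracer drop, a practitioner would confirm that the two peers can agree on IKEv1 proposals at all, since a Phase 1 or Phase 2 mismatch keeps the tunnel down whatever packet-tracer shows. The following Python is an added example, not code from this thread, from Cisco or from Palo Alto. The ASA side is transcribed from the posted config: crypto ikev1 policy 10 (aes, sha, group 5, pre-share, 28800 s), and crypto map vpnmap 10, which binds only transform-set Trans2 (esp-aes esp-sha-hmac) and has no set pfs. The Palo Alto side is a constructed assumption chosen to illustrate a mismatch; the thread never shows the far-end settings.

```python
# Added example for this thread (not code from the thread, Cisco or Palo Alto):
# check whether two IKEv1 peers can agree on Phase 1 and Phase 2 proposals.
# ASA values are transcribed from the posted config. The Palo Alto values are a
# CONSTRUCTED assumption chosen to show a mismatch; the thread never shows them.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Phase1Policy:
    encryption: str      # "aes" (AES-128 on the ASA when no key size is given)
    hash: str            # "sha" or "md5"
    group: int           # Diffie-Hellman group
    authentication: str  # "pre-share" or "rsa-sig"
    lifetime: int        # seconds


@dataclass(frozen=True)
class Phase2Proposal:
    encryption: str           # ESP cipher
    integrity: str            # ESP integrity algorithm
    pfs_group: Optional[int]  # None means PFS disabled
    lifetime: int             # seconds


# ASA: "crypto ikev1 policy 10" and the only transform-set bound to crypto map
# vpnmap 10 (Trans2). Trans1 is defined but unused. No "set pfs" => PFS off.
ASA_PHASE1 = [Phase1Policy("aes", "sha", 5, "pre-share", 28800)]
ASA_PHASE2 = [Phase2Proposal("aes", "sha", None, 14400)]

# Palo Alto: constructed values. DH group 2 and PFS group 2 are what the
# Palo Alto default IKE and IPsec crypto profiles use, a common mismatch.
PA_PHASE1 = [Phase1Policy("aes", "sha", 2, "pre-share", 28800)]
PA_PHASE2 = [Phase2Proposal("aes", "sha", 2, 3600)]

# Attributes that must be identical. Lifetimes are deliberately excluded:
# IKEv1 peers settle on the shorter lifetime instead of failing.
P1_FIELDS = ("encryption", "hash", "group", "authentication")
P2_FIELDS = ("encryption", "integrity", "pfs_group")


def closest_mismatch(local, remote, fields):
    """Compare every local/remote proposal pair and return the attribute names
    that differ for the closest pair. An empty list means some pair agrees."""
    best = None
    for l in local:
        for r in remote:
            diff = [f for f in fields if getattr(l, f) != getattr(r, f)]
            if best is None or len(diff) < len(best):
                best = diff
    # No proposals on one side: nothing can match, report every attribute.
    return best if best is not None else list(fields)


def diagnose(local_p1, remote_p1, local_p2, remote_p2):
    """Say which phase would fail and on which attributes.

    PFS asymmetry is treated as a mismatch. That is conservative: an ASA with
    no "set pfs" accepts a PFS offer from a peer that initiates, but a tunnel
    the ASA itself initiates without PFS is refused by a peer that requires it.
    """
    p1 = closest_mismatch(local_p1, remote_p1, P1_FIELDS)
    if p1:
        return "Phase 1 cannot complete: mismatch on " + ", ".join(p1)
    p2 = closest_mismatch(local_p2, remote_p2, P2_FIELDS)
    if p2:
        return "Phase 1 completes but Phase 2 cannot: mismatch on " + ", ".join(p2)
    return "Proposals agree; look at the PSK, crypto ACL, NAT exemption or reachability instead"


if __name__ == "__main__":
    print(diagnose(ASA_PHASE1, PA_PHASE1, ASA_PHASE2, PA_PHASE2))
    # After aligning the constructed Palo Alto side to the ASA (group 5, PFS off):
    pa1 = [Phase1Policy("aes", "sha", 5, "pre-share", 28800)]
    pa2 = [Phase2Proposal("aes", "sha", None, 3600)]
    print(diagnose(ASA_PHASE1, pa1, ASA_PHASE2, pa2))
```

With the constructed Palo Alto values the check reports a Phase 1 DH group mismatch; once the group is aligned it moves on to report the PFS difference. On the ASA a Phase 1 failure of this kind shows up in debug crypto isakmp (or debug crypto ikev1) as proposals being rejected, which is the debug output Richard Burts asks for in his reply.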

5 Replies

ngkin2010
Level 7

Hi,

When you run the packet-tracer command, do not use the ASA's own IP address. Change it to another IP address, such as 10.100.50.2, and post the result again.

packet-tracer input inside tcp 10.100.50.2 80 10.100.95.1 80

After running the above packet-tracer, the ASA will try to negotiate IPsec with the remote peer. Please also post the output of the commands below:

show crypto ikev1 sa
show crypto ikev2 sa

Richard Burts
Hall of Fame

I understand the desire to hide sensitive information. But the way the original poster is masking things makes it very difficult to understand what is going on. For example, one frequent cause of symptoms like those described is a problem with the exemption of VPN traffic from address translation. What is posted is this:

nat (inside,any) source static XXXXXX XXXXXXXXXX destination static XXXXXXXXX XXXXXXXXX no-proxy-arp route-lookup

I have no idea whether this correctly exempts vpn traffic or not.

In addition to the requested show commands it might be helpful to see output of debug crypto isakmp from the ASA.

HTH

Rick

I did another packet trace from a host behind the ASA to a host behind the far-end firewall. 10.100.50.50 is behind the ASA and 10.100.95.11 is on the far end.

DPHCS-ASA-5505# packet-tracer input phdata tcp 10.100.50.50 80 10.100.95.11 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (phdata,any) source static PublichHealth-Data PublichHealth-Data destination static City-Networks City-Networks no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.100.95.11/80 to 10.100.95.11/80

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (phdata,any) source static PublichHealth-Data PublichHealth-Data destination static City-Networks City-Networks no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.50.50/80 to 10.100.50.50/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: phdata
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

dbuckley77
Level 1
Not sure why this response is empty; I assume it is an attempt to restart the discussion. Since the names that appear here are not found in the config posted earlier, would I be correct to assume that changes have been made to the config? If so, an updated copy of the config would be helpful.

In this packet trace at least the addresses are not masked, and it does allow us to understand some things. It does appear that the addresses are correctly exempted from address translation, and the problem seems to appear at the encryption stage. Perhaps an updated config might shed some light? If not, then I suggest that instead of focusing on packet trace you attempt to send an IP packet from the source to the destination after turning on debug for isakmp (and perhaps for ipsec), and let us see what negotiation takes place (or does not take place).

HTH

Rick
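Both traces in this thread end with the same generic text, Drop-reason: (acl-drop) Flow is denied by configured rule, but the phase that dropped the flow is what carries the diagnosis: an ACCESS-LIST drop with the ASA's own inside address as source in the first trace, and a VPN encrypt drop for a real host pair in the second. The following Python is an added example, not code from the thread or from Cisco. It parses the two posted traces, abridged here to the command echo, the dropping phase and the final summary, reports what each drop means, and checks the traced flow against access-list vpn from the posted config. Only the inside interface address is listed as an ASA address because the outside address is masked in the post.

```python
# Added example for this thread (not code from the thread or from Cisco):
# find which packet-tracer phase dropped a flow and check the flow against
# the crypto ACL. The traces are the two posted above, abridged to the
# command echo, the dropping phase and the final summary.
import ipaddress
import re

TRACE_INTERFACE_IP = """\
XXXX-ASA-5505# packet-tracer input inside tcp 10.100.50.1 80 10.100.95.1 80

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_HOST_IP = """\
DPHCS-ASA-5505# packet-tracer input phdata tcp 10.100.50.50 80 10.100.95.11 80

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# From the posted config. Only the inside address is listed because the outside
# address is masked. access-list vpn permits 10.100.50.0/24 to Allowed_XXXXXX.
ASA_INTERFACE_IPS = {"10.100.50.1"}
CRYPTO_ACL_SRC = [ipaddress.ip_network("10.100.50.0/24")]
CRYPTO_ACL_DST = [ipaddress.ip_network(n) for n in
                  ("10.100.4.0/24", "10.100.5.0/24", "10.100.6.0/24", "10.100.95.0/26")]

CMD_RE = re.compile(r"packet-tracer input (\S+) (\S+) (\S+) \S+ (\S+) \S+")
KEYS = ("Phase", "Type", "Subtype", "Result")


def parse_command(trace):
    """Interface, protocol, source and destination from the echoed command."""
    m = CMD_RE.search(trace)
    if not m:
        raise ValueError("no packet-tracer command line found")
    iface, proto, src, dst = m.groups()
    return {"iface": iface, "proto": proto, "src": src, "dst": dst}


def parse_phases(trace):
    """Split the trace into phases; free text under Config:/Additional
    Information: goes into 'detail'. The bare 'Result:' summary ends parsing."""
    phases, cur = [], None
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            cur = {"Phase": line.split(":", 1)[1].strip(), "detail": []}
            phases.append(cur)
        elif cur is None:
            continue
        elif line == "Result:":
            cur = None
        else:
            key, sep, val = line.partition(":")
            if sep and key in KEYS:
                cur[key] = val.strip()
            elif line and key not in ("Config", "Additional Information"):
                cur["detail"].append(line)
    return phases


def dropping_phase(trace):
    """The first phase whose Result is DROP, or None."""
    return next((p for p in parse_phases(trace) if p.get("Result") == "DROP"), None)


def crypto_acl_matches(src, dst):
    """True when src -> dst is covered by access-list vpn."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in n for n in CRYPTO_ACL_SRC) and any(d in n for n in CRYPTO_ACL_DST)


def diagnose(trace):
    """Human-readable findings for one packet-tracer run."""
    cmd, drop, findings = parse_command(trace), dropping_phase(trace), []
    if cmd["src"] in ASA_INTERFACE_IPS:
        findings.append("source is an ASA interface address; rerun with a host behind the ASA")
    if not crypto_acl_matches(cmd["src"], cmd["dst"]):
        findings.append("flow is not covered by crypto ACL vpn, so it would never be encrypted")
    if drop is None:
        findings.append("no phase dropped the flow")
    elif drop["Type"] == "ACCESS-LIST":
        rule = "the implicit deny" if "Implicit Rule" in drop["detail"] else "a configured ACL"
        findings.append(f"dropped in the ACCESS-LIST phase by {rule}")
    elif drop["Type"] == "VPN" and drop.get("Subtype") == "encrypt":
        findings.append("matched the crypto map but no IPsec SA existed to encrypt it; check "
                        "show crypto ikev1 sa and show crypto ipsec sa, then debug crypto ikev1")
    else:
        findings.append(f"dropped in the {drop['Type']} phase")
    return findings
```

Call diagnose() on any packet-tracer output pasted into a string; for the two posted traces it reports the interface-address problem plus the implicit deny for the first, and the missing IPsec SA for the second, with both flows inside the crypto ACL. The VPN encrypt finding is deliberately cautious: packet-tracer itself kicks off IKE negotiation, so a first run can drop in that phase simply because no SA existed yet. A drop that persists on a rerun a few seconds later, together with an empty show crypto ikev1 sa, points at a negotiation failure, which is where the isakmp debug suggested above comes in.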