527 Views, 0 Helpful, 9 Replies

Cannot ping remote site over Remote Access VPN

sabyasachi161 (Level 1)

Hi, I have a site-to-site tunnel running between an ASA 5520 (8.2(2)) and an ASA 5510 (8.2(2)).

The tunnel works fine and I can ping both ways.

I have a Remote Access VPN terminating on the 5520. Now I can ping anything within the 5520 but not across, i.e. nothing on the 5540.

Similarly, if I connect to the 5540 I can ping the 5540 but not the 5520.

I had done split tunnel previously, but now I pushed a default route and it's still the same.

When I do a debug icmp trace on the 5520 I see debugs when I ping the 5520, but no ICMP debugs when I ping the 5510.

I checked all the configuration but did not find anything.

Please help.

Config files are attached.

Okay, after a lot of debugging I found this in asp drop:

8: 13:22:07.610350 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
11: 13:22:10.992441 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
18: 13:22:15.719521 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation

I checked on the firewall and there is no resource or connection crunch.

privatis(config)# sh mem
Free memory:       348097056 bytes (65%)
Used memory:       188773856 bytes (35%)
-------------     ----------------
Total memory:      536870912 bytes (100%)

privatis(config)# sh resource usage
Resource              Current         Peak      Limit        Denied Context
SSH                         1            4          5             0 System
Conns                       6          325     280000             0 System
Xlates                      1          579        N/A             0 System
Hosts                      12          202        N/A             0 System

Not sure if this is a bug or something.

Accepted Solution

I just read the error more closely. It is complaining about a resource limitation.  As you note, there does not appear to be a resource limitation.  So perhaps we have a  software bug.  Can you upgrade to at least 8.4(7)?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s2.html

Name: unable-to-create-flow
Flow denied due to resource limitation:
This counter is incremented and the packet is dropped when flow creation fails due to
a system resource limitation. The resource limit may be either:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete
flow".
Recommendation:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command
"show resource usage".

9 Replies

Philip D'Ath (VIP Alumni)

You'll need to extend your site-to-site VPN to also include the pool of IP addresses used for the remote access VPN. Then you'll need to check your NAT rules.

Hi Philip,

Thanks for looking into this. I'm not sure if you have looked into the config yet.

Here are the snippets:

nat (inside) 0 access-list vpn-nat0

access-list vpn-nat0 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0

ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0

This is the crypto map:

crypto map cybertron 20 match address decepticons2
crypto map cybertron 20 set peer 207.166.133.2

access-list decepticons2 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0

Please note that both sites can access each other and the tunnel is up.

However, the remote users cannot ping the remote site but can ping the local site.

I still see the same errors.

Try adding this command:

same-security-traffic permit intra-interface

It's already added:

boot system disk0:/asa804-k8.bin
ftp mode passive
same-security-traffic permit inter-interface


I changed the VPN pool IP scope and that seems to have fixed the issue.

Earlier, this pool was overlapping with the inside IP scope, which caused the issue.

Dina Odeh (Level 1)

Hi,

I checked the config you did and so far it is fine on the ASA5520. Do you have a dynamic site-to-site between the two ASAs or a static site-to-site?

There is nothing dynamic here. The peers have been statically defined on each firewall.

Any thoughts?

NOTE: I added both same-security commands and there is no difference.

Hi,

Okay, I checked the config for the ASA5510 but I couldn't find any site-to-site tunnel with the 5520; that's why I asked if we have a dynamic one there.

Mainly, we need to add the VPN pool to the crypto ACL on the 5510 ASA to permit the traffic, and fix the NAT there as well.
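As an added example (not from this thread or from Cisco), the following Python check reproduces the two conditions the replies revolve around: whether the RA pool lies inside a directly connected subnet (the overlap the OP eventually found), and whether the nat 0 and crypto ACLs permit the whole pool to the remote subnet (Philip's and Dina's point). The inside interface address 10.10.80.1 and the replacement pool 10.10.90.1-50 are constructed values; the pool and ACL lines in the "before" config are the OP's snippets.

```python
import ipaddress
import re

# Constructed "before" config: the OP's pool and ACL lines, plus an ASSUMED
# inside interface address (not in the thread) that makes the overlap visible.
CFG_BEFORE = """
interface Ethernet0/1
 nameif inside
 ip address 10.10.80.1 255.255.254.0
ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0
access-list vpn-nat0 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0
access-list decepticons2 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0
"""

# Constructed "after" config: pool moved off the LAN, both ACLs extended for it.
CFG_AFTER = CFG_BEFORE.replace(
    "ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0",
    "ip local pool ra-pool 10.10.90.1-10.10.90.50 mask 255.255.255.0",
) + """
access-list vpn-nat0 extended permit ip 10.10.90.0 255.255.255.0 10.10.60.0 255.255.254.0
access-list decepticons2 extended permit ip 10.10.90.0 255.255.255.0 10.10.60.0 255.255.254.0
"""

def parse_pool(cfg):
    """Return (first, last) address of the 'ip local pool' range."""
    m = re.search(r"^ip local pool \S+ (\S+)-(\S+)", cfg, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def parse_interface_nets(cfg):
    """Directly connected subnets from ' ip address A.B.C.D MASK' lines."""
    return [ipaddress.ip_interface(f"{a}/{m}").network
            for a, m in re.findall(r"^ ip address (\S+) (\S+)", cfg, re.M)]

def parse_acl(cfg, name):
    """(src_net, dst_net) pairs from 'access-list NAME extended permit ip ...' entries."""
    pat = rf"^access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in re.findall(pat, cfg, re.M)]

def pool_overlaps_lan(cfg):
    """Interface subnets containing either end of the RA pool; should be empty."""
    lo, hi = parse_pool(cfg)
    return [str(n) for n in parse_interface_nets(cfg) if lo in n or hi in n]

def acl_covers_pool(cfg, name, remote_net):
    """True if a single ACE permits the whole pool to the remote site's subnet."""
    lo, hi = parse_pool(cfg)
    remote = ipaddress.ip_network(remote_net)
    return any(lo in s and hi in s and remote.subnet_of(d) for s, d in parse_acl(cfg, name))
```

Note that `acl_covers_pool` already returns True for the "before" config: the ACLs matched because the pool sat inside the LAN subnet, which is exactly why they looked correct while the flows were still dropped. The same two checks would need to be run against the 5510's mirror-image crypto ACL and nat 0 list.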
