07-09-2016 11:07 PM - edited 02-21-2020 08:53 PM
Hi, I've a site-to-site tunnel running between an ASA 5520 and an ASA 5510, both on 8.2(2) code.
The tunnel works fine and I can ping both ways.
I've a remote access VPN terminating on the 5520. Now I can ping anything within the 5520 but not across, i.e. nothing on the 5540.
Similarly, if I connect to the 5540 I can ping the 5540 but not the 5520.
I had done split tunnel previously, but now I pushed a default route and it is still the same.
When I do a debug icmp trace on the 5520 I see debugs when I ping the 5520, but no ICMP debugs when I ping the 5510.
I checked all the configuration but did not find anything.
Please help.
Config files are attached.
Okay, after huge debugging I found this in asp drop:
8: 13:22:07.610350 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
11: 13:22:10.992441 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
18: 13:22:15.719521 10.10.80.201 > 10.10.60.1: icmp: echo request Drop-reason: (unable-to-create-flow) Flow denied due to resource limitation
I checked on the firewall and there is no resource or connection crunch:
privatis(config)# sh mem
Free memory: 348097056 bytes (65%)
Used memory: 188773856 bytes (35%)
------------- ----------------
Total memory: 536870912 bytes (100%)
privatis(config)# sh resource usage
Resource   Current   Peak   Limit    Denied   Context
SSH        1         4      5        0        System
Conns      6         325    280000   0        System
Xlates     1         579    N/A      0        System
Hosts      12        202    N/A      0        System
Not sure if this is a bug or something.
07-10-2016 02:15 PM
You'll need to extend your site-to-site VPN to also include the pool of IP addresses used for the remote access VPN. Then you'll need to check your NAT rules.
07-14-2016 09:10 AM
Hi Philip,
Thanks for looking into this. I'm not sure if you have looked into the config yet.
Here are the snippets:
nat (inside) 0 access-list vpn-nat0
access-list vpn-nat0 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0
ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0
This is the crypto map:
crypto map cybertron 20 match address decepticons2
crypto map cybertron 20 set peer 207.166.133.2
access-list decepticons2 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0
Please note that both sites can access each other and the tunnel is up.
However, the remote users cannot ping the remote site but can ping the local site.
I still see the same errors.
07-14-2016 02:07 PM
Try adding this command:
same-security-traffic permit intra-interface
07-15-2016 04:00 AM
It's already added:
boot system disk0:/asa804-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
07-15-2016 11:54 PM
I just read the error more closely. It is complaining about a resource limitation. As you note, there does not appear to be a resource limitation. So perhaps we have a software bug. Can you upgrade to at least 8.4(7)?
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/s2.html
Name: unable-to-create-flow
Flow denied due to resource limitation:
This counter is incremented and the packet is dropped when flow creation fails due to
a system resource limitation. The resource limit may be either:
1) system memory
2) packet block extension memory
3) system connection limit
Causes 1 and 2 will occur simultaneously with flow drop reason "No memory to complete
flow".
Recommendation:
- Observe if free system memory is low.
- Observe if flow drop reason "No memory to complete flow" occurs.
- Observe if connection count reaches the system connection limit with the command
"show resource usage".
03-06-2017 12:13 AM
I changed the VPN pool IP scope and that seems to have fixed the issue.
Earlier this pool was overlapping with the inside IP scope, which caused the issue.
07-15-2016 09:34 AM
Hi,
I checked the config you did and so far they are fine on the ASA5520. Do you have a dynamic site-to-site between the two ASAs or a static site-to-site?
07-15-2016 10:31 PM
There is nothing dynamic here. The peers have been statically defined on each firewall.
Any thoughts?
NOTE: I added both same-security commands and there is no difference.
07-16-2016 01:18 AM
Hi,
Okay, I checked the config for the ASA5510 but I couldn't find any site-to-site tunnel with the 5520; that's why I asked if we have a dynamic one there.
Mainly, we need to add the crypto ACL on the 5510 ASA to permit the traffic to the VPN pool and fix NAT there also.
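As an added example (not code from this thread or from Cisco), the following Python script lints the ASA snippets posted above for the three things the thread turned on: the remote-access pool overlapping the inside subnet (the fix the original poster reported), the 5510 crypto ACL not mirroring the 5520 side once the pool is included, and the nat 0 exemption not covering pool-to-remote-LAN traffic. The inside interface address 10.10.80.1/23, the relocated pool 10.10.90.x, and the 5510-side crypto map entry and ACL name "autobots" are assumptions, since the thread never shows them; the other lines are the ones posted.

```python
"""Lint ASA site-to-site + remote-access snippets for the three faults in the thread:
   1. RA pool overlapping a directly connected interface subnet,
   2. crypto ACL on one peer not mirrored on the other (pool included),
   3. nat 0 exemption ACL not covering pool -> remote LAN."""
import ipaddress
import re

# Constructed sample configs. Lines marked ASSUMED are not in the thread.
ASA5520_BEFORE = """
interface GigabitEthernet0/1
 nameif inside
 ip address 10.10.80.1 255.255.254.0
nat (inside) 0 access-list vpn-nat0
access-list vpn-nat0 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0
ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0
crypto map cybertron 20 match address decepticons2
crypto map cybertron 20 set peer 207.166.133.2
access-list decepticons2 extended permit ip 10.10.80.0 255.255.254.0 10.10.60.0 255.255.254.0
"""
# ASSUMED: pool moved out of the inside /23 and added to both ACLs.
ASA5520_AFTER = ASA5520_BEFORE.replace(
    "ip local pool ra-pool 10.10.80.200-10.10.80.250 mask 255.255.254.0",
    "ip local pool ra-pool 10.10.90.200-10.10.90.250 mask 255.255.255.0",
) + """
access-list vpn-nat0 extended permit ip 10.10.90.0 255.255.255.0 10.10.60.0 255.255.254.0
access-list decepticons2 extended permit ip 10.10.90.0 255.255.255.0 10.10.60.0 255.255.254.0
"""
# ASSUMED 5510 side: mirrors the LANs but not the relocated pool.
ASA5510_BEFORE = """
interface Ethernet0/1
 nameif inside
 ip address 10.10.60.1 255.255.254.0
crypto map cybertron 10 match address autobots
access-list autobots extended permit ip 10.10.60.0 255.255.254.0 10.10.80.0 255.255.254.0
"""
ASA5510_AFTER = ASA5510_BEFORE + """
access-list autobots extended permit ip 10.10.60.0 255.255.254.0 10.10.90.0 255.255.255.0
"""

ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
CRYPTO_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)", re.M)


def _net(addr, mask):
    # Accepts "10.10.80.1/255.255.254.0"; strict=False drops host bits.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def interface_networks(cfg):
    return [_net(a, m) for a, m in ADDR_RE.findall(cfg)]


def pools(cfg):
    """name -> (first, last) address of each 'ip local pool'."""
    return {n: (ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
            for n, lo, hi, _mask in POOL_RE.findall(cfg)}


def acl(cfg, name):
    """(src_net, dst_net) pairs of the named extended ACL ('permit ip' lines only)."""
    return [(_net(s, sm), _net(d, dm))
            for n, s, sm, d, dm in ACL_RE.findall(cfg) if n == name]


def pool_overlaps(cfg):
    """Pools whose range lands inside a connected interface subnet."""
    return [(name, str(net))
            for name, (lo, hi) in pools(cfg).items()
            for net in interface_networks(cfg) if lo in net or hi in net]


def crypto_acl(cfg):
    """All entries of every ACL referenced by a 'crypto map ... match address'."""
    return [e for n in CRYPTO_RE.findall(cfg) for e in acl(cfg, n)]


def unmirrored(local_cfg, remote_cfg):
    """Local crypto ACL entries whose (dst, src) reverse is missing on the peer."""
    remote = crypto_acl(remote_cfg)
    return [(str(s), str(d)) for s, d in crypto_acl(local_cfg) if (d, s) not in remote]


def nat0_covers(cfg, src, dst):
    """True if some nat 0 exemption ACL matches src -> dst, i.e. the flow is not NATed."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(src in s and dst in d
               for n in NAT0_RE.findall(cfg) for s, d in acl(cfg, n))


if __name__ == "__main__":
    print("pool overlaps (before):", pool_overlaps(ASA5520_BEFORE))
    print("pool overlaps (after): ", pool_overlaps(ASA5520_AFTER))
    print("5510 missing mirror:   ", unmirrored(ASA5520_AFTER, ASA5510_BEFORE))
    print("5510 fixed:            ", unmirrored(ASA5520_AFTER, ASA5510_AFTER))
    print("nat0 covers pool->LAN: ", nat0_covers(ASA5520_AFTER, "10.10.90.201", "10.10.60.1"))
```

Running it reports the original pool as overlapping 10.10.80.0/23, then, once the pool is moved, shows the single 10.10.90.0/24 -> 10.10.60.0/23 entry that the 5510 crypto ACL still lacks; the same mirror check is what you would run against the real configs before blaming the drop counter on a bug.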