01-27-2014 02:29 AM - edited 02-21-2020 07:27 PM
Hello,
I've successfully configured a Cisco ASA 5512-X device. This includes the internal network connections, NAT and almost VPN.
Now the problem is that I can establish a VPN tunnel from the outside network. I can ping from the VPN to inside network devices and vice versa. I can resolve network names of internal devices and so on. When I try to use Remote Desktop access or access internal web pages, it seems that everything is restricted or denied.
My config:
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address g.g.g.i 255.255.255.192
!
interface Redundant5
description Inside Interface
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address x.x.x.x 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
ftp mode passive
clock timezone EET 2
dns domain-lookup Inside
dns server-group DefaultDNS
name-server x.x.x.c
name-server x.x.x.y
domain-name MyNet.ee
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_x.y.c.0_24
subnet x.y.c.0 255.255.255.0
object network Gateway
host g.g.g.g
description Gateway address
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group network MyNet
description MyNet Internal networks
network-object x.x.x.0 255.255.255.0
network-object k.k.k.0 255.255.255.0
network-object t.t.t.0 255.255.255.0
network-object p.p.p.0 255.255.255.0
network-object pt.pt.pt.0 255.255.255.0
object-group network VPN-network
description VPN Users Network Group
network-object object NETWORK_OBJ_x.y.c.0_24
object-group network DM_INLINE_NETWORK_2
group-object MyNet
group-object VPN-network
object-group service Inside-outside
description Inside-Outside policy for internet access
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq https
service-object object 7046
service-object object 8008
service-object object MS-DS-SMB
service-object object RDMI-SHO-HTTP
service-object tcp destination eq pop3
service-object tcp destination eq smtp
access-list Inside_access_in extended permit ip object-group VPN-network object-group MyNet
access-list Inside_access_in extended permit ip object-group MyNet object-group VPN-network
access-list Inside_access_in extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 object-group MyNet any
access-list Inside_access_in extended permit ip any object-group MyNet
access-list Inside_access_in extended permit ip any any
access-list global_access extended permit ip any object-group VPN-network
access-list global_access extended permit ip object-group VPN-network any
access-list global_access extended permit object-group Inside-outside any object-group MyNet
access-list global_access extended permit ip any object-group MyNet inactive
access-list global_access extended permit ip any any inactive
access-list ACL_IN extended permit ip object-group MyNet object-group VPN-network
access-list tcp_bypass extended permit tcp x.x.x.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp k.k.k.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp t.t.t.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp p.p.p.0 255.255.255.0 any
access-list tcp_bypass extended permit tcp pt.pt.pt.0 255.255.255.0 any
access-list Inside_access_out extended permit ip any object-group VPN-network
access-list Inside_access_out extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_out extended permit ip object-group MyNet any
access-list Inside_access_out extended permit ip any any
access-list Outside_access_out extended permit ip object-group VPN-network object-group MyNet
access-list Outside_access_out extended permit ip object-group MyNet object-group VPN-network
access-list Outside_access_out extended permit object-group Inside-outside object-group MyNet any
access-list Outside_access_out extended permit ip object-group MyNet any
access-list Outside_access_in extended permit ip object-group MyNet object-group VPN-network
access-list Outside_access_in extended permit ip object-group VPN-network object-group MyNet
access-list Outside_access_in extended permit object-group Inside-outside any object-group MyNet
access-list Outside_access_in extended permit ip any object-group MyNet inactive
access-list Internal-VPN standard permit x.y.c.0 255.255.255.0
ip local pool VPN-Pool x.y.c.50-x.y.c.150
nat (any,any) source static VPN-network VPN-network destination static MyNet MyNet
nat (Inside,any) source static MyNet MyNet destination static MyNet MyNet
!
nat (Inside,Outside) after-auto source dynamic MyNet interface
access-group Outside_access_in in interface Outside
access-group Outside_access_out out interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 g.g.g.1 1
route Inside k.k.k.0 255.255.255.0 x.x.x.254 1
route Inside t.t.t.0 255.255.255.0 x.x.x.254 1
route Inside p.p.p.0 255.255.255.0 x.x.x.254 1
route Inside pt.pt.pt.0 255.255.255.0 x.x.x.254 1
route Inside 0.0.0.0 0.0.0.0 x.x.x.1 tunneled
dynamic-access-policy-record DfltAccessPolicy
aaa-server UM-Radius protocol radius
aaa-server UM-Radius (Inside) host x.x.x.y
key *****
no user-identity enable
user-identity default-domain LOCAL
no user-identity action mac-address-mismatch remove-user-ip
http server enable
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface Outside
crypto ikev1 enable Outside
crypto ikev1 ipsec-over-tcp port 10000
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value x.x.x.y x.x.x.c
vpn-tunnel-protocol l2tp-ipsec
default-domain value MyNet.ee
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) VPN-Pool
address-pool VPN-Pool
authentication-server-group UM-Radius
authentication-server-group (Inside) UM-Radius
authorization-server-group UM-Radius
accounting-server-group UM-Radius
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
I have been on this issue for a few weeks now.
Thanks in advance.
02-04-2014 01:11 AM
I identified the problem, but I have no idea how to solve it.
The problem is related to service policies. As soon as I disable all service policies, I can access the internal network from the VPN network. As soon as I enable a service policy, the VPN connection to the internal network is gone.
I am really looking forward to getting this working ASAP.
02-04-2014 08:13 AM
Hi Madis,
I have no experience with L2TP VPN on the Cisco ASA, but I see something that I want to point out that might help.
nat (any,any) source static VPN-network VPN-network destination static MyNet MyNet
The (any,any) interface statement might have your ASA confused on how to route traffic. I'd suggest you go with
nat (Inside,Outside) source static VPN-network VPN-network destination static MyNet MyNet
This might help out, though I am not giving a sure guarantee about this. I remember I had a NAT problem some time ago with nat (any,any): I wasn't able to hit anywhere on the internet until I specified the source and destination interfaces.
Try that and let's see how that goes. A packet-tracer output would also help.
Thanks
Teddy
02-04-2014 10:39 PM
Thank you for replying. Unfortunately this did not work.
Just in case, I repost my current config:
: Saved
:
ASA Version 9.1(3)
!
hostname myyr
domain-name MyNet.ee
enable password j65f6SZsn3TSP/30 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN-Pool 192.168.15.50-192.168.15.150
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
shutdown
nameif management
security-level 0
ip address 192.168.10.1 255.255.255.0
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif Outside
security-level 0
ip address 86.54.32.11 255.255.255.192
!
interface Redundant5
description Inside Interface
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif Inside
security-level 100
ip address 192.168.0.1 255.255.255.0
ipv6 address autoconfig
ipv6 enable
!
boot system disk0:/asa913-smp-k8.bin
ftp mode passive
clock timezone EET 2
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 192.168.0.100
name-server 192.168.0.101
domain-name MyNet.ee
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPN-Network
subnet 192.168.15.0 255.255.255.0
object network Gateway
host 86.54.32.11
description Gateway address
object network FTP
host 192.168.0.50
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
object-group network MyNet
description MyNet Internal networks
network-object 192.168.0.0 255.255.255.0
network-object 192.168.1.0 255.255.255.0
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
group-object MyNet
object-group service Inside-outside
description Inside-Outside policy for internet access
service-object tcp-udp destination eq domain
service-object tcp-udp destination eq www
service-object tcp destination eq domain
service-object tcp destination eq www
service-object tcp destination eq https
service-object udp destination eq domain
access-list Inside_access_in extended permit ip any4 object VPN-Network
access-list Inside_access_in extended permit ip object VPN-Network any4
access-list Inside_access_in extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_in extended permit ip object-group MyNet any4
access-list Inside_access_out extended permit ip object VPN-Network any4
access-list Inside_access_out extended permit ip any4 object VPN-Network
access-list Inside_access_out extended permit ip object-group MyNet object-group MyNet
access-list Inside_access_out extended permit ip object-group MyNet any4
access-list Internal extended permit ip 192.168.0.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.1.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.2.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.3.0 255.255.255.0 any4
access-list Internal extended permit ip 192.168.4.0 255.255.255.0 any4
access-list Outside_access_in extended permit ip object VPN-Network any4
access-list Outside_access_in extended permit ip any4 object VPN-Network
!
tcp-map Internal
queue-limit 99 timeout 5
synack-data allow
invalid-ack allow
seq-past-window allow
tcp-options range 6 7 allow
tcp-options range 9 255 allow
no ttl-evasion-protection
urgent-flag allow
!
tcp-map tcp_bypass
queue-limit 99 timeout 5
synack-data allow
invalid-ack allow
seq-past-window allow
tcp-options range 6 7 allow
tcp-options range 9 255 allow
no ttl-evasion-protection
urgent-flag allow
!
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu Inside 1500
ip audit name Out_Inf info action alarm drop reset
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static MyNet MyNet destination static VPN-Network VPN-Network no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic VPN-Network interface
nat (Inside,Outside) source dynamic MyNet interface
!
object network FTP
nat (Inside,Outside) static interface service tcp ftp ftp
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
access-group Inside_access_out out interface Inside
route Outside 0.0.0.0 0.0.0.0 194.126.100.1 1
route Inside 192.168.1.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.2.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.3.0 255.255.255.0 192.168.0.254 1
route Inside 192.168.4.0 255.255.255.0 192.168.0.254 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server UM-Radius protocol radius
aaa-server UM-Radius (Inside) host 192.168.0.101
key *****
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 Inside
http 192.168.10.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES128-SHA1_TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES256-SHA1 esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map DYN_OUTSIDE 10000 set ikev1 transform-set ESP-AES256-SHA1_TRANS ESP-AES128-SHA1_TRANS ESP-AES256-SHA1
crypto dynamic-map DYN_OUTSIDE 10000 set reverse-route
crypto map MAP_OUTSIDE 10000 ipsec-isakmp dynamic DYN_OUTSIDE
crypto map MAP_OUTSIDE interface Outside
crypto ca trustpool policy
crypto ikev1 enable Outside
crypto ikev1 policy 1000
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 2000
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 3000
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy EMPLOYEES_L2TP_IPSEC internal
group-policy EMPLOYEES_L2TP_IPSEC attributes
dns-server value 192.168.0.100 192.168.0.101
vpn-tunnel-protocol l2tp-ipsec
default-domain value MyNet.ee
tunnel-group DefaultRAGroup general-attributes
address-pool (Inside) VPN-Pool
address-pool VPN-Pool
authentication-server-group UM-Radius
authentication-server-group (Inside) UM-Radius
authorization-server-group UM-Radius
accounting-server-group UM-Radius
default-group-policy EMPLOYEES_L2TP_IPSEC
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
!
class-map inspection_default
match default-inspection-traffic
class-map tcp_bypass
description "TCP traffic bypass"
match any
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map global-policy
class class-default
user-statistics accounting
policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass
!
service-policy tcp_bypass_policy interface Inside
And it really seems to be some kind of problem with the service policy. It seems like the global policy is still enabled and dropping something.
The VPN starts working as soon as I remove all service policies. Unfortunately, I cannot do this because then our intranet stops working.
So it is like this: when I disable the service policy, VPN works, intranet does not work.
When I enable the service policy (for TCP bypass), intranet works, VPN does not work.
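The three configuration patterns the thread circles around (a NAT rule with an (any,any) interface pair, a tcp-state-bypass class that matches all traffic and is bound to an interface, and the absence of "sysopt connection permit-vpn") can be checked mechanically. This is an added example, not code from the thread or from Cisco; the sample config is a constructed, trimmed version of the poster's, with the one-space indentation that "show running-config" prints, and the check names are my own.

```python
"""Audit an ASA running-config for the patterns discussed in this thread."""
import re
from collections import defaultdict

# Constructed sample: trimmed from the poster's config, with ASA's own indentation.
SAMPLE_CONFIG = """\
nat (any,any) source static VPN-Network VPN-Network destination static MyNet MyNet
nat (Inside,Outside) source dynamic MyNet interface
class-map inspection_default
 match default-inspection-traffic
class-map tcp_bypass
 description "TCP traffic bypass"
 match any
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass
service-policy global_policy global
service-policy tcp_bypass_policy interface Inside
"""


def parse_config(text):
    """Return (nat_rules, class_maps, policy_maps, service_policies).

    ASA config is indentation based: an unindented line opens a section and
    indented lines belong to the most recently opened one.
    """
    nat_rules = []
    class_maps = defaultdict(list)       # class-map name -> list of match criteria
    policy_maps = defaultdict(dict)      # policy-map name -> {class name: [actions]}
    service_policies = []                # (policy-map name, "global" or interface)
    section = None                       # ("class-map", name) or ("policy-map", name)
    current_class = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        words = line.split()
        if not line[0].isspace():
            current_class = None
            section = None
            if words[0] == "nat":
                nat_rules.append(line)
            elif words[0] == "class-map":
                section = ("class-map", words[-1])
            elif words[0] == "policy-map" and words[1] != "type":
                section = ("policy-map", words[1])
            elif words[0] == "service-policy":
                scope = words[2] if words[2] == "global" else words[3]
                service_policies.append((words[1], scope))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class-map" and words[0] == "match":
            class_maps[name].append(" ".join(words[1:]))
        elif kind == "policy-map":
            if words[0] == "class":
                current_class = words[1]
                policy_maps[name].setdefault(current_class, [])
            elif current_class is not None:
                policy_maps[name][current_class].append(" ".join(words))
    return nat_rules, class_maps, policy_maps, service_policies


def audit(text):
    """Return a list of findings (strings) for the given config text."""
    nat_rules, class_maps, policy_maps, service_policies = parse_config(text)
    findings = []
    # 1. NAT rules that leave the ASA to guess the interface pair.
    for rule in nat_rules:
        m = re.match(r"nat \((\S+),(\S+)\)", rule)
        if m and "any" in (m.group(1), m.group(2)):
            findings.append("nat-any-interface: " + rule)
    # 2. tcp-state-bypass applied to a class that matches everything.
    applied = dict(service_policies)
    for pmap, classes in policy_maps.items():
        for cls, actions in classes.items():
            bypass = any("tcp-state-bypass" in a for a in actions)
            if bypass and "any" in class_maps.get(cls, []) and pmap in applied:
                findings.append(
                    f"tcp-state-bypass-match-any: policy-map {pmap} "
                    f"class {cls} applied {applied[pmap]}")
    # 3. Without this sysopt, decrypted VPN traffic is subject to interface ACLs.
    if not re.search(r"^sysopt connection permit-vpn\s*$", text, re.M):
        findings.append("missing: sysopt connection permit-vpn")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```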
02-05-2014 10:20 AM
Could you please reply why you have used these NATs:
nat (Inside,Outside) source static MyNet MyNet destination static VPN-Network VPN-Network no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic VPN-Network interface ---- > what is this NAT ??
nat (Inside,Outside) source dynamic MyNet interface
!
object network FTP
nat (Inside,Outside) static interface service tcp ftp ftp
02-06-2014 04:26 AM
nat (Outside,Outside) source dynamic VPN-Network interface
---- > what is this NAT ??
I am using this in order to access internet through VPN. I am not using split tunnel VPN.
Now I was able to get the VPN connection up and even access a few pages on the internet. Also I could connect with RDP to our server. So it's now a packet fragmentation problem.
After I added these commands:
sysopt connection tcpmss 1300
sysopt connection permit-vpn
everything started to work (at least for me), but other computers were unable to set up a VPN connection. Only two computers had established VPN tunnels successfully. One of them is Windows 8 and the other Windows 7. Windows 8 has not had any trouble connecting to the VPN.
02-06-2014 05:32 AM
After a little more debugging I see the problem why the Windows 7 client cannot connect. The log shows: Duplicate Phase 2 packet detected. Retransmitting last packet.
Windows keeps doing this until connection times out.
02-06-2014 05:58 AM
Hi Madis,
Based on your explanation, you can access some hosts having Windows 8 but not some others having Windows 7 that are in the same LAN. This straight away points me to believe that it has nothing to do with the configuration nor the VPN on both the ASA and router. Because everything is set up between LAN to LAN subnets, if you can access just 1 IP address within that subnet, you should be able to access everything else on that subnet.
The security appliance has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message. This message could indicate a network performance or connectivity issue where the peer is not receiving sent packets in a timely manner.
Action: Retransmitting last packet, or No last packet to transmit.
Recommended Action: Verify network performance or connectivity.
You mention that you can't access the server. Can you enable the following:
management-access Inside
and check if you can ping the ASA Inside interface IP address after the above command is added.
If you can, then it doesn't seem to be a configuration issue. You might want to check if the server has any firewall enabled that might be blocking inbound connections from different subnets. See if you can access anything else within the same subnet.
Lastly, please share the output of the following commands from your ASA:
1. show crypto debug-condition
2. show crypto ipsec df-bit
3. show crypto ipsec fragmentation
4. show crypto ipsec sa
5. show crypto ipsec stats
6. show crypto isakmp stats
7. show crypto isakmp sa
8. show crypto isakmp stats
9. show crypto protocol statistics
Best regards,
Sachin Garg
02-06-2014 06:29 AM
Hi Sachin,
Here is a small misunderstanding. These Windows 7 and Windows 8 clients are trying to set up VPN access from an external network. Windows 8 can access without any problem. The other Windows 7 client is having issues. Meanwhile, on the same external network, with the same settings, a different machine can connect.
It's like 2 PCs can connect and all the other 10 cannot connect.
After fiddling with the Cisco config the retransmitting thing went away, but the client is still unable to connect.
1. show crypto debug-condition
Crypto conditional debug is turned OFF
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
2. show crypto ipsec df-bit Outside
df-bit Outside clear
show crypto ipsec fragmentation Outside
fragmentation Outside before-encryption
show crypto ipsec df-bit Outside
df-bit Outside clear
3. show crypto ipsec fragmentation Outside
fragmentation Outside before-encryption
4. show crypto ipsec sa
interface: Outside
Crypto map tag: DYN_OUTSIDE, seq num: 10000, local addr: x.x.x.x
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (176.46.1.224/255.255.255.255/17/1701)
current_peer: 176.46.1.224, username: DefaultRAGroup
dynamic allocated peer ip: 0.0.0.0
dynamic allocated peer ip(ipv6): 0.0.0.0
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: x.x.x.x/0, remote crypto endpt.: 176.46.1.224/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6B61B2F8
current inbound spi : 7E7B99A4
inbound esp sas:
spi: 0x7E7B99A4 (2122029476)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, IKEv1, }
slot: 0, conn_id: 155648, crypto-map: DYN_OUTSIDE
sa timing: remaining key lifetime (kB/sec): (237304/3372)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6B61B2F8 (1801564920)
transform: esp-aes esp-sha-hmac no compression
in use settings ={RA, Transport, IKEv1, }
slot: 0, conn_id: 155648, crypto-map: DYN_OUTSIDE
sa timing: remaining key lifetime (kB/sec): (237304/3372)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
5. show crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 39
Inbound
Bytes: 15709111
Decompressed bytes: 15709111
Packets: 87278
Dropped packets: 1
Replay failures: 0
Authentications: 87278
Authentication failures: 0
Decryptions: 87278
Decryption failures: 0
TFC Packets: 0
Decapsulated fragments needing reassembly: 0
Valid ICMP Errors rcvd: 0
Invalid ICMP Errors rcvd: 0
Outbound
Bytes: 84694753
Uncompressed bytes: 84694753
Packets: 136591
Dropped packets: 2
Authentications: 136589
Authentication failures: 0
Encryptions: 136589
Encryption failures: 0
TFC Packets: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 1
System capacity failures: 0
6. show crypto isakmp stats
Global IKEv1 Statistics
Active Tunnels: 1
Previous Tunnels: 39
In Octets: 133688
In Packets: 537
In Drop Packets: 171
In Notifys: 65
In P2 Exchanges: 44
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 24
Out Octets: 63020
Out Packets: 386
Out Drop Packets: 0
Out Notifys: 73
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 19
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 46
System Capacity Fails: 0
Auth Fails: 9
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 37
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 50
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 2
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 252
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
7. show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 176.46.1.224
Type : user Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
8. show crypto isakmp stats
Global IKEv1 Statistics
Active Tunnels: 1
Previous Tunnels: 39
In Octets: 133688
In Packets: 537
In Drop Packets: 171
In Notifys: 65
In P2 Exchanges: 44
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 24
Out Octets: 63020
Out Packets: 386
Out Drop Packets: 0
Out Notifys: 73
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 19
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 46
System Capacity Fails: 0
Auth Fails: 9
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 37
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 50
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 2
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 252
Cookie Challenge Threshold: Never
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
9. show crypto protocol statistics all
[IKEv1 statistics]
Encrypt packet requests: 149
Encapsulate packet requests: 149
Decrypt packet requests: 210
Decapsulate packet requests: 210
HMAC calculation requests: 932
SA creation requests: 39
SA rekey requests: 18
SA deletion requests: 102
Next phase key allocation requests: 88
Random number generation requests: 0
Failed requests: 0
[IKEv2 statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[IPsec statistics]
Encrypt packet requests: 136589
Encapsulate packet requests: 136589
Decrypt packet requests: 87278
Decapsulate packet requests: 87278
HMAC calculation requests: 223867
SA creation requests: 78
SA rekey requests: 10
SA deletion requests: 86
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSL statistics]
Encrypt packet requests: 1580864
Encapsulate packet requests: 1580864
Decrypt packet requests: 286
Decapsulate packet requests: 286
HMAC calculation requests: 1581150
SA creation requests: 246
SA rekey requests: 0
SA deletion requests: 244
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[SSH statistics are not supported]
[SRTP statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 0
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 0
Failed requests: 0
[Other statistics]
Encrypt packet requests: 0
Encapsulate packet requests: 0
Decrypt packet requests: 0
Decapsulate packet requests: 0
HMAC calculation requests: 35115
SA creation requests: 0
SA rekey requests: 0
SA deletion requests: 0
Next phase key allocation requests: 0
Random number generation requests: 345
Failed requests: 9
Also I'd like to thank you for helping me and replying so quickly.
02-06-2014 06:54 AM
1.
The outbound spi matches the one that's not encrypting anything. The inbound spi matches the one that *is* decrypting.
I could see that ASA - VPN Traffic is not being encrypted
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
hence Issue seems to be that traffic is sent out from the ASA unencrypted.
This can be caused by a duplicate (stale) ASP crypto table entry, this prevents the ASA encrypting any traffic destined for the remote host.
There are 2 commands which show this behaviour. They are:
show ipsec stat | grep Missing SA failures
show asp table classify crypto
A possible solution to this issue is to hard reboot the firewall.
Hence plan a reboot during off-business hours to reduce any downtime.
Additional References
CSCsh48962 - Duplicate ASP table entry causes FW to encrypt traffic with invalid SPI.
CSCso50996 - ASA dropping the packet instead of encrypting it.
2.
I could find it in the following output:
Missing SA failures: 1
5. show crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 39
Inbound
Bytes: 15709111
Decompressed bytes: 15709111
Packets: 87278
Dropped packets: 1
Replay failures: 0
Authentications: 87278
Authentication failures: 0
Decryptions: 87278
Decryption failures: 0
TFC Packets: 0
Decapsulated fragments needing reassembly: 0
Valid ICMP Errors rcvd: 0
Invalid ICMP Errors rcvd: 0
Outbound
Bytes: 84694753
Uncompressed bytes: 84694753
Packets: 136591
Dropped packets: 2
Authentications: 136589
Authentication failures: 0
Encryptions: 136589
Encryption failures: 0
TFC Packets: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 1
System capacity failures: 0
As per the output of the 'show crypto ipsec stats' command, the "Missing SA failures" count is 1; check if it increments or not.
Also check with 'show asp drop' whether the "Tunnel being brought up or torn down" counter is incrementing.
If the counts are incrementing, you have one of the bugs.
A workaround is to hard power down the firewall and power it back up.
Hopefully it should work.
Best Regards
Sachin Garg
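The two checks suggested above (an SA that decrypts but never encrypts, and a "Missing SA failures" counter that keeps rising between snapshots) can be automated. The following is an added example, not code from the thread; it parses constructed text modelled on the `show crypto ipsec sa` and `show crypto ipsec stats` snippets posted here, and the function names are the author's own.

```python
# Constructed samples modelled on the thread's output (not captured from a device).
SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
"""
STATS_BEFORE = "Protocol failures: 0\nMissing SA failures: 1\nSystem capacity failures: 0\n"
STATS_AFTER = "Protocol failures: 0\nMissing SA failures: 3\nSystem capacity failures: 0\n"


def parse_counters(text):
    """Turn 'Name: <int>' fields (comma- or line-separated) into a dict."""
    counters = {}
    for line in text.splitlines():
        for field in line.split(","):
            if ":" not in field:
                continue
            key, _, val = field.partition(":")
            if val.strip().isdigit():
                counters[key.strip()] = int(val)
    return counters


def sa_is_one_way(counters):
    """True when the SA decrypts inbound packets but encrypts nothing outbound,
    the pattern the thread links to a stale ASP crypto table entry."""
    return (counters.get("#pkts decrypt", 0) > 0
            and counters.get("#pkts encrypt", 0) == 0)


def counter_delta(before, after, name="Missing SA failures"):
    """Difference of one counter between two stats snapshots taken while testing."""
    return after.get(name, 0) - before.get(name, 0)


def diagnose(sa_text, stats_before, stats_after):
    """Return human-readable findings; an empty list means neither symptom is present."""
    findings = []
    if sa_is_one_way(parse_counters(sa_text)):
        findings.append("SA decrypts but does not encrypt (one-way tunnel)")
    delta = counter_delta(parse_counters(stats_before), parse_counters(stats_after))
    if delta > 0:
        findings.append(f"Missing SA failures rose by {delta} during the test")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SA_OUTPUT, STATS_BEFORE, STATS_AFTER):
        print(finding)
```

Take the two stats snapshots before and after reproducing the failed connection; a counter that only rises while the affected client is tested is the signal the reply asks for.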
02-06-2014 07:03 AM
Hi,
By saying hard power down, do you mean just disconnecting the power cable from the firewall? Or just a regular reload?
I'll give the reboot a try and look at these references also.
Thank you very much for help at the moment
02-06-2014 07:23 AM
I installed Windows 8 on that Windows 7 test client and from there, it works. Also packets are being encrypted and decrypted, but those other Windows 7 devices are unable to connect.
I continue further testing.
For the record, I have not yet rebooted the Cisco ASA.
02-06-2014 07:42 AM
By hard reboot I mean powering the box OFF and ON physically; of course that is similar to taking the power plug out and plugging it back in, but I think the power button OFF and ON will be sufficient. No need to pull the cable and so on!
02-07-2014 12:37 AM
Hi Sachin,
I tried a hard reboot, but unfortunately this did not change anything. I will look into these two bugs and see if I find any help there.
Best Regards,
Madis.
02-26-2014 05:35 AM
Hi,
1- Is TCP state bypass really required?
1.1 - If so, why do you have "match any"?
2- Would you mind putting a packet capture in place and setting the logs to debugging whilst testing the connection?
3- Also, run a packet-tracer from inside - outside and share the results.
HTH.
Message was edited by: Javier Portuguez Please disregard, the issue has been solved already. :)