
Cisco ASA: AnyConnect and site-to site ipsec tunnel to the same peer

I have an issue with establishing a site-to-site VPN tunnel, and I guess it is because I'm connecting with AnyConnect from the same peer. Is there any workaround other than using a different public IP (which I don't have)? I wonder if setting up IKEv2 for this particular peer may be a solution?

7 Replies

@Ernestas Sabukevicius, if you use SSL/TLS for the AnyConnect Remote Access VPN and IKEv2/IPsec for the Site-to-Site VPN there would be no conflict.

I use the AnyConnect client (not the web site connection) and for the site-to-site I currently use IKEv1. The issue is that I get "decaps", but no "encaps" packets, whatever I do.

NAT or routing issue?

See below: the IPsec site-to-site is established. When I check with packet-tracer it routes traffic to WebVPN (I guess because I've connected with AnyConnect from the same peer) instead of the IPsec site-to-site tunnel (Phase 10).

 

 

peer address: xxx
Crypto map tag: OUTSIDE-MAP, seq num: 260, local addr: xxx

access-list TEST extended permit ip 10.55.25.0 255.255.255.0 host 192.168.10.30
local ident (addr/mask/prot/port): (10.55.25.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.30/255.255.255.255/0/0)
current_peer: xxx


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 71, #pkts decrypt: 71, #pkts verify: 71



packet-tracer input inside icmp 10.55.25.45 8 0 10.57.2.5

 

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

 

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.30 using egress ifc outside

 

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (any,inside) source static obj-192.168.10.30 obj-10.57.2.5 destination static obj-10.0.0.0 obj-10.0.0.0
Additional Information:
NAT divert to egress interface outside
Untranslate 10.57.2.5/0 to 192.168.10.30/0

 

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface inside
access-list INSIDE extended permit ip any4 any4
Additional Information:

 

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (any,inside) source static obj-192.168.10.30 obj-10.57.2.5 destination static obj-10.0.0.0 obj-10.0.0.0
Additional Information:
Static translate 10.55.25.45/0 to 10.55.25.45/0

 

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

 

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

 

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

 

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

 

Phase: 10
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information:

 

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP

 

Do you have a mis-configured VPN Filter applied?

I don't have any filter on the IPsec site-to-site tunnel:

 

tunnel-group xxx type ipsec-l2l
tunnel-group xxx ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold 10 retry 10

 

And for the site-to-site tunnel it should route traffic through the following phases:

 

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW

 

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW

 

So I suspect that the AnyConnect session interferes with the IPsec tunnel, as both of them are coming from the same peer.

show vpn-sessiondb detail l2l | b xxx


Connection : xxx
Index : 29091 IP Addr : xxx
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 0 Bytes Rx : 188496
Login Time : 11:27:50 EDT Tue Jun 15 2021
Duration : 0h:38m:20s

 

IKEv1 Tunnels: 1
IPsec Tunnels: 1

 

IKEv1:
Tunnel ID : 29091.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 26500 Seconds
D/H Group : 2
Filter Name :

 

IPsec:
Tunnel ID : 29091.2
Local Addr : 10.55.25.0/255.255.255.0/0/0
Remote Addr : 192.168.10.30/255.255.255.255/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel PFS Group : 2
Rekey Int (T): 3600 Seconds Rekey Left(T): 1300 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607816 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 0 Bytes Rx : 188496
Pkts Tx : 0 Pkts Rx : 2244
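As an added example (not part of this thread or of any Cisco tool), a small Python triage script that parses packet-tracer phase blocks and the "#pkts encaps/decaps" counters quoted above, and reports whether a flow reached the L2L "VPN / ipsec-tunnel-flow" phase or was steered into the "WEBVPN-SVC" remote-access path. The sample output is constructed from the values in this thread.

```python
import re

# Constructed sample, abbreviated from the packet-tracer output in the thread.
SAMPLE_TRACE = """\
Phase: 10
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
"""

# Constructed sample of the 'show crypto ipsec sa' counters quoted in the thread.
SAMPLE_COUNTERS = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 71, #pkts decrypt: 71, #pkts verify: 71
"""

# One packet-tracer phase block: Phase / Type / Subtype (may be empty) / Result.
PHASE_RE = re.compile(
    r"Phase:[ \t]*(?P<n>\d+)[ \t]*\nType:[ \t]*(?P<type>\S+)[ \t]*\n"
    r"Subtype:(?P<sub>[^\n]*)\nResult:[ \t]*(?P<res>\w+)"
)
COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_phases(trace):
    """Return [(phase_no, type, subtype, result), ...] in trace order."""
    return [(int(m["n"]), m["type"], m["sub"].strip(), m["res"])
            for m in PHASE_RE.finditer(trace)]

def diagnose(trace):
    """Classify which VPN path the traced flow was steered into."""
    phases = parse_phases(trace)
    if any(t == "VPN" and s == "ipsec-tunnel-flow" for _, t, s, _ in phases):
        return "l2l-crypto-map"      # expected path for a site-to-site tunnel
    if any(t == "WEBVPN-SVC" for _, t, _, _ in phases):
        return "webvpn-session"      # matched the remote-access session instead
    return "no-vpn"

def counter_direction(sa_output):
    """'rx-only' = decaps grow while encaps stay 0, the one-way symptom above."""
    c = {k: int(v) for k, v in COUNTER_RE.findall(sa_output)}
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc == 0 and dec > 0:
        return "rx-only"
    if dec == 0 and enc > 0:
        return "tx-only"
    return "idle" if enc == dec == 0 else "bidirectional"
```

Feed it the full output of `packet-tracer` and `show crypto ipsec sa` for the peer; a "webvpn-session" verdict together with "rx-only" counters matches the symptom described in this thread.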