Cisco ASA IPSec tunnel is up but traffic not passing

jf1134
Level 1

Hi

I've got a Site-to-Site VPN between a Sophos XG Firewall and a Cisco ASA. The tunnel shows as up on both sides but is unable to pass traffic. I ran a packet capture on the Sophos and it shows pings going out, but on the ASA it doesn't look like the packets get there.

(any) to (any) source static any any destination static A-172.16.0.0 A-172.16.0.0 no-proxy-arp
translate_hits = 270405, untranslate_hits = 299696

0.0.0.0 0.0.0.0 [1/0] via 22.22.22.22, outside
172.16.128.0 255.255.128.0 is directly connected, inside

access-list acl_inside line 2 extended permit ip any object A-172.16.0.0

access-list outside_cryptomap_1 line 1 extended permit ip 172.16.128.0 255.255.128.0 object A-172.16.0.0
access-list outside_cryptomap_1 line 1 extended permit ip 172.16.128.0 255.255.128.0 172.16.0.0 255.255.128.0


Result of the command: "sh cryp ipsec sa"

interface: outside
Crypto map tag: outside_map, seq num: 2, local addr: 11.11.11.11

access-list outside_cryptomap_1 extended permit ip 172.16.128.0 255.255.128.0 172.16.0.0 255.255.128.0
local ident (addr/mask/prot/port): (172.16.128.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/0/0)
current_peer: 22.22.22.22


#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 24516, #pkts decrypt: 24516, #pkts verify: 24516
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 46, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 22.22.22.22/500, remote crypto endpt.: 11.11.11.11/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CFB56118
current inbound spi : 17688FB3

inbound esp sas:
spi: 0x17688FB3 (392728499)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 270336, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4192929/26935)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xCFB56118 (3484770584)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 270336, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4055039/26935)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

IKEv2 SAs:

Session-id:48, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
824857483 50.242.252.131/500 11.11.11.11/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/43702 sec
Child sa: local selector 172.16.128.0/0 - 172.16.255.255/65535
remote selector 172.16.0.0/0 - 172.16.127.255/65535
ESP spi in/out: 0x17688fb3/0xcfb56118

3 Replies

Rahul Govindan
VIP Alumni

Looks like the ASA is decrypting traffic but not encrypting much:

access-list outside_cryptomap_1 extended permit ip 172.16.128.0 255.255.128.0 172.16.0.0 255.255.128.0
local ident (addr/mask/prot/port): (172.16.128.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/0/0)
current_peer: 22.22.22.22

#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 24516, #pkts decrypt: 24516, #pkts verify: 24516

Add the "route-lookup" keyword to the end of your NAT exempt statement.

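A small triage helper, added here and not part of the thread, that applies the check in the reply above to the quoted `sh crypto ipsec sa` counters and the NAT exemption line: the sample text is cut down from the original post, and the 10:1 encaps/decaps ratio used to call a tunnel one-way is an assumed heuristic.

```python
import re

# Constructed sample, cut down from the "sh crypto ipsec sa" output quoted in the thread.
SAMPLE_SA = """\
access-list outside_cryptomap_1 extended permit ip 172.16.128.0 255.255.128.0 172.16.0.0 255.255.128.0
local ident (addr/mask/prot/port): (172.16.128.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.128.0/0/0)
current_peer: 22.22.22.22

#pkts encaps: 46, #pkts encrypt: 46, #pkts digest: 46
#pkts decaps: 24516, #pkts decrypt: 24516, #pkts verify: 24516
#send errors: 0, #recv errors: 0
"""
# The NAT exemption as it appeared in the original post (no route-lookup yet).
SAMPLE_NAT = ("(any) to (any) source static any any destination static "
              "A-172.16.0.0 A-172.16.0.0 no-proxy-arp")

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/")


def parse_sa(text):
    """Extract the traffic selectors and the encaps/decaps counters from one SA block."""
    sa = {"encaps": 0, "decaps": 0, "local": None, "remote": None}
    for direction, count in COUNTER_RE.findall(text):
        sa[direction] = int(count)
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = f"{addr}/{mask}"
    return sa


def triage(sa_text, nat_line, ratio=10):
    """Findings for the two things the reply checked: counter symmetry and the NAT exemption.
    ratio is an assumed threshold: one direction more than ratio times the other is one-way."""
    sa = parse_sa(sa_text)
    findings = []
    if sa["decaps"] > ratio * max(sa["encaps"], 1):
        findings.append(
            f"one-way: decaps {sa['decaps']} vs encaps {sa['encaps']}; traffic for "
            f"{sa['remote']} is decrypted but replies from {sa['local']} never reach "
            f"the crypto map, so check inside-side routing and the NAT exemption")
    elif sa["encaps"] > ratio * max(sa["decaps"], 1):
        findings.append(
            f"one-way: encaps {sa['encaps']} vs decaps {sa['decaps']}; the ASA sends "
            f"but the peer returns nothing, so check the peer side")
    if " static " in nat_line and "route-lookup" not in nat_line:
        findings.append("NAT exemption has no route-lookup keyword")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_SA, SAMPLE_NAT):
        print(line)
```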
Thanks, I added this but it still doesn't seem to be working.

(any) to (outside) source static any any destination static Austin-172.16.0.0 Austin-172.16.0.0 no-proxy-arp route-lookup

I was able to find the problem. There was a router set up at that site that I didn't know about, with a route pointing to an IP on a network that didn't exist anymore. Once I changed the routes to point to the ASA, the VPN started working.