cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2524
Views
0
Helpful
8
Replies

cisco asa ipsec tunnel up but not passing traffic

ericliu9981
Level 1
Level 1

The ipsec vpn tunnel is up, but it is unstable. There are 2 streams of interest. One of the streams of interest (10.200.0.0/16)can be connected. The other (172.19.0.0/16)fails. Sometimes the clear crypto ipsec sa is required to pass through, but after a while, it fails. Know what the reason, device configuration information is as follows

 

ciscoasa# sh running-config
: Saved

:
: Serial Number: JAD2114073G
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname ciscoasa
domain-name XXXXX
enable password .XXXXX
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 101.230.195.116 255.255.255.240
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 10.9.0.2 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
nameif inside2
security-level 100
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 8
dns server-group DefaultDNS
domain-name owitho.cn
object network remote-beta_172.19.144.0_20
subnet 172.19.0.0 255.255.0.0
object network inside
subnet 0.0.0.0 0.0.0.0
object network local_10.9.0.0_16
subnet 10.9.0.0 255.255.0.0
object network inside2
object network remote-beta_10.10.0.0_16
subnet 10.10.0.0 255.255.0.0
object network sdwan-12346
host 10.9.0.101
object network sdwan-12366
host 10.9.0.101
object network sdwan-12336
host 10.9.0.101
object network sdwan-12406
host 10.9.0.101
object network sdwan-12426
host 10.9.0.101
object network remote-aux_10.200.0.0_16
subnet 10.200.0.0 255.255.0.0
object-group network vpn-remote-beta
network-object object remote-beta_172.19.144.0_20
network-object object remote-aux_10.200.0.0_16
object-group network 8to10
network-object object remote-beta_10.10.0.0_16
object-group network vpn-local-office
network-object object local_10.9.0.0_16
access-list vpn_beta_acl extended permit ip object-group vpn-local-office object-group vpn-remote-beta
access-list nat_to_wan extended permit ip any any
access-list sdwan extended permit udp any any eq 12346
access-list sdwan extended permit udp any any eq 12366
access-list sdwan extended permit udp any any eq 12336
access-list sdwan extended permit udp any any eq 12406
access-list sdwan extended permit udp any any eq 12426
access-list 8to10_beta_acl extended permit ip object local_10.9.0.0_16 object-group 8to10
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-761.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static local_10.9.0.0_16 local_10.9.0.0_16 destination static 8to10 8to10
nat (inside,outside) source static vpn-local-office vpn-local-office destination static vpn-remote-beta vpn-remote-beta
!
object network inside
nat (inside,outside) dynamic interface
object network sdwan-12346
nat (inside,outside) static interface service udp 12346 12346
object network sdwan-12366
nat (inside,outside) static interface service udp 12366 12366
object network sdwan-12336
nat (inside,outside) static interface service udp 12336 12336
object network sdwan-12406
nat (inside,outside) static interface service udp 12406 12406
access-group sdwan in interface outside
route outside 0.0.0.0 0.0.0.0 101.230.195.113 1
route inside 10.9.1.0 255.255.255.0 10.9.0.1 1
route inside 10.9.3.0 255.255.255.252 10.9.0.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
sysopt connection tcpmss 1350
sysopt connection preserve-vpn-flows
service sw-reset-button
crypto ipsec ikev1 transform-set 10to8 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal toalicloud
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec security-association lifetime seconds 288000
crypto ipsec security-association lifetime kilobytes 46080000
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 10 match address vpn_beta_acl
crypto map outside_map 10 set pfs
crypto map outside_map 10 set peer 101.132.73.155
crypto map outside_map 10 set ikev2 ipsec-proposal toalicloud
crypto map outside_map 10 set security-association lifetime seconds 3600
crypto map outside_map 10 set security-association lifetime kilobytes 2147483647
crypto map outside_map 11 match address 8to10_beta_acl
crypto map outside_map 11 set peer 101.230.195.120
crypto map outside_map 11 set ikev1 transform-set 10to8
crypto map outside_map interface outside
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 10
encryption aes-256
integrity md5
group 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes-256
integrity md5
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 106.14.171.55 255.255.255.255 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside2
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dynamic-access-policy-record DfltAccessPolicy
username XXXX password XXXXX encrypted privilege 15
tunnel-group 106.14.199.42 type ipsec-l2l
tunnel-group 106.14.199.42 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold infinite
tunnel-group 101.230.195.120 type ipsec-l2l
tunnel-group 101.230.195.120 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive threshold infinite
tunnel-group 101.132.73.155 type ipsec-l2l
tunnel-group 101.132.73.155 ipsec-attributes
isakmp keepalive threshold infinite
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:30a3840cd3859378e636fa2a44e57aa2
: end
ciscoasa#

 

 

来自 10.200.102.51 的回复: 字节=32 时间=9ms TTL=127
来自 10.200.102.51 的回复: 字节=32 时间=14ms TTL=127
来自 10.200.102.51 的回复: 字节=32 时间=10ms TTL=127
来自 10.200.102.51 的回复: 字节=32 时间=9ms TTL=127

 

 

正在 Ping 172.19.164.169 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。

8 Replies 8

Hi,

When it fails, can you check IPSec SAs on both sides and see if they are up
and running. Also, when it fails can you check packet-trace and see if the
packet should be encrypted

when failed, I tried traceroute. After the packet arrived on the ASA, it did not seem to be encrypted. I did not find any packets on the peer device, but if I use the command “clear crypto ipsec sa”, I feel it all. The stream of interest can communicate, but after a while, it doesn’t work.

Do what asked for and post the results

ciscoasa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 10, local addr: 101.230.195.116

access-list vpn_beta_acl extended permit ip 10.9.0.0 255.255.0.0 10.200.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.9.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.200.0.0/255.255.0.0/0/0)
current_peer: 101.132.73.155


#pkts encaps: 254, #pkts encrypt: 254, #pkts digest: 254
#pkts decaps: 50554, #pkts decrypt: 50554, #pkts verify: 50554
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 254, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 101.230.195.116/4500, remote crypto endpt.: 101.132.73.155/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C0658710
current inbound spi : A9C50D49

inbound esp sas:
spi: 0xA9C50D49 (2848263497)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv2, }
slot: 0, conn_id: 200704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1911255661/3459)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC0658710 (3227879184)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv2, }
slot: 0, conn_id: 200704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1889785594/3459)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 10, local addr: 101.230.195.116

access-list vpn_beta_acl extended permit ip 10.9.0.0 255.255.0.0 172.19.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.9.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (172.19.0.0/255.255.0.0/0/0)
current_peer: 101.132.73.155


#pkts encaps: 55464, #pkts encrypt: 55464, #pkts digest: 55464
#pkts decaps: 12173, #pkts decrypt: 12168, #pkts verify: 12168
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 55464, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 5

local crypto endpt.: 101.230.195.116/4500, remote crypto endpt.: 101.132.73.155/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C5F87943
current inbound spi : 09459B54

inbound esp sas:
spi: 0x09459B54 (155556692)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv2, }
slot: 0, conn_id: 200704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1997158701/3433)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC5F87943 (3321395523)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv2, }
slot: 0, conn_id: 200704, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1846826949/3433)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Crypto map tag: outside_map, seq num: 11, local addr: 101.230.195.116

access-list 8to10_beta_acl extended permit ip 10.9.0.0 255.255.0.0 10.10.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.9.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer: 101.230.195.120


#pkts encaps: 1154, #pkts encrypt: 1154, #pkts digest: 1154
#pkts decaps: 1358, #pkts decrypt: 1358, #pkts verify: 1358
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1154, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 101.230.195.116/0, remote crypto endpt.: 101.230.195.120/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 1AA06D45
current inbound spi : E43B5337

inbound esp sas:
spi: 0xE43B5337 (3829093175)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 212992, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1749528/3464)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x1AA06D45 (446721349)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 212992, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (1749551/3464)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

ciscoasa#

 

 

C:\Users\Eric.liu>ping 172.19.164.169

正在 Ping 172.19.164.169 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。

172.19.164.169 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失),

 

 

C:\Users\Eric.liu>tracert -d 172.19.164.169

通过最多 30 个跃点跟踪到 172.19.164.169 的路由

1 * * * 请求超时。
2 * * * 请求超时。
3 *

 

 

 

Can you get show cry ips sa from other side while its not working?

I would address this problem in a different way: You are running the very first version of the 9.6 release which is three years old. These versions have shown not to be very stable. 9.6(4)5 is the actual interims-release in that release-train and contains many fixes for bugs and vulnerabilities.

Instead of doing an intensive troubleshooting, I would first patch the ASA and look if the problems disappear automatically.

thank you,
I will try it

The ASA have upgrade version to 9.6(4)5,but the problem still exists,This does not seem to be the reason for the system

ciscoasa# show ve
ciscoasa# show version

Cisco Adaptive Security Appliance Software Version 9.6(4)5