11-14-2023 08:40 AM
So the weirdest thing ever for me.
I have done this many times before and never had an issue.
I am connecting to peer 1.2.3.4 and their remote networks are 192.168.0.0/24 and 10.0.246.0/24.
I have my NAT exempted and the tunnel comes up. If BOTH remote networks are enabled I can ping 192.168.0.0/24 but not 10.0.246.33 on that side. However, if I remove the 192.168.0.0/24 from the remote networks I can ping 10.0.246 no problem.
While both are connected, here is what packet-tracer shows:
Ciscoasa# packet-tracer in inside icmp 10.107.0.3 0 8 10.0.246.33 detail
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef4175430, priority=1, domain=permit, deny=false
hits=39044578, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 71.46.229.97 using egress ifc outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static OCICMTAALL OCICMTAALL destination static CMTALVILLEA CMTALVILLEA no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.246.33/0 to 10.0.246.33/0
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef43f1e60, priority=13, domain=permit, deny=false
hits=829750, user_data=0x7f5ee8240b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static OCICMTAALL OCICMTAALL destination static CMTALVILLEA CMTALVILLEA no-proxy-arp route-lookup
Additional Information:
Static translate 10.107.0.3/0 to 10.107.0.3/0
Forward Flow based lookup yields rule:
in id=0x7f5ef5218ec0, priority=6, domain=nat, deny=false
hits=1190, user_data=0x7f5ef520de60, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.107.0.0, mask=255.255.192.0, port=0, tag=any
dst ip/id=10.0.246.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef2bf0790, priority=0, domain=nat-per-session, deny=true
hits=1640604, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef417d790, priority=0, domain=inspect-ip-options, deny=true
hits=1117666, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description Internet
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef50b51b0, priority=70, domain=inspect-icmp, deny=false
hits=63017, user_data=0x7f5ef50b4cd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef417cfa0, priority=66, domain=inspect-icmp-error, deny=false
hits=63017, user_data=0x7f5ef417cc30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5ef37a9190, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=1508343, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f5ef520c8f0, priority=70, domain=encrypt, deny=false
hits=1190, user_data=0x0, cs_id=0x7f5ef5176be0, reverse, flags=0x0, protocol=0
src ip/id=10.107.0.0, mask=255.255.192.0, port=0, tag=any
dst ip/id=10.0.246.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
My NAT:
nat (inside,outside) source static OCICMTAALL OCICMTAALL destination static CMTALVILLEA CMTALVILLEA no-proxy-arp route-lookup
crypto map OCIMAP 1 match address outside_cryptomap_1
crypto map OCIMAP 1 set peer 1.2.3.4
crypto map OCIMAP 1 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map OCIMAP 1 set nat-t-disable
The crypto map contains both networks, 192.168.0.0/24 and 10.0.246.0/24.
My network is 10.107.0.0/18.
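As an added example (not from this thread or from Cisco), a small Python parser that splits packet-tracer detail output like the one above into phases and reports the first DROP phase with its ASP rule domain and the Drop-reason line. The embedded sample is constructed and abbreviated from the output in the post.

```python
import re

# Constructed sample, abbreviated from packet-tracer detail output (only the fields used here).
SAMPLE = """\
Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
in id=0x7f5ef37a9190, priority=13, domain=ipsec-tunnel-flow, deny=true
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
out id=0x7f5ef520c8f0, priority=70, domain=encrypt, deny=false
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """One dict per 'Phase: N' block: type, subtype, result and the ASP rule domain (or '')."""
    phases, cur = [], None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Phase" and val.isdigit():
            cur = {"phase": int(val), "type": "", "subtype": "", "result": "", "domain": ""}
            phases.append(cur)
        elif cur is None:
            continue                      # text before the first phase
        elif key in ("Type", "Subtype"):
            cur[key.lower()] = val
        elif key == "Result" and not cur["result"]:
            cur["result"] = val           # the trailing summary 'Result:' is ignored
        else:
            m = re.search(r"\bdomain=([\w-]+)", line)
            if m:
                cur["domain"] = m.group(1)
    return phases

def first_drop(text):
    """Return (phase dict or None, drop reason string) for the first phase whose Result is DROP."""
    m = re.search(r"^Drop-reason:\s*(.+)$", text, re.M)
    reason = m.group(1).strip() if m else ""
    for p in parse_phases(text):
        if p["result"] == "DROP":
            return p, reason
    return None, reason
```

Paste the full packet-tracer output in place of SAMPLE; the domain of the dropping phase (here encrypt) tells you which ASP table to look at next.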
11-14-2023 08:50 AM
show asp table vpn
Share the output.
11-14-2023 08:54 AM
That command does not appear to exist on my firewall (ASA5545).
However, sh asp table vpn-context does:
sh asp table vpn-context
VPN CTX=0x0273466C, Ptr=0xF5172FF0, DECR+ESP, UP, pk=0000000021, rk=0000000000, gc=0
VPN CTX=0x027326AC, Ptr=0xF5220D40, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN CTX=0x02731254, Ptr=0xF7A84DC0, DECR+ESP, UP, pk=0000008609, rk=0000000000, gc=603
VPN CTX=0x0272F134, Ptr=0xF6997AD0, ENCR+ESP, UP, pk=0000017778, rk=0000000000, gc=602
VPN CTX=0x01590B94, Ptr=0xF432A9C0, DECR+ESP, UP, pk=0000319631, rk=0000000000, gc=190
VPN CTX=0x0158E774, Ptr=0xF60DC710, ENCR+ESP, UP, pk=0000375390, rk=0000000000, gc=189
VPN CTX=0x002ED27C, Ptr=0xF3C393E0, DECR+ESP, UP, pk=0000000107, rk=0000000000, gc=1
VPN CTX=0x002EB8FC, Ptr=0xF58DF3B0, ENCR+ESP, UP, pk=0000000153, rk=0000000000, gc=1
VPN CTX=0x002E9BE4, Ptr=0xF37B49A0, DECR+ESP, UP, pk=0000000156, rk=0000000000, gc=1
VPN CTX=0x002E6704, Ptr=0xF4BCC660, ENCR+ESP, UP, pk=0000000107, rk=0000000000, gc=1
VPN CTX=0x001ACCFC, Ptr=0xF4807CF0, DECR+ESP, UP, pk=0000513803, rk=0000000000, gc=252
VPN CTX=0x001AAD7C, Ptr=0xF5223320, ENCR+ESP, UP, pk=0000734302, rk=0000000000, gc=253
VPN CTX=0x00198984, Ptr=0xF4BCD620, DECR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN CTX=0x00196724, Ptr=0xF64E5E50, ENCR+ESP, UP, pk=0000000177, rk=0000000000, gc=0
VPN CTX=0x00191394, Ptr=0xF4A30240, DECR+ESP, UP, pk=0000000129, rk=0000000000, gc=0
VPN CTX=0x0018EF74, Ptr=0xF60C0400, ENCR+ESP, UP, pk=0000000000, rk=0000000000, gc=0
VPN CTX=0x0018C13C, Ptr=0xF5216EF0, DECR+ESP, UP, pk=0000869677, rk=0000000000, gc=130
VPN CTX=0x0018AABC, Ptr=0xF51794D0, ENCR+ESP, UP, pk=0001164899, rk=0000000000, gc=129
VPN CTX=0x000A8464, Ptr=0xF5EE8BF0, DECR+ESP, UP, pk=0000000751, rk=0000000002, gc=0
VPN CTX=0x000A6184, Ptr=0xF5217080, ENCR+ESP, UP, pk=0000000796, rk=0000000002, gc=0
VPN CTX=0x000806B4, Ptr=0xF56E8060, DECR+ESP, UP, pk=0000174523, rk=0000000002, gc=12
VPN CTX=0x0007FB14, Ptr=0xF521A760, ENCR+ESP, UP, pk=0000170037, rk=0000000002, gc=11
VPN CTX=0x000753EC, Ptr=0xF5187D80, DECR+ESP, UP, pk=0001034832, rk=0000000002, gc=76
VPN CTX=0x00073A2C, Ptr=0xF5218060, ENCR+ESP, UP, pk=0001282912, rk=0000000002, gc=75
VPN CTX=0x000703D4, Ptr=0xF5200940, DECR+ESP, UP, pk=0000030443, rk=0000000002, gc=6
VPN CTX=0x0006F8B4, Ptr=0xF52372F0, ENCR+ESP, UP, pk=0000018834, rk=0000000002, gc=5
VPN CTX=0x000688E4, Ptr=0xF5184C20, DECR+ESP, UP, pk=0000800238, rk=0000000002, gc=112
VPN CTX=0x00066804, Ptr=0xF5EF07A0, ENCR+ESP, UP, pk=0000753036, rk=0000000002, gc=111
I do have multiple tunnels set up on this already.
11-14-2023 08:58 AM
sh asp table vpn-context detail
Check how many SPIs you have for this peer.
There must be only two.
11-14-2023 09:12 AM
From the Cisco doc:
"The ASA does not support IKEv2 multiple security associations (SAs). The ASA currently accepts inbound IPsec traffic only on the first SA that is found. If IPsec traffic is received on any other SA, it is dropped with reason vpn-overlap-conflict."
Change it to ikev1 and I think it will work.
11-14-2023 09:15 AM
Oh wow, it's so strange because I used to have it set up working fine with other sites using multiple subnets like 192.168.9.0/24 and 192.168.0.0/24 for remote networks.
11-14-2023 09:37 AM
IKEv2 with multiple remote LANs (multiple SAs) per peer does not work.
Try changing to IKEv1 and check.
MHM
11-14-2023 01:01 PM
You can have multiple traffic selectors (src/dst subnets/networks) in the crypto ACL that defines the interesting traffic when using IKEv2.
Please provide some debug information of when it does not work.
11-14-2023 01:39 PM
Both say it works and I say it does not.
Then surely I must check again.
OK.
Run packet-tracer detail twice and share it here.
11-14-2023 01:05 PM
I do have multiple crypto ACLs for the different tunnels. However, here is my debug when I try to ping 10.0.246.33 from 10.107.0.3.
debug crypto ipsec yields this:
Ciscoasa(config)# Rule Lookup for local 10.107.0.0 to remote 10.0.246.0
PROXY MATCH on crypto map OCIMAP seq 1
Rule Lookup for local 10.107.0.0 to remote 10.0.246.0
PROXY MATCH on crypto map OCIMAP seq 1
Rule Lookup for local 10.107.0.0 to remote 192.168.0.0
PROXY MATCH on crypto map OCIMAP seq 1
Rule Lookup for local 10.107.0.0 to remote 192.168.0.0
11-15-2023 02:55 AM
clear crypto ipsec sa inactive <<- use this command and check again; hope it solves your issue. It can be that the SPI max limit is reached and you need to clear inactive SPIs to make the ASA accept a new one.
If it does not work I need to see packet-tracer detail.
MHM
11-18-2023 10:01 PM
Please attempt to verify if PFS is set up on the other end of the tunnel. PFS mismatch is one potential reason for this type of behaviour.