Cisco ASA Site-to-Site VPN fail

Clocktwister
Level 1

Hi All, 

I am trying to set up a VPN connection to our remote office. 

 

All of the config looks like it should work OK, but when testing it doesn't connect. I have run a packet-tracer to troubleshoot. If I send from a generic 10.0.0.0 it seems to work, as it passes through the phases. However, if I use a real IP address it gets stuck on Phase 2 with an error "(acl-drop) Flow is denied by configured rule".

 

Does anyone have any suggestions on how to fix this?

 

Thanks!

R

 

 

------------------------------NOT WORKING------------------------

ASA# packet-tracer input lan1(inside) tcp 10.***.3.50 http 10.***.1.4 http

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN4(outside),LAN1(inside)) source static any any
Additional Information:
NAT divert to egress interface LAN4(outside)
Untranslate 10.***.1.4/80 to 10.***.1.4/80

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LAN1(inside)
input-status: up
input-line-status: up
output-interface: LAN4(outside)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

--------------------LOOKS OK -------------------------------------

 

ASA# packet-tracer input lan1(inside) tcp 10.0.0.0 http 10.***.1.4 http

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN4(outside),LAN1(inside)) source static any any
Additional Information:
NAT divert to egress interface LAN4(outside)
Untranslate 10.***.1.4/80 to 10.***.1.4/80

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group LAN1(inside)_access_in_1 in interface LAN1(inside)
access-list LAN1(inside)_access_in_1 extended permit ip any4 object Lincoln_Subnet
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN4(outside),LAN1(inside)) source static any any
Additional Information:
Static translate 10.0.0.0/80 to 10.0.0.0/80

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN4(outside),LAN1(inside)) source static any any
Additional Information:

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1173, packet dispatched to next module

Result:
input-interface: LAN1(inside)
input-status: up
input-line-status: up
output-interface: LAN4(outside)
output-status: up
output-line-status: up
Action: allow


ASA# show crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 1.234.56.78
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2

There are no IKEv2 SAs

 

10 Replies

Hi,
Do you have a NAT exemption rule to ensure this VPN traffic is not unintentionally NATed?
Can you provide your configuration and the output of "show nat detail" please?

Hi Rob, 

Thanks for the reply! I have sent you the configs in a private message, or would you prefer it on here?

Regards, 

Raf

I've read your PM. The ASA above has NAT configured, so there is no reason why "show nat detail" won't work. Your other ASA does not have NAT configured, so that's unlikely to be where the issue lies.

Which ASA did you run packet-tracer on?
These IP addresses from your output above (10.***.3.50 and 10.***.1.4) look to be the internal IP addresses of the ASAs (though I obviously cannot be sure). However, your packet-tracer output confirms NAT is configured, which is only configured on the ASA called "lin-asa", but its internal IP address is 10.***.1.4, so your packet-tracer was incorrect - the src/dst would need to be swapped.

Regardless, test connectivity by sending traffic through the ASAs, NOT to/from the ASAs' internal/inside interfaces - ping a PC or printer on the other end.

I have run the packet tracer on 3.50, and those 2 IP addresses are our internal ones. What do you think my next steps/commands should be in fixing this issue?

 

It's a bit of an awkward setup, as the 3.50 ASA is trying to replace an old (but still live) Draytec firewall due to poor VoIP quality. I can't really change the 1.4 ASA's config, so it still works with the Draytec if the 3.50 test fails, so we have to adapt the 3.50 config to work with 1.3. Do you think it could be an issue that the 1.3 ASA refuses the connection to 3.50 as it has a different signature/MAC to the Draytec it's normally connected to? Thanks :)

What I am saying is you've run an incorrect packet-tracer:

ASA# packet-tracer input lan1(inside) tcp 10.***.3.50 http 10.***.1.4 http

The output of that packet trace above confirms that NAT took place. NAT is only configured on "lin-asa" - that ASA's internal interface is 10.***.1.4, but you've specified the source as 10.***.3.50. Re-run the correct packet-tracer and also generate real traffic to send through the VPN to a device that isn't the ASA, a PC or printer or something.

Hi Rob, 

 

I have run the below command on both of the ASAs with switched sources; the results are below, with lin-asa running the tracer twice, once when connected to the working Draytec and again when connected to the Cisco ASA replacement.

 

----------------10.***.3.50 ASA connected to 10.***.1.4 (Lin-asa)-------------------


NOXASA# packet-tracer input lan4(outside) tcp 10.***.1.4 http 10.***.3.50 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.***.3.50 255.255.255.255 identity

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.***.3.50 255.255.255.255 identity

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.***.3.50 255.255.255.255 identity

Phase: 5
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.***.3.50 255.255.255.255 identity

Result:
input-interface: LAN4(outside)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

NOXASA# packet-tracer input lan1(inside) tcp 10.***.1.4 http 10.***.3.50 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.***.3.50 255.255.255.255 identity

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LAN1(inside)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

 

NOXASA# packet-tracer input lan1(inside) tcp 10.***.1.4 http 10.***.3.50 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.***.3.50 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LAN1(inside)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

-------------10.***.1.4 ASA (lin-ASA) Connected to working Draytec---------------------

 

lincoln-asa# packet-tracer input outside tcp 10.***.1.4 http 10.***.3.50 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 5.517.96.57 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in remark IP Into NOX
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.0.0.0 255.0.0.0 object NOX_10.***.3.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 44178975, packet dispatched to next module

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

 

-----------10.***.1.4 (lin-ASA) ASA Connected to NEW ASA (Drayrec Replacement)--------------

 

lincoln-asa# packet-tracer input outside tcp 10.***.1.4 http 10.***.3.50 http

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 5.517.96.57 using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in remark IP Into NOX
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 10.0.0.0 255.0.0.0 object NOX_10.***.3.0
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object udp
protocol-object tcp
Additional Information:

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

You've not taken my advice and used other devices to ping rather than the ASA's interfaces... this isn't allowed by design. The only exception to that is if you have the command management-access <interface>: you can then manage an ASA on an interface other than the interface the traffic came in on, from a VPN only. I don't believe you have that command configured. Regardless, troubleshooting should be performed by generating traffic "through" the ASA rather than "to" the ASA.

 

NOXASA# packet-tracer input lan4(outside) tcp 10.***.1.4 http 10.***.3.50 http

Ran that command above, and this output may work.

 

NOXASA# packet-tracer input lan1(inside) tcp 10.***.1.4 http 10.***.3.50 http

10.***.1.4 is not on the inside of NOXASA, is it? NOXASA's inside interface is 10.174.3.50 and Lincoln's internal interface is 10.174.1.4, so I assume those are the IP addresses you've hidden? In which case you need to swap them around (as mentioned previously).

 

lincoln-asa# packet-tracer input outside tcp 10.***.1.4 http 10.***.3.50 http

Correct source interface? input-interface and output-interface are both "outside".
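The two points raised in this thread, a NAT exemption so VPN traffic is not translated and testing with traffic that goes through the ASA rather than to its own interfaces, are shown below as an added ASA configuration example. This is not the poster's configuration or Cisco's reference config: the object names (LOCAL_LAN, REMOTE_LAN, VPN_TO_LINCOLN), the /24 subnets behind each ASA, the interface names inside/outside and the two test hosts ending in .100 are all assumptions chosen to match the addresses visible in the thread.

```cisco
! Added example, not from the original post. Subnets, object names, interface
! names and the .100 test hosts are assumed placeholders.
object network LOCAL_LAN
 subnet 10.174.3.0 255.255.255.0
object network REMOTE_LAN
 subnet 10.174.1.0 255.255.255.0

! Crypto ACL: the "interesting traffic" that should be encrypted
access-list VPN_TO_LINCOLN extended permit ip object LOCAL_LAN object REMOTE_LAN

! NAT exemption (identity twice NAT). Position 1 puts it ahead of any dynamic
! PAT rule so VPN traffic keeps its real addresses and still matches the
! crypto ACL; a catch-all "source static any any" rule would never exempt it.
nat (inside,outside) 1 source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN no-proxy-arp route-lookup

! Check which NAT rule the VPN flow hits and confirm the hit count rises
show nat detail

! Test with through-traffic: a host behind this ASA to a host behind the peer,
! entering on the inside interface. Never use the ASAs' own interface addresses.
packet-tracer input inside tcp 10.174.3.100 12345 10.174.1.100 80 detailed
```

In the trace, a correct result shows a NAT phase quoting the exemption rule followed by VPN phases (ipsec-tunnel-flow, encrypt) and an allow; if the trace instead ends at the implicit-deny ACCESS-LIST phase, the traffic never matched the crypto ACL or the interface ACL, which is exactly the symptom in the original post. Traffic destined for an ASA's own interface address is handled as to-the-box traffic and is only reachable over the VPN when management-access is configured for that interface, so it is not a valid test of the tunnel.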

Sorry, I’ve never used this command before!

Could you send me the exact command I should try on NOX asa and Lincoln asa
when I connect them please? As I thought I did swap them around.

Thanks

Rafal

The IP addresses of the "outside" interfaces on both ASAs are the public IP addresses. So would a correct command to run on NOXASA be something like this?

NOX-asa# packet-tracer input outside tcp NOXpublicIP(from IP) http LincolnpublicIP(toIP) http

 

I have done a few packet tracers today to try to find the issue; do any of them point at a potential issue?

 

NOXASA# packet-tracer input lan4(outside) tcp 10.174.3.50 http 10.174.1.4 http

Result:
input-interface: LAN4(outside)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

 

 

NOXASA# packet-tracer input lan4(outside) tcp 10.174.1.4 http 10.174.3.50 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.174.3.50 255.255.255.255 identity

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.174.3.50 255.255.255.255 identity

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.174.3.50 255.255.255.255 identity

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.174.3.50 255.255.255.255 identity

Result:
input-interface: LAN4(outside)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

 

 

NOXASA# packet-tracer input lan4(outside) tcp 10.174.3.50 http 10.174.1.4 http

Result:
input-interface: LAN4(outside)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

 

 

NOXASA# packet-tracer input lan1(inside) tcp 10.174.3.50 http 10.174.1.4 http

Result:
input-interface: LAN1(inside)
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

 

 

NOXASA# packet-tracer input lan1(inside) tcp 10.174.1.4 http 10.174.3.50 http

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.174.3.50 255.255.255.255 identity

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: LAN1(inside)
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule