Deny tcp (no connection) on every request over the tunnel

r.schoettler
Level 1

Hello,

I am a newbie and have a problem with an IPsec tunnel. The tunnel works, but every request over the tunnel ends with the following log entry:

Deny tcp (noconnection) from 192.168.158.11  to 192.168.20.23 RTS/ACK Flag

I found nothing that could help me.

At the moment it is a test environment.

I hope somebody can help me.

Thanks,

Ruediger

My Configuration:

: Saved
:
ASA Version 8.3(2)
!
hostname sitCisco
domain-name cisco.sit-pay.invalid
enable password z6/uZEap66NwHNcd encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.20.250 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 85.182.131.123 255.255.255.248
!
interface Vlan5
nameif dmz
security-level 50
ip address 192.168.50.250 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
boot config disk0:/startup-config.cfg
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.sit-pay.invalid
object network NETWORK_OBJ_192.168.158.0_24
subnet 192.168.158.0 255.255.255.0
object network NETWORK_OBJ_192.168.20.0_24
subnet 192.168.20.0 255.255.255.0
object-group network obj_any
access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.158.0 255.255.255.0 log debugging
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static NETWORK_OBJ_192.168.20.0_24 NETWORK_OBJ_192.168.20.0_24 destination static NETWORK_OBJ_192.168.158.0_24 NETWORK_OBJ_192.168.158.0_24
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 85.182.131.121 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 193.16.190.81
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd dns 213.191.74.12 interface inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
tunnel-group 193.16.190.81 type ipsec-l2l
tunnel-group 193.16.190.81 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:97c1605e61711a639e5f1d93746f6f7a
: end

12 Replies

Jennifer Halim
Cisco Employee

That is pretty normal and nothing to be worried about.

When the ASA sees the TCP RST packet, it resets the connection within its connection table straight away, and when the end host responded with the RST-ACK, since ASA has already cleared down the tunnel, you will see the deny TCP as it no longer has the connection.

This is not because of the VPN, this is actually the clear text packet after decryption, and as advised earlier, it is normal.

Thanks for the answer.

But my problem is that the communication doesn't work. I only see this message in the log, and the request doesn't reach my client.

Is there any other problem when I see only this message in the log?

best regards

ruediger

Ah OK, I thought it worked fine but you were seeing those connections.

OK, are you able to change the following statement:

nat (inside,outside) source dynamic any interface

To:

object network obj-192.168.20.0

     subnet 192.168.20.0 255.255.255.0

     nat (inside,outside) dynamic interface

Then "clear xlate" after the change.

I have changed the statement, but nothing changed. The same message is in the log. When I use the packet tracer, it ends with the message: ipsec-spoof; all other entries, like access-list, nat ... are OK.

It is possible that my response doesn't go back over the tunnel and take another way?

Can you please share the output of:

show cry isa sa

show cry ipsec sa

Would like to see where it fails.

Here are the results of the two commands.

thanks for your help.

Result of the command: "show cry isa sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 193.16.190.81
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Result of the command: "show cry ipsec sa"

interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 85.182.131.123

      access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.158.0 255.255.255.0 log debugging
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.158.0/255.255.255.0/0/0)
      current_peer: 193.16.190.81

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 486, #pkts decrypt: 486, #pkts verify: 486
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 85.182.131.123/0, remote crypto endpt.: 193.16.190.81/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 6ED9BBFE
      current inbound spi : 6DAB4D44

    inbound esp sas:
      spi: 0x6DAB4D44 (1839942980)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 139264, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 19079
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x6ED9BBFE (1859763198)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 5, }
         slot: 0, conn_id: 139264, crypto-map: outside_map
         sa timing: remaining key lifetime (sec): 19079
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Seems like the inside host is not responding at all, hence you only see decrypts but no encrypt packet.

Please add the following:

management-access inside

policy-map global_policy

  class inspection_default

     inspect icmp

And test to see if you can ping 192.168.20.250.

Check if the host that you are actually trying to access is allowing inbound access from other subnets. Disable the personal firewall if there is any, and also make sure that the default gateway is configured to be 192.168.20.250.

The inside host can ping 192.168.20.250. There is no personal firewall active on the host.

I have checked the network settings of the host; it allows incoming requests from other subnets (255.255.0.0) and the default gateway is set correctly.

I have tried to reconfigure my inside network so that it also uses the subnet mask 255.255.0.0, but nothing changed.

It looks like the request isn't sent from outside to inside.

What I mean is can you ping across the VPN by trying to ping the ASA inside interface. This is to ensure that it's not a VPN issue.

From 192.168.158.11, please try to ping 192.168.20.250 to see if it works. You can also issue: show cryp ipsec sa, and check if both the encrypts and decrypts packets increase as you ping.

And no, you should not change the mask to 255.255.0.0 as that is incorrect. Your ASA inside interface is 192.168.20.250 with 255.255.255.0 as the mask. What is your inside host ip address and mask that you are trying to access?

Please also try to save the ASA configuration and reload it to see if it makes any difference.
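The advice above is to ping across the tunnel and watch whether both the encrypts and decrypts counters in "show crypto ipsec sa" increase. The following script is an added example, not something posted in this thread: it parses two snapshots of that output, computes the per-SA counter deltas, and states which direction the tunnel is actually carrying. The snapshots are constructed here to mimic the counters posted above (486 decaps, 0 encaps, then 20 more inbound packets); the function and variable names are my own.

```python
"""Diagnose one-way IPsec traffic from two `show crypto ipsec sa` snapshots.

Added example (not from the thread). The snapshots below are constructed to
mimic the counters posted above: decaps rise while encaps stay at zero.
"""
import re

# Constructed sample: the first snapshot copies the numbers from the thread
# (486 decaps, 0 encaps); the second pretends 20 more pings arrived.
SNAPSHOT_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 85.182.131.123

      access-list outside_1_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.158.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.158.0/255.255.255.0/0/0)
      current_peer: 193.16.190.81

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 486, #pkts decrypt: 486, #pkts verify: 486
      #send errors: 0, #recv errors: 0
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace(
    "decaps: 486, #pkts decrypt: 486, #pkts verify: 486",
    "decaps: 506, #pkts decrypt: 506, #pkts verify: 506")

_RE_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
_RE_PEER = re.compile(r"current_peer:\s*(\S+)")
_RE_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_RE_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
_RE_ERR = re.compile(r"#send errors:\s*(\d+), #recv errors:\s*(\d+)")


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry, keyed by (local, remote) proxy identity."""
    entries = {}
    # Every entry starts at 'Crypto map tag:'; split there so several SAs are handled.
    for chunk in re.split(r"(?=Crypto map tag:)", text)[1:]:
        idents = {m.group(1): f"{m.group(2)}/{m.group(3)}" for m in _RE_IDENT.finditer(chunk)}
        if "local" not in idents or "remote" not in idents:
            continue
        err = _RE_ERR.search(chunk)
        entries[(idents["local"], idents["remote"])] = {
            "peer": _RE_PEER.search(chunk).group(1),
            "encaps": int(_RE_ENCAPS.search(chunk).group(1)),
            "decaps": int(_RE_DECAPS.search(chunk).group(1)),
            "send_errors": int(err.group(1)) if err else 0,
            "recv_errors": int(err.group(2)) if err else 0,
        }
    return entries


def diagnose(before, after):
    """Compare two snapshots and say which direction each SA is carrying traffic."""
    verdicts = {}
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    for key, cur in a.items():
        prev = b.get(key, {"encaps": 0, "decaps": 0})
        d_enc = cur["encaps"] - prev["encaps"]
        d_dec = cur["decaps"] - prev["decaps"]
        if d_enc > 0 and d_dec > 0:
            verdict = "two-way"
        elif d_dec > 0:
            # Peer traffic is decrypted but nothing is encrypted back: the reply
            # is lost between the ASA and the inside host, or never enters the crypto map.
            verdict = "inbound-only: decrypting, not encrypting (check inside host / return route)"
        elif d_enc > 0:
            verdict = "outbound-only: encrypting, peer never answers (check far side)"
        else:
            verdict = "idle: no packets in either direction"
        verdicts[key] = {"peer": cur["peer"], "delta_encaps": d_enc,
                         "delta_decaps": d_dec, "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for (local, remote), v in diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{local} <-> {remote} via {v['peer']}: +{v['delta_encaps']} encaps, "
              f"+{v['delta_decaps']} decaps -> {v['verdict']}")
```

Take the first snapshot, run the pings, take the second, and feed both to diagnose(). On the output quoted in this thread it reports inbound-only, which is exactly the "decrypts but no encrypts" reading given above; a two-way verdict while the application still fails would point away from the VPN and at the host or its ACLs instead.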

The change of the subnet mask was only a desperate attempt.

The problem is that the remote network can't ping, and it is not easy to make changes on that site.

But we have found a routing problem on their side. It only sent the RST packets and not the SYN packet. This problem is now fixed and I see the built inbound TCP connection in the log. The connection is closed by timeout.

6 | Mar 24 2011 | 10:57:20 | 192.168.158.10 | 63667 | 192.168.20.23 | 8583 | Teardown TCP connection 18059 for outside:192.168.158.10/63667 to inside:192.168.20.23/8583 duration 0:00:30 bytes 0 SYN Timeout

At the moment the tunnel is only one-way; there is no traffic through the tunnel from my host. The default gateway is set correctly to 192.168.20.250 and the subnet mask is 255.255.0.0.

Yes, you are right. It's one way only at the moment, and the SYN timeout clearly states that. You are not getting SYN-ACK back from the other side.

Do you have an idea why the response doesn't go into the tunnel?

I see the request at the host and it sends the ACK to the gateway, but then the response is lost.
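Two ASA log messages carry the whole story of this thread: the "Deny TCP (no connection) ... RST ACK" line from the first post, which is a late RST for a flow the ASA has already dropped from its connection table, and the "Teardown TCP connection ... bytes 0 SYN Timeout" line, which means the SYN was built into a connection but no SYN-ACK ever came back. The script below is an added example, not from the thread: it sorts syslog lines into those two classes plus normally completed flows, so that a one-way tunnel shows up as a pattern rather than as single lines to eyeball. The log lines are constructed to mirror the ones quoted above in the standard %ASA-<severity>-<id> syslog form (message IDs 302013, 302014 and 106015); the function names are my own.

```python
"""Triage ASA syslog lines for a one-way site-to-site tunnel.

Added example, not part of the thread. SAMPLE_LOG is constructed to mirror the
messages quoted in the posts above (IDs 106015, 302013, 302014).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 18059 for outside:192.168.158.10/63667 (192.168.158.10/63667) to inside:192.168.20.23/8583 (192.168.20.23/8583)
%ASA-6-302014: Teardown TCP connection 18059 for outside:192.168.158.10/63667 to inside:192.168.20.23/8583 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-106015: Deny TCP (no connection) from 192.168.158.11/3389 to 192.168.20.23/52011 flags RST ACK on interface outside
%ASA-6-302013: Built inbound TCP connection 18060 for outside:192.168.158.10/63668 (192.168.158.10/63668) to inside:192.168.20.23/8583 (192.168.20.23/8583)
%ASA-6-302014: Teardown TCP connection 18060 for outside:192.168.158.10/63668 to inside:192.168.20.23/8583 duration 0:02:11 bytes 4410 TCP FINs
"""

_RE_TEARDOWN = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (\d+) for (\w+):([\d.]+)/(\d+) "
    r"to (\w+):([\d.]+)/(\d+) duration (\d+:\d+:\d+) bytes (\d+) (.+)$")
_RE_NOCONN = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from ([\d.]+)/(\d+) "
    r"to ([\d.]+)/(\d+) flags (.+?) on interface (\w+)")


def triage(log_text):
    """Bucket lines as 'one_way' (SYN Timeout with zero bytes: SYN went in, no SYN-ACK
    came back), 'late_rst' (RST/ACK for a connection the ASA no longer tracks, normally
    harmless), 'completed' (data actually flowed) or 'other'."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = _RE_TEARDOWN.search(line)
        if m:
            conn, sif, sip, sport, dif, dip, dport, dur, nbytes, reason = m.groups()
            flow = f"{sif}:{sip}/{sport} -> {dif}:{dip}/{dport} (conn {conn}, {dur})"
            if reason == "SYN Timeout" and int(nbytes) == 0:
                buckets["one_way"].append(flow)
            else:
                buckets["completed"].append(flow)
            continue
        m = _RE_NOCONN.search(line)
        if m:
            sip, sport, dip, dport, flags, iface = m.groups()
            flow = f"{iface}:{sip}/{sport} -> {dip}/{dport} [{flags}]"
            # A bare RST/ACK with no connection entry is the benign case explained above.
            key = "late_rst" if {"RST", "ACK"} <= set(flags.split()) else "other"
            buckets[key].append(flow)
            continue
        # 302013 (Built ...) is paired with its teardown; anything else is kept for review.
        if "302013" not in line and line.strip():
            buckets["other"].append(line.strip())
    return dict(buckets)


def summarize(log_text):
    """One-line verdict on whether the tunnel is carrying replies."""
    b = triage(log_text)
    one_way, done = len(b.get("one_way", [])), len(b.get("completed", []))
    if one_way and not done:
        return "all inbound connections time out in SYN: traffic enters but the reply never returns"
    if one_way:
        return f"{one_way} flow(s) stuck in SYN, {done} completed: partial return-path problem"
    return "no SYN timeouts: tunnel appears bidirectional"


if __name__ == "__main__":
    for bucket, flows in triage(SAMPLE_LOG).items():
        print(bucket, *flows, sep="\n  ")
    print(summarize(SAMPLE_LOG))
```

Feed it "show logging" output or the syslog export. A log made up only of 302013/302014 pairs ending in "SYN Timeout" with zero bytes is the signature of the state described in the last posts: the far side's SYN is decrypted and handed to the inside host, and whatever the host answers never comes back through the crypto map. The late RST/ACK bucket on its own, as explained in the first reply, is not evidence of a fault.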