08-29-2016 07:29 AM - edited 02-21-2020 08:57 PM
Hi,
I have a problem with an IPsec client VPN. The VPN connection itself is successful, but afterwards no connection to the internal network is possible. I simply try to access the assigned DNS server, but with no success. There is no filter in place; we have `sysopt connection permit-vpn` active. The routes are added to the client's routing table correctly. On the client I see encrypted packets, but no decrypted packets. On the firewall, issuing the command `show crypto ipsec sa peer 1.2.3.4` shows no encrypted or decrypted packets.
The only interesting thing I can see in the log is:
7 | Aug 29 2016 | 16:24:41 | 713222 | Group = bla, Username = bla, IP = 1.2.3.4, Static Crypto Map check, map = internet_map, seq = 21, ACL does not match proxy IDs src:10.20.20.3 dst:0.0.0.0 |
What could be the problem? At the moment I really have no idea... Could this problem stem from NAT rules?
Thanks,
Best Regards
Sebastian
08-31-2016 07:23 AM
08-31-2016 02:32 AM
Hi,
some additional information...
1.) I saw that proxy ARP is enabled on all the interfaces on this firewall.
I became aware of this because I was wondering about an unusual behaviour from a client in the internal network 172.18.x.x. When I ran a traceroute or a pathping I didn't see any hops the packets are travelling through... It looks like the destination is directly connected...
Could proxy ARP, enabled on the interfaces, cause problems in relation to this phenomenon?
2.) Then a second point: today I again issued a `sh cry ipsec sa peer 1.2.3.4 det`
With the `det` attached, I can see a little more accurate output:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 8, #pkts invalid sa (rcv): 0
What does this mean? `#pkts no sa (send): 8`
3.) When I'm trying to telnet on a random port from an internal PC (located in the customer network 172.18.x.x) to my PC's remote dial-in address in 10.20.20.x, I see no connection at all in ASDM....
I really don't get it!
08-29-2016 09:49 AM
Hi
It seems to be a NAT issue. The sysopt feature you configured is to bypass ACLs, group-policy, ... but you still need a no-NAT configuration.
On the latest version, the config looks like what JP Miranda Z described in his latest answer.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
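The "no-NAT configuration" this answer refers to is a NAT exemption (identity NAT) between the inside LAN and the remote-access VPN pool, so that a VPN client's packets are not translated and the crypto ACL's proxy IDs still match the real addresses. The following is an added, constructed example and not configuration posted in this thread; it assumes 172.18.0.0/16 for the customer network, 10.20.20.0/24 for the VPN pool, and interfaces named `inside` and `outside`.

```cisco
! ASA 8.3 and later: identity (twice) NAT for inside LAN <-> VPN pool traffic.
! Addresses and interface names are assumptions for this example.
object network INSIDE-LAN
 subnet 172.18.0.0 255.255.0.0
object network VPN-POOL
 subnet 10.20.20.0 255.255.255.0
!
! Sequence number 1 places this rule before any dynamic PAT rule that
! would otherwise translate the inside source address.
! no-proxy-arp: do not answer ARP for these addresses on the interface
!               (relevant to the proxy-ARP observation above).
! route-lookup: pick the egress interface from the routing table, not
!               the NAT rule, so the return path to the VPN pool is correct.
nat (inside,outside) 1 source static INSIDE-LAN INSIDE-LAN destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
!
! Pre-8.3 equivalent (NAT 0 with an ACL), shown for comparison:
! access-list NONAT extended permit ip 172.18.0.0 255.255.0.0 10.20.20.0 255.255.255.0
! nat (inside) 0 access-list NONAT
!
! Verification: simulate an inside host (172.18.1.10, constructed) reaching a VPN
! client (10.20.20.3) on TCP/23 and confirm the NAT phase shows the exemption
! and the packet is allowed through the VPN encryption phase.
! packet-tracer input inside tcp 172.18.1.10 12345 10.20.20.3 23 detailed
!
! After traffic flows, the "#pkts encaps/decaps" counters in
! show crypto ipsec sa peer 1.2.3.4 should increment.
```

If `packet-tracer` still shows a dynamic PAT rule being hit in the NAT phase, the exemption is ordered after that rule and needs a lower sequence number.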