IPSec site to site VPN issue on ASA 5510

Hi,

I am Pushpendra, Network Engineer from CRIS, New Delhi, India. I have created a site-to-site IPsec VPN and I observed that both phases (Phase 1 & 2) are being completed but no traffic is flowing over the tunnel. Error messages are given below:

3|Dec 02 2010|11:39:43|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:39:37|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:39:32|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:39:26|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
6|Dec 02 2010|11:39:24|302013|172.20.55.15|1874|203.176.112.33|3200|Built inbound TCP connection 397350 for VPN:172.20.55.15/1874 (172.20.55.15/1874) to VPN:203.176.112.33/3200 (203.176.112.33/3200)
6|Dec 02 2010|11:39:17|302014|172.28.27.50|3643|203.176.112.33|3300|Teardown TCP connection 397264 for VPN:172.28.27.50/3643 to VPN:203.176.112.33/3300 duration 0:02:45 bytes 93395 TCP FINs
3|Dec 02 2010|11:39:15|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:39:10|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:39:04|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
6|Dec 02 2010|11:39:01|106015|203.176.112.33|3300|172.28.27.50|3005|Deny TCP (no connection) from 203.176.112.33/3300 to 172.28.27.50/3005 flags PSH ACK  on interface VPN
3|Dec 02 2010|11:38:59|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:38:54|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
5|Dec 02 2010|11:38:54|713201|||||Group = 203.199.54.243, IP = 203.199.54.243, Duplicate Phase 2 packet detected.  Retransmitting last packet.
5|Dec 02 2010|11:38:54|713201|||||Group = 203.199.54.243, IP = 203.199.54.243, Duplicate Phase 2 packet detected.  Retransmitting last packet.
5|Dec 02 2010|11:38:54|713120|||||Group = 203.199.54.243, IP = 203.199.54.243, PHASE 2 COMPLETED (msgid=5c1b382b)
6|Dec 02 2010|11:38:54|602303|||||IPSEC: An inbound LAN-to-LAN SA (SPI= 0x93B2EC80) between 203.176.112.6 and 203.199.54.243 (user= 203.199.54.243) has been created.
5|Dec 02 2010|11:38:54|713049|||||Group = 203.199.54.243, IP = 203.199.54.243, Security negotiation complete for LAN-to-LAN Group (203.199.54.243)  Responder, Inbound SPI = 0x93b2ec80, Outbound SPI = 0x6ebe677b
6|Dec 02 2010|11:38:54|602303|||||IPSEC: An outbound LAN-to-LAN SA (SPI= 0x6EBE677B) between 203.176.112.6 and 203.199.54.243 (user= 203.199.54.243) has been created.
3|Dec 02 2010|11:38:54|713122|||||IP = 203.199.54.243, Keep-alives configured on but peer does not support keep-alives (type = None)
5|Dec 02 2010|11:38:54|713119|||||Group = 203.199.54.243, IP = 203.199.54.243, PHASE 1 COMPLETED
6|Dec 02 2010|11:38:54|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 203.199.54.243
6|Dec 02 2010|11:38:54|302015|203.199.54.243|500|203.176.112.6|500|Built inbound UDP connection 397314 for VPN:203.199.54.243/500 (203.199.54.243/500) to identity:203.176.112.6/500 (203.176.112.6/500)

ASA configuration is also given below

ASA Version 8.2(1)
!
hostname CRISFW
names
name 172.29.65.0 LnT-MAS description LnT-MAS
name 172.17.173.0 LnT-VASHI description LnT-VASHI
name 10.64.10.0 TeleMGMT description 10.64.10.0
!
interface Ethernet0/0
no nameif
no security-level
no ip address
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif VPN
security-level 0
ip address 203.176.112.6 255.255.255.192 standby 203.176.112.7
!
interface Ethernet0/3
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
clock timezone IST 5 30
dns domain-lookup VPN
dns domain-lookup management
same-security-traffic permit intra-interface
object-group service test
description test
service-object tcp eq ftp
service-object tcp eq ftp-data
service-object tcp eq www
service-object tcp eq https
service-object tcp eq smtp
service-object tcp eq sqlnet
service-object tcp eq ssh
service-object tcp eq telnet
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list 101 extended permit ip 203.176.112.16 255.255.255.240 10.136.235.64 255.255.255.224
access-list 101 extended permit ip 203.176.112.16 255.255.255.240 10.152.117.16 255.255.255.240
access-list 101 extended permit ip 203.176.112.16 255.255.255.240 10.118.204.112 255.255.255.240
access-list 101 extended permit ip 203.176.112.16 255.255.255.240 10.66.164.160 255.255.255.240
access-list Acl_cris extended permit ip any 203.176.112.0 255.255.255.192
access-list 102 extended permit ip 203.176.112.32 255.255.255.248 172.20.55.0 255.255.255.0
access-list 103 extended permit ip 203.176.112.32 255.255.255.248 172.28.27.32 255.255.255.224
access-list 104 extended permit ip 203.176.112.32 255.255.255.248 172.25.66.0 255.255.255.0
access-list management_nat0_outbound extended permit ip any 203.123.123.0 255.255.255.240
access-list management_nat0_outbound extended permit ip any 192.168.22.0 255.255.255.224
access-list 110 extended permit ip any any
access-list 105 extended permit ip 203.176.112.32 255.255.255.248 LnT-MAS 255.255.255.0
access-list 106 extended permit ip 203.176.112.32 255.255.255.248 LnT-VASHI 255.255.255.0
access-list VPN_access_in extended permit ip any 203.176.112.32 255.255.255.248
pager lines 24
logging enable
logging asdm informational
logging host VPN 172.16.4.243
logging permit-hostdown
mtu VPN 1500
mtu management 1500
ip local pool test 203.123.123.1-203.123.123.10 mask 255.255.255.0
ip local pool IPSecVPN 192.168.22.10-192.168.22.30 mask 255.255.255.0
failover
failover lan unit primary
failover lan interface failoverport Ethernet0/3
failover link failoverport Ethernet0/3
failover interface ip failoverport 10.1.1.1 255.255.255.0 standby 10.1.1.2
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (management) 0 access-list management_nat0_outbound
access-group VPN_access_in in interface VPN
route VPN 0.0.0.0 0.0.0.0 203.176.112.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 203.0.0.0 255.0.0.0 VPN
http 172.16.4.243 255.255.255.255 VPN
http 172.16.4.249 255.255.255.255 VPN
http TeleMGMT 255.255.255.0 VPN
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set CRISSET esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set FMMSET esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map FMMMAP 1 match address 104
crypto map FMMMAP 1 set peer 203.199.54.243
crypto map FMMMAP 1 set transform-set FMMSET
crypto map FMMMAP 20 match address 102
crypto map FMMMAP 20 set peer 202.54.41.59
crypto map FMMMAP 20 set transform-set FMMSET
crypto map FMMMAP 30 match address 103
crypto map FMMMAP 30 set peer 61.95.164.170
crypto map FMMMAP 30 set transform-set FMMSET
crypto map FMMMAP 40 match address 101
crypto map FMMMAP 40 set peer 122.98.54.80
crypto map FMMMAP 40 set transform-set CRISSET
crypto map FMMMAP 50 match address 105
crypto map FMMMAP 50 set peer 202.54.134.241
crypto map FMMMAP 50 set transform-set FMMSET
crypto map FMMMAP 60 match address 106
crypto map FMMMAP 60 set peer 203.199.118.251
crypto map FMMMAP 60 set transform-set FMMSET
crypto map FMMMAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map FMMMAP interface VPN
crypto map management_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map management_map interface management
crypto isakmp enable VPN
crypto isakmp enable management
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 10.64.10.88 255.255.255.255 VPN
telnet 192.168.1.15 255.255.255.255 management
telnet timeout 5
ssh 172.16.4.243 255.255.255.255 VPN
ssh 172.16.4.249 255.255.255.255 VPN
ssh TeleMGMT 255.255.255.0 VPN
ssh timeout 5
console timeout 0
management-access VPN
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
port 10443
enable VPN
dtls port 10444
port-forward list1 telnet 192.168.1.1 telnet mgt port ip
internal-password enable
group-policy test internal
group-policy test attributes
vpn-tunnel-protocol IPSec
group-policy DfltGrpPolicy attributes
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
username cris password 6R5LoXC6rX/SbtgE encrypted
username pragya password Nz3P8VRaRWVH2rhi encrypted privilege 15
username user5 password Iuf94xq.eIobpWIj encrypted privilege 15
username user4 password iCO1esaWA4hW04A5 encrypted privilege 15
username user7 password V1W1NNWs7vjG2kFn encrypted privilege 15
username user6 password L4o55tMFd06gve3t encrypted privilege 15
username user1 password ALLIXd+9jMgWAtb8c0DrCw== nt-encrypted privilege 15
username user10 password iGvKiQr8P2zjB.n3 encrypted privilege 15
username user3 password cmIVqIrgboX9/Nz/ encrypted privilege 15
username user2 password G1SInyx0A0./Dx3t encrypted privilege 15
username user9 password gCsgc4orB3qK7UmB encrypted privilege 15
username user8 password s2mP4kUIl61CkdiG encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted
username icms password h7/yfer7P7pkINdJ encrypted privilege 0
username icms attributes
vpn-group-policy test
tunnel-group VPNCONNECTIONPROFILE type remote-access
tunnel-group 122.98.54.80 type ipsec-l2l
tunnel-group 122.98.54.80 ipsec-attributes
pre-shared-key *
tunnel-group 202.54.41.59 type ipsec-l2l
tunnel-group 202.54.41.59 ipsec-attributes
pre-shared-key *
tunnel-group 61.95.164.170 type ipsec-l2l
tunnel-group 61.95.164.170 ipsec-attributes
pre-shared-key *
tunnel-group test type remote-access
tunnel-group test general-attributes
address-pool test
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group 203.199.54.243 type ipsec-l2l
tunnel-group 203.199.54.243 ipsec-attributes
pre-shared-key *
tunnel-group 202.54.134.241 type ipsec-l2l
tunnel-group 202.54.134.241 ipsec-attributes
pre-shared-key *
tunnel-group 203.199.118.251 type ipsec-l2l
tunnel-group 203.199.118.251 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a36a8197e6d20b5660c2eb25e2c59ba3

Details of the tunnel that is not working are given below:

Local peer: 203.176.112.6           Remote peer: 203.199.54.243

Local network: 203.176.112.32/29    Remote network: 172.25.66.0/24


Hi,

The other tunnels are working fine?

I don't see a NAT0 ACL for this traffic that you specify.

Federico.

No NAT0 ACL is configured for the other sites either.

You can see extended ACLs 101, 102 and 103, which are working fine. Then why is 104 not working?
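The logs in the opening post and the question above (why entry 104 behaves differently from 101, 102 and 103) come down to the same two checks: which crypto map entry a given flow actually hits, and whether the denies on the VPN interface line up with a peer whose Phase 2 has completed. The script below is an added example, not code from this thread or from Cisco. It reads a transcribed subset of the config and log lines from the post, assumes the pipe-delimited export format exactly as pasted (severity|date|time|message-id|src|sport|dst|dport|text), and only understands network/mask ACEs (no `any`, `host` or named objects such as LnT-MAS).

```python
"""Added example (not code from the thread or from Cisco): evaluate the ASA crypto map
for a flow the way the box does (lowest sequence number whose ACL matches wins), and
correlate the pipe-delimited syslog export from the post with that map, per L2L peer."""
import ipaddress
import re
from collections import defaultdict

# Transcribed from the running-config in the post; network/mask ACEs only, no objects/any/host.
CONFIG = """\
access-list 102 extended permit ip 203.176.112.32 255.255.255.248 172.20.55.0 255.255.255.0
access-list 103 extended permit ip 203.176.112.32 255.255.255.248 172.28.27.32 255.255.255.224
access-list 104 extended permit ip 203.176.112.32 255.255.255.248 172.25.66.0 255.255.255.0
crypto map FMMMAP 1 match address 104
crypto map FMMMAP 1 set peer 203.199.54.243
crypto map FMMMAP 20 match address 102
crypto map FMMMAP 20 set peer 202.54.41.59
crypto map FMMMAP 30 match address 103
crypto map FMMMAP 30 set peer 61.95.164.170
"""

# Subset of the syslog lines from the post: sev|date|time|msgid|src|sport|dst|dport|text.
LOG = """\
3|Dec 02 2010|11:39:43|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
3|Dec 02 2010|11:39:37|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
6|Dec 02 2010|11:39:24|302013|172.20.55.15|1874|203.176.112.33|3200|Built inbound TCP connection 397350 for VPN:172.20.55.15/1874 (172.20.55.15/1874) to VPN:203.176.112.33/3200 (203.176.112.33/3200)
6|Dec 02 2010|11:39:01|106015|203.176.112.33|3300|172.28.27.50|3005|Deny TCP (no connection) from 203.176.112.33/3300 to 172.28.27.50/3005 flags PSH ACK  on interface VPN
3|Dec 02 2010|11:38:59|106014|172.25.66.10||203.176.112.33||Deny inbound icmp src VPN:172.25.66.10 dst VPN:203.176.112.33 (type 8, code 0)
5|Dec 02 2010|11:38:54|713120|||||Group = 203.199.54.243, IP = 203.199.54.243, PHASE 2 COMPLETED (msgid=5c1b382b)
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map \S+ (\d+) (match address|set peer) (\S+)$")
PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")


def parse_config(text):
    """Crypto-map entries in sequence order: [(seq, peer, [(proto, src_net, dst_net), ...])]."""
    acls, entries = defaultdict(list), {}
    for line in text.splitlines():
        if m := ACL_RE.match(line):
            name, proto, src, smask, dst, dmask = m.groups()
            acls[name].append((proto, ipaddress.ip_network(f"{src}/{smask}"),
                               ipaddress.ip_network(f"{dst}/{dmask}")))
        elif m := MAP_RE.match(line):
            seq, key, val = m.groups()
            e = entries.setdefault(int(seq), {"acl": None, "peer": None})
            e["acl" if key == "match address" else "peer"] = val
    return [(seq, e["peer"], acls[e["acl"]]) for seq, e in sorted(entries.items())]


def match_crypto_map(entries, src, dst):
    """(seq, peer) of the first entry whose ACL permits src->dst, or None (not interesting traffic)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, peer, aces in entries:
        if any(s in snet and d in dnet for _proto, snet, dnet in aces):
            return seq, peer
    return None


def mirror_aces(entries, seq):
    """ACEs the remote peer must carry for entry `seq`: the local ACL with src/dst swapped."""
    aces = next(a for sq, _peer, a in entries if sq == seq)
    return [f"permit {p} {d.network_address} {d.netmask} {s.network_address} {s.netmask}"
            for p, s, d in aces]


def parse_log(text):
    """Split the export into dicts; ISAKMP lines (713xxx) carry no src/dst, only text."""
    rows = []
    for line in text.splitlines():
        f = line.split("|", 8)
        if len(f) == 9:
            rows.append({"id": f[3], "src": f[4], "dst": f[6], "msg": f[8]})
    return rows


def triage(entries, rows):
    """Per peer: Phase 2 completions vs. denies (106014 inbound ICMP, 106015 TCP no connection)."""
    report = {}
    for r in rows:
        if r["id"] == "713120":
            peer = PEER_RE.search(r["msg"]).group(1)
            report.setdefault(peer, {"phase2": 0, "denied": 0, "flows": set()})["phase2"] += 1
        elif r["id"] in ("106014", "106015") and r["src"] and r["dst"]:
            # Crypto ACLs are written local->remote; the log may show either direction.
            hit = match_crypto_map(entries, r["src"], r["dst"]) or match_crypto_map(entries, r["dst"], r["src"])
            if hit:
                p = report.setdefault(hit[1], {"phase2": 0, "denied": 0, "flows": set()})
                p["denied"] += 1
                p["flows"].add((r["src"], r["dst"]))
    return report


def suspicious(report):
    """Peers whose SA negotiated while packets in their protected range were still being denied."""
    return sorted(p for p, v in report.items() if v["phase2"] and v["denied"])


if __name__ == "__main__":
    ent = parse_config(CONFIG)
    print("203.176.112.33 -> 172.25.66.10 hits", match_crypto_map(ent, "203.176.112.33", "172.25.66.10"))
    print("remote side of seq 1 needs", mirror_aces(ent, 1))
    rep = triage(ent, parse_log(LOG))
    for peer in suspicious(rep):
        print(f"{peer}: Phase 2 completed, {rep[peer]['denied']} packets denied, flows {sorted(rep[peer]['flows'])}")
```

Run against the lines above it confirms that 203.176.112.33 <-> 172.25.66.10 is interesting traffic for sequence 1 (peer 203.199.54.243, ACL 104), prints the mirror ACE the remote side has to carry, and flags that peer as the one whose Phase 2 completed while its packets were still being denied. On the box itself the equivalent checks are `show crypto ipsec sa peer 203.199.54.243` (the #pkts encaps/decaps counters separate "never encrypted" from "decrypted and then dropped"), `show access-list 104` for hit counts, and `show logging | include 106014`.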

rahgovin

Who has the 203.176.112.33 ip address? It does not seem to be there anywhere in the ASA config. Is it something ahead of the ASA?

203.176.112.33 is the IP address of a local server placed ahead of the ASA.

Do the other vpn tunnels which work fine also access the same server?

Hi,

The other tunnels are working fine and access the same server. I found two bugs, CSCtb53186 & CSCtd36473, which cause the problem of "Traffic not being encrypted". I have reloaded the ASA and now all tunnels are working fine. Thanks.