Ipsec tunnel s2s is UP but no route

NicolasBou
Level 1

Hello All,

 

I set up an IPsec s2s tunnel between one ASA 5510 and an RV320.

The s2s is connected on both ends, but it's not possible to ping a server on the other side.

The tunnel was working well for two days, but now, even after a re-creation, it's still not working.

 

I created the exact same tunnel from an ASA 5510 (in a different location) with the same RV320 and the tunnel is working well.

 

From the first ASA 5510 I checked the packet flow with the packet-tracer tool and all is good (route OK, NAT-exempt OK...).

On the RV320 the route and NAT rules are created, but no ping....

 

I'm stuck here and I'm running out of ideas to investigate....

 

Any help will be appreciated,

Thanks upfront

 

N.B


5 Replies

Bogdan Nita
VIP Alumni

Hi Nicolas,

 

The tunnel is coming up and packets are being sent from the ASA to the RV, but no packets are being returned.

This usually indicates a routing or NAT problem on the RV.

The tunnel with the other ASA is working, so I would focus on whether there is a difference on the RV between the working tunnel and the non-working tunnel, more specifically on the routing and NAT.

 

HTH

Bogdan

Hello Bogdan,

 

Thanks for your answer, I appreciate it.

I already compared both configurations and they are exactly the same.

I checked the log on the RV320 and all sounds good as well:

 

VPN Log    | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
VPN Log    [g2gips0] #381: [Tunnel Established] ISAKMP SA established
VPN Log    [g2gips0]: cmd=up-client peer=159.xx.xx.102 peer_client=172.xx.xx.0/24 peer_client_net=172.xx.xx.0 peer_client_mask=255.255.255.0
VPN Log    ip route add 172.xx.xx.0/24 via 193.253.160.3 dev ppp1 metric 35
VPN Log    iptables -t nat -I vpn -s 192.xx.xx.0/24 -d 172.xx.xx.0/24 -j ACCEPT
VPN Log    iptables -t nat -I vpn -s 172.xx.xx.0/24 -d 192.xx.xx.0/24 -j ACCEPT
VPN Log    iptables -t nat -I vpn_postrouting -s 192.xx.xx.0/24 -d 172.xx.xx.0/24 -j ACCEPT
VPN Log    iptables -t nat -I vpn_postrouting -o eth0 -s 172.xx.xx.0/24 -d 192.xx.xx.0/24 -j ACCEPT
VPN Log    [g2gips0] #382: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x05bf8295 < 0xcefe1a98}

 

I just activated NAT traversal and the tunnel worked for 5 minutes and..... stopped working....
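As an added illustration (not part of the thread or of any Cisco tool), the check below parses RV320-style "VPN Log" lines like the ones quoted above and verifies that the installed route and the NAT-exempt ACCEPT rules in both chains match the remote subnet negotiated in the cmd=up-client line, which is the routing/NAT consistency Bogdan suggested comparing. The log text is constructed with placeholder addresses, and the local subnet is passed in as an assumption.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the RV320 "VPN Log" lines quoted in the
# thread; addresses are documentation ranges, not real peers.
SAMPLE_LOG = """\
VPN Log    [g2gips0]: cmd=up-client peer=198.51.100.2 peer_client=172.16.10.0/24 peer_client_net=172.16.10.0 peer_client_mask=255.255.255.0
VPN Log    ip route add 172.16.10.0/24 via 203.0.113.3 dev ppp1 metric 35
VPN Log    iptables -t nat -I vpn -s 192.168.1.0/24 -d 172.16.10.0/24 -j ACCEPT
VPN Log    iptables -t nat -I vpn -s 172.16.10.0/24 -d 192.168.1.0/24 -j ACCEPT
VPN Log    iptables -t nat -I vpn_postrouting -s 192.168.1.0/24 -d 172.16.10.0/24 -j ACCEPT
VPN Log    iptables -t nat -I vpn_postrouting -o eth0 -s 172.16.10.0/24 -d 192.168.1.0/24 -j ACCEPT
VPN Log    [g2gips0] #382: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x05bf8295 < 0xcefe1a98}
"""

def check_vpn_log(log: str, local_net: str) -> list:
    """Return a list of findings; an empty list means the route and the
    NAT-exempt rules agree with the remote subnet negotiated in Phase 2.
    local_net is the RV's own LAN (an assumption supplied by the caller)."""
    local = ip_network(local_net)
    remote = None
    routes = []
    nat_pairs = set()  # (chain, src, dst) for every ACCEPT rule seen
    for line in log.splitlines():
        m = re.search(r"cmd=up-client .*?peer_client=(\S+)", line)
        if m:
            remote = ip_network(m.group(1))
        m = re.search(r"ip route add (\S+) via", line)
        if m:
            routes.append(ip_network(m.group(1)))
        # "-o eth0" may sit between the chain name and -s, hence the lazy .*?
        m = re.search(r"iptables -t nat -I (\S+) .*?-s (\S+) -d (\S+) -j ACCEPT", line)
        if m:
            nat_pairs.add((m.group(1), ip_network(m.group(2)), ip_network(m.group(3))))
    if remote is None:
        return ["no cmd=up-client line: Phase 2 never reported the remote subnet"]
    findings = []
    if remote not in routes:
        findings.append(f"no 'ip route add {remote}' seen")
    for chain in ("vpn", "vpn_postrouting"):
        if (chain, local, remote) not in nat_pairs:
            findings.append(f"{chain}: missing ACCEPT {local} -> {remote}")
        if (chain, remote, local) not in nat_pairs:
            findings.append(f"{chain}: missing ACCEPT {remote} -> {local}")
    return findings

if __name__ == "__main__":
    print(check_vpn_log(SAMPLE_LOG, "192.168.1.0/24") or "route and NAT rules consistent")
```

Feed it the real log and the RV's LAN prefix; any finding points at the line the RV did not install, which is the difference to look for between the working and non-working tunnel.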

I can't see how NAT-T comes into play in your situation; Phase 2 should not come up if you have a NAT between the peers and NAT-T disabled.

Do you have a log of why the VPN tunnel broke down?

Who is initiating the VPN tunnel? Did you try to initiate from the other side as well?

I am not sure if you can, but it would be interesting to see the VPN packet hit counts on the RV.

I don't have any log of why the tunnel broke because it is up on both sides.

I initiated the connection from the RV320 and from the ASA; each time the tunnel is UP but there is no traffic...

 

I don't have a lot of options on the RV320; I can see the whole packet traffic for a port, but I can't specify the traffic from the VPN.

The only way to solve the problem was to delete the VPN configuration on both endpoints, restart the RV320 and recreate the tunnel.

Now, all is good.