
IPSec VPN Tunnel Lan-to-Lan decrypt count zero

El Rondo
Level 1

Hi, 

I have an issue with an IPsec LAN-to-LAN tunnel between an ASA 5525-X (v9.8) and an ASA FPR 2110 (v9.16). My tunnel is up, but pings between the clients are not successful. On both peers, sh cry isakmp sa shows the status as "MM_ACTIVE".
I ran packet-tracer for ICMP between the peers and the result shows ALLOW for every phase, 1 and 2. The command sh cry ipsec sa shows that the encrypt packet count is non-zero but the decrypt count is zero on both peers.

#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

I suspected NAT was the issue, but so far I haven't found the root cause. Hopefully someone who has had this problem can help me fix it.


Yes, I would start with the HQ site, but you can start with the PT site if you want. My plan is to go step by step and try to locate where the issue is before we go through broad troubleshooting.

Your firewall configurations are solid. I think the issue is with the routing. In your provided output:

#pkts encaps: 80, #pkts encrypt: 80, #pkts digest: 80
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

The firewall is able to encapsulate and send the traffic to the other end. However, this same firewall is not receiving any traffic from the other firewall; this is why your decaps are showing zero.

You need to define a static route to fix the issue.

Please do not forget to rate.

Static routes were already in the config:

SITE HQ

route WAN 0.0.0.0 0.0.0.0 10.152.25.33 2
route LAN 172.16.4.0 255.255.255.0 172.16.100.51 1
route WAN 172.31.0.0 255.255.0.0 10.152.25.33 1

SITE PT

route WAN 0.0.0.0 0.0.0.0 10.151.21.1 2
route WAN 10.151.25.0 255.255.255.0 10.151.21.1 1
route WAN 172.16.0.0 255.255.0.0 10.151.21.1 1
route LAN 172.31.0.0 255.255.224.0 172.31.100.1 1
route LAN 172.31.1.0 255.255.255.0 172.31.100.1 1

Interesting that you see zero decaps on both firewalls. Could you please try to set up a packet capture on the PT firewall's outside interface, including the decrypted VPN traffic, similar to the following, and then initiate some traffic from a client in subnet 172.16.4.0/24 at the HQ site?

capture VPN interface WAN include-decrypted match icmp any any

This will show us whether the PT firewall receives the VPN traffic from HQ and decrypts it. If so, the PT firewall should show some decaps on the IPsec SA between the 172.16.4.0 and 172.31.1.0 subnets.

If the above is not successful, then I would try to remove the route maps under the LAN interfaces on both firewalls and change the AD value on the static default routes from 2 to 1 and see if that makes any difference.


I tried to remove the route maps in the firewall, going from:
route WAN 0.0.0.0 0.0.0.0 10.152.25.33 2
route LAN 172.16.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.1.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.2.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.3.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.5.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.6.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.7.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.8.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.9.0 255.255.255.0 172.16.100.51 1
route WAN 172.31.1.0 255.255.255.0 10.152.25.33 1

to changing the AD value from 2 to 1:

route WAN 0.0.0.0 0.0.0.0 10.152.25.33 1

but it gives me: ERROR: Cannot add route entry, conflict with existing routes

This is because my default route to the outside, 0.0.0.0/24, is using another ISP (broadband). FYI, I have 2 ISPs: ISP1 is the integrated ISP (with a public IP) and ISP2 is a high-speed broadband ISP (no public IP). To cater for both ISP1 and ISP2, I have to use PBR so that selected subnets use the desired ISP. That's why I cannot change the AD value from 2 to 1 in this case.

I drew this topology to clarify the trouble points.
Please share the output in the order I listed in my drawing.

Thanks for waiting.

MHM

[Attachment: Screenshot (321).png, topology drawing with the numbered trouble points]

HQ (trouble 1)
show crypto ipsec sa

interface: WAN
Crypto map tag: PT-VPN-TUNNEL, seq num: 5, local addr: 10.152.25.34

access-list IPSecVPN extended permit ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
current_peer: 10.151.21.3


#pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 59, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.152.25.34/0, remote crypto endpt.: 10.151.21.3/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: CA362193
current inbound spi : 27BFB74F

inbound esp sas:
spi: 0x27BFB74F (666875727)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 104255488, crypto-map: PT-VPN-TUNNEL
sa timing: remaining key lifetime (kB/sec): (4374000/2992)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xCA362193 (3392545171)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 104255488, crypto-map: PT-VPN-TUNNEL
sa timing: remaining key lifetime (kB/sec): (4373997/2992)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


PT (trouble 2)
show crypto ipsec sa

interface: WAN
Crypto map tag: HQ-VPN-TUNNEL, seq num: 5, local addr: 10.151.21.3

access-list IPSecVPN extended permit ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0
local ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
current_peer: 10.152.25.34

#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 10.151.21.3/0, remote crypto endpt.: 10.152.25.34/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 27BFB74F
current inbound spi : CA362193

inbound esp sas:
spi: 0xCA362193 (3392545171)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 688, crypto-map: HQ-VPN-TUNNEL
sa timing: remaining key lifetime (kB/sec): (3915000/2513)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x27BFB74F (666875727)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 688, crypto-map: HQ-VPN-TUNNEL
sa timing: remaining key lifetime (kB/sec): (3914999/2513)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

HQ (trouble 3)

# capture CAPIN interface LAN match ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0
# capture CAPOUT_WAN interface WAN match ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0
# capture CAPOUT_UNIFI interface UNIFI match ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0

# show cap
capture CAPIN type raw-data interface LAN [Capturing - 4454 bytes]
  match ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0
capture CAPOUT_WAN type raw-data interface WAN [Capturing - 0 bytes]
  match ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0
capture CAPOUT_UNIFI type raw-data interface UNIFI [Capturing - 0 bytes]
  match ip 172.16.4.0 255.255.255.0 172.31.1.0 255.255.255.0


PT (trouble 4)

# capture CAPIN interface LAN match ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0
# capture CAPOUT_WAN interface WAN match ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0
# capture CAPOUT_UNIFI interface UNIFI match ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0

# sh capture
capture CAPIN type raw-data interface LAN [Capturing - 990 bytes]
  match ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0
capture CAPOUT_WAN type raw-data interface WAN [Capturing - 0 bytes]
  match ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0
capture CAPOUT_UNIFI type raw-data interface UNIFI [Capturing - 0 bytes]
  match ip 172.31.1.0 255.255.255.0 172.16.4.0 255.255.255.0

*** All tests were done while pinging continuously from the HQ subnet to the PT subnet and vice versa.
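The two "show crypto ipsec sa" outputs above can be cross-checked mechanically. The following is an added example, not code from the thread: it parses the header, counter and SPI lines of each peer's output (the posted lines are embedded as constructed sample input), confirms that the peers, proxy identities and SPIs mirror each other, and classifies the counter pattern. The pattern names, the "recv errors" interpretation and the ordering hint in the findings are the author's own assumptions, not ASA output.

```python
import re

# Constructed sample input: the header, counter and SPI lines from the two
# "show crypto ipsec sa" outputs posted in this thread, trimmed to what the
# parser reads.
HQ_SA = """\
Crypto map tag: PT-VPN-TUNNEL, seq num: 5, local addr: 10.152.25.34
local ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
current_peer: 10.151.21.3
#pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
current outbound spi: CA362193
current inbound spi : 27BFB74F
"""
PT_SA = """\
Crypto map tag: HQ-VPN-TUNNEL, seq num: 5, local addr: 10.151.21.3
local ident (addr/mask/prot/port): (172.31.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.4.0/255.255.255.0/0/0)
current_peer: 10.152.25.34
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
current outbound spi: 27BFB74F
current inbound spi : CA362193
"""

# Field name -> regex with one capture group, applied to one peer's SA block.
FIELDS = {
    "local_addr": r"local addr:\s*(\S+)",
    "peer": r"current_peer:\s*(\S+)",
    "local_ident": r"local ident[^:]*:\s*\((\S+?)/0/0\)",
    "remote_ident": r"remote ident[^:]*:\s*\((\S+?)/0/0\)",
    "encaps": r"#pkts encaps:\s*(\d+)",
    "decaps": r"#pkts decaps:\s*(\d+)",
    "recv_errors": r"#recv errors:\s*(\d+)",
    "outbound_spi": r"current outbound spi:\s*([0-9A-Fa-f]+)",
    "inbound_spi": r"current inbound spi\s*:\s*([0-9A-Fa-f]+)",
}
INT_FIELDS = {"encaps", "decaps", "recv_errors"}


def parse_sa(name, text):
    """Pull the cross-check fields out of one peer's 'show crypto ipsec sa' block."""
    sa = {"name": name}
    for field, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"{name}: field {field!r} not found")
        sa[field] = int(m.group(1)) if field in INT_FIELDS else m.group(1).upper()
    return sa


def diagnose(a, b):
    """Cross-check two peers' SA views; returns (pattern, findings)."""
    findings = []
    # Both sides must describe the same tunnel: peers, proxy IDs and SPIs mirror each other.
    if a["peer"] != b["local_addr"] or b["peer"] != a["local_addr"]:
        findings.append("peer address does not match the far side's local addr")
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identities are not mirror images")
    if a["outbound_spi"] != b["inbound_spi"] or b["outbound_spi"] != a["inbound_spi"]:
        findings.append("SPI mismatch: the peers are not holding the same SA pair")
    # recv errors: ESP arrived but failed verification/replay. Zero decaps with
    # zero recv errors: no ESP from the peer was counted on this SA at all.
    for p in (a, b):
        if p["recv_errors"]:
            findings.append(f"{p['name']}: ESP arrives but is rejected ({p['recv_errors']} recv errors)")
    sends = [p["name"] for p in (a, b) if p["encaps"] > 0]
    receives = [p["name"] for p in (a, b) if p["decaps"] > 0]
    if len(sends) == 2 and not receives:
        pattern = "both-send-none-receive"
        findings.append(
            "both peers encapsulate and neither decapsulates: ESP leaves each WAN "
            "interface but the far side never counts it, so check the path between "
            "the two outside addresses (routing or NAT of the ESP packets) first; "
            "a post-decryption ACL only comes into play once decaps is non-zero")
    elif len(sends) == 2 and len(receives) == 2:
        pattern = "bidirectional"
    elif not sends:
        pattern = "idle"
    else:
        pattern = "one-way"
        findings.append(f"sends: {sends}, receives: {receives}")
    return pattern, findings


def check_thread_outputs():
    """Run the cross-check over the two outputs posted in this thread."""
    return diagnose(parse_sa("HQ", HQ_SA), parse_sa("PT", PT_SA))
```

For the posted outputs the SPIs and proxy identities line up and the verdict is "both-send-none-receive", which is why the captures on the WAN interfaces, rather than the NAT or ACL configuration, are the next thing to look at.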

El Rondo
Level 1

Here I also ran packet-tracer from both sites, HQ and PT, to help with some points that might be useful.

** HQ **

# packet-tracer input LAN icmp 172.16.4.16 8 0 172.31.1.3

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.31.1.3/0 to 172.31.1.3/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

description: # All vlan from inside interface

network-object object LEVEL_G

network-object object LEVEL_2

network-object object LEVEL_3

network-object object LEVEL_4

network-object object LEVEL_5

network-object object LEVEL_6

network-object object WIFI

network-object host 172.17.9.1

network-object object SERVER

network-object object WIFI_B

Additional Information:

 

Phase: 4      

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

 

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Static translate 172.16.4.16/0 to 172.16.4.16/0

 

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

              

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 

Phase: 10

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

 

Phase: 11

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

 

Phase: 12

Type: VPN     

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

 

Phase: 13

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 14

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 15

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:       

Additional Information:

New flow created with id 186199012, packet dispatched to next module

 

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

 

 

** PT **

# packet-tracer input LAN icmp 172.31.1.0 8 0 172.16.4.16

 

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.16.4.16/0 to 172.16.4.16/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

network-object object WIFI_BENGKEL

network-object object WIFI_JTK

network-object object WIFI_JKE_A

network-object object WIFI_JKE_B

network-object object WIFI_HEP

network-object object WIFI_HOSTEL_LELAKI

network-object object WIFI_HOSTEL_PEREMPUAN

network-object object JTP

network-object object JTM

network-object object HEP

network-object object BENGKEL

network-object object CISCO

network-object object JTK

network-object object JKE_A

network-object object JKE_B

network-object object SERVER

network-object object WIFI_JTP

network-object object WIFI_JTM

network-object object WIFI_DEWAN_A

network-object object WIFI_DEWAN_B

network-object object JTA

network-object object JKP

network-object object WIFI_JTA_JKP

Additional Information:

 

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Static translate 172.31.1.0/0 to 172.31.1.0/0

 

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

 

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

 

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

 

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

 

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 

Phase: 13

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 26111606, packet dispatched to next module

 

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

El Rondo
Level 1

From packet-tracer I found that HQ doesn't have the VPN "ipsec-tunnel-flow" phase, which PT has:

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

which PT has.

It's not clear to me yet.

But:

You use a route toward the ISP using /16, not /24:

route WAN 172.31.0.0 255.255.255.0 10.152.25.33 1

The same must be done in PT.

For IPsec it's OK, it's up and the SPI is the same on both sites; just correct the route and check.

MHM

El Rondo
Level 1

I have updated the static routes as below:

HQ
route WAN 0.0.0.0 0.0.0.0 10.152.25.33 2
route LAN 172.16.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.1.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.2.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.3.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.5.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.6.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.7.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.8.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.9.0 255.255.255.0 172.16.100.51 1
route WAN 172.31.1.0 255.255.255.0 10.152.25.33 1

PT 
route WAN 0.0.0.0 0.0.0.0 10.151.21.1 2
route WAN 172.16.1.0 255.255.255.0 10.151.21.1 1
route LAN 172.31.0.0 255.255.224.0 172.31.100.1 1
route LAN 172.31.1.0 255.255.255.0 172.31.100.1 1

** And I reran packet-tracer:

HQ

# packet-tracer input LAN icmp 172.16.4.16 8 0 172.31.1.3 detailed

Phase: 1

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.31.1.3/0 to 172.31.1.3/0

 

Phase: 2

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

description: # All vlan from inside interface

network-object object LEVEL_G

network-object object LEVEL_2

network-object object LEVEL_3

network-object object LEVEL_4

network-object object LEVEL_5

network-object object LEVEL_6

network-object object WIFI

network-object host 172.17.9.1

network-object object SERVER

network-object object WIFI_B

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac8f84a30, priority=13, domain=permit, deny=false

hits=5368178, user_data=0x2aaabdbd79c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

 

Phase: 3

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

match any

policy-map global_policy

class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaacf306280, priority=7, domain=conn-set, deny=false

hits=24242097, user_data=0x2aaacf3037c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

 

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Static translate 172.16.4.16/0 to 172.16.4.16/0

Forward Flow based lookup yields rule:

in  id=0x7f4f8e3504d0, priority=6, domain=nat, deny=false

hits=11479, user_data=0x7f4f8e34ff50, cs_id=0x0, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=WAN

 

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac7eb3e40, priority=0, domain=nat-per-session, deny=true

hits=190167865, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=any, output_ifc=any

 

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:       

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac8bc2cb0, priority=0, domain=inspect-ip-options, deny=true

hits=24394434, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

 

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x7f4f77213030, priority=70, domain=inspect-icmp, deny=false

hits=355796, user_data=0x7f4f77211310, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

 

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x2aaac8bc24c0, priority=66, domain=inspect-icmp-error, deny=false

hits=728352, user_data=0x2aaac8bc1a30, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=any

 

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7f4f61a8dbd0, priority=70, domain=encrypt, deny=false

hits=290, user_data=0xacee74, cs_id=0x2aaac99988d0, reverse, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=any, output_ifc=WAN

 

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static PT_SERVER PT_SERVER

Additional Information:

Forward Flow based lookup yields rule:

out id=0x7f4f8e352e90, priority=6, domain=nat-reverse, deny=false

hits=11352, user_data=0x7f4f8e350050, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=LAN, output_ifc=WAN

 

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:       

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x7f4f61a8d0e0, priority=70, domain=ipsec-tunnel-flow, deny=false

hits=290, user_data=0xad004c, cs_id=0x2aaac99988d0, reverse, flags=0x0, protocol=0

src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

input_ifc=WAN, output_ifc=any

 

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x2aaac7eb3e40, priority=0, domain=nat-per-session, deny=true

hits=190167867, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=any, output_ifc=any

 

Phase: 13

Type: IP-OPTIONS

Subtype:      

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x2aaac8b61bc0, priority=0, domain=inspect-ip-options, deny=true

hits=185829553, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

input_ifc=WAN, output_ifc=any

 

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 186331150, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_ifc_stat

 

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow

 

PT

# packet-tracer input LAN icmp 172.31.1.3 8 0 172.16.4.16 detailed

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x557285a350, priority=1, domain=permit, deny=false

        hits=1527511922, user_data=0x0, cs_id=0x0, l3_type=0x8

        src mac=0000.0000.0000, mask=0000.0000.0000

        dst mac=0000.0000.0000, mask=0100.0000.0000

        input_ifc=LAN, output_ifc=any

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

NAT divert to egress interface WAN

Untranslate 172.16.4.16/0 to 172.16.4.16/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group INSIDE_ACCESS_IN in interface LAN

access-list INSIDE_ACCESS_IN extended permit object-group IP_Allow object-group ALL_INSIDE_LAN any log

object-group protocol IP_Allow

protocol-object ip

protocol-object pim

protocol-object gre

protocol-object esp

protocol-object ah

protocol-object ospf

protocol-object nos

object-group network ALL_INSIDE_LAN

network-object object WIFI_BENGKEL

network-object object WIFI_JTK

network-object object WIFI_JKE_A

network-object object WIFI_JKE_B

network-object object WIFI_HEP

network-object object WIFI_HOSTEL_LELAKI

network-object object WIFI_HOSTEL_PEREMPUAN

network-object object JTP

network-object object JTM

network-object object HEP

network-object object BENGKEL

network-object object CISCO

network-object object JTK

network-object object JKE_A

network-object object JKE_B

network-object object SERVER

network-object object WIFI_JTP

network-object object WIFI_JTM

network-object object WIFI_DEWAN_A

network-object object WIFI_DEWAN_B

network-object object JTA

network-object object JKP

network-object object WIFI_JTA_JKP

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x5573ccf720, priority=13, domain=permit, deny=false

        hits=70924, user_data=0x556082d200, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

 

Phase: 4

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Static translate 172.31.1.3/0 to 172.31.1.3/0

Forward Flow based lookup yields rule:

in  id=0x55757c8af0, priority=6, domain=nat, deny=false

        hits=3458, user_data=0x55784abc90, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=WAN

 

Phase: 5

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x556e727770, priority=0, domain=nat-per-session, deny=true

        hits=27324636, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=any, output_ifc=any

 

Phase: 6

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x5572863330, priority=0, domain=inspect-ip-options, deny=true

        hits=32302387, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

 

Phase: 7

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

match default-inspection-traffic

policy-map global_policy

class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x557518d940, priority=70, domain=inspect-icmp, deny=false

        hits=1034843, user_data=0x557518bb80, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

 

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

in  id=0x5572862b40, priority=66, domain=inspect-icmp-error, deny=false

        hits=1034843, user_data=0x5572862190, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=any

 

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x55797339f0, priority=70, domain=encrypt, deny=false

        hits=4, user_data=0x21afc94, cs_id=0x5574abf0f0, reverse, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=any, output_ifc=WAN

 

Phase: 10

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (LAN,WAN) source static SERVER SERVER destination static HQ_SERVER HQ_SERVER

Additional Information:

Forward Flow based lookup yields rule:

out id=0x55771404a0, priority=6, domain=nat-reverse, deny=false

        hits=3458, user_data=0x5573700210, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=LAN, output_ifc=WAN

 

Phase: 11

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x55766e11d0, priority=70, domain=ipsec-tunnel-flow, deny=false

        hits=4, user_data=0x21b0a34, cs_id=0x5574abf0f0, reverse, flags=0x0, protocol=0

        src ip/id=172.16.4.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.31.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=WAN, output_ifc=any

 

Phase: 12

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x556e727770, priority=0, domain=nat-per-session, deny=true

        hits=27324638, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=any, output_ifc=any

 

Phase: 13

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

Reverse Flow based lookup yields rule:

in  id=0x5571b4bfe0, priority=0, domain=inspect-ip-options, deny=true

        hits=20156901, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none

        input_ifc=WAN, output_ifc=any

 

Phase: 14

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 26266351, packet dispatched to next module

Module information for forward flow ...

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_translate

snp_fp_adjacency

snp_fp_encrypt

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

 

Module information for reverse flow ...

snp_fp_inspect_ip_options

snp_fp_ipsec_tunnel_flow

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_adjacency

snp_fp_fragment

snp_fp_tracer_drop

snp_ifc_stat

 

Result:

input-interface: LAN

input-status: up

input-line-status: up

output-interface: WAN

output-status: up

output-line-status: up

Action: allow
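The routing discussion above (the /16 versus /24 route, the AD 2 default route, and whether the updated tables still send each flow the right way) can be checked offline. This is an added example, not the thread's own code: it parses the updated static routes posted for both sites (embedded as constructed sample input), does a longest-prefix lookup with administrative distance as the tie-breaker for equal-length prefixes, and reports the egress for the clear-text flow in each direction plus the path to the IPsec peer itself. Note that the posted PT table's 172.16.1.0/24 entry does not cover 172.16.4.16, so that destination falls to the default route, which here has the same next hop, so egress is still WAN.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    iface: str
    network: ipaddress.IPv4Network
    next_hop: str
    ad: int


# Constructed sample input: the updated static routes posted for both sites
# (ASA "route <iface> <net> <mask> <next-hop> [ad]" syntax), PBR left aside.
HQ_ROUTES = """\
route WAN 0.0.0.0 0.0.0.0 10.152.25.33 2
route LAN 172.16.4.0 255.255.255.0 172.16.100.51 1
route LAN 172.17.1.0 255.255.255.0 172.16.100.51 1
route WAN 172.31.1.0 255.255.255.0 10.152.25.33 1
"""
PT_ROUTES = """\
route WAN 0.0.0.0 0.0.0.0 10.151.21.1 2
route WAN 172.16.1.0 255.255.255.0 10.151.21.1 1
route LAN 172.31.0.0 255.255.224.0 172.31.100.1 1
route LAN 172.31.1.0 255.255.255.0 172.31.100.1 1
"""


def parse_routes(text: str) -> List[Route]:
    """Parse ASA static route statements; other lines are ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "route":
            continue
        network = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
        ad = int(parts[5]) if len(parts) > 5 else 1  # static routes default to AD 1
        routes.append(Route(parts[1], network, parts[4], ad))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; between equal-length prefixes the lower AD wins,
    which is how a floating default route (AD 2) loses to an AD 1 one."""
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.ad))


def _summary(r: Optional[Route]):
    return (r.iface, r.next_hop, r.network.prefixlen) if r else None


def trace_tunnel(routes: List[Route], local_host: str, remote_host: str, peer: str):
    """Egress for the three lookups a LAN-to-LAN tunnel depends on:
    clear-text to the remote LAN (must hit the crypto-map interface),
    clear-text back to the local LAN (decrypted replies), and the ESP
    packets to the peer's outside address."""
    return {
        "to_remote_lan": _summary(lookup(routes, remote_host)),
        "to_local_lan": _summary(lookup(routes, local_host)),
        "to_peer": _summary(lookup(routes, peer)),
    }
```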

 
Is all OK now?

MHM

Still the same after I updated the static routes on both sites with the same subnet mask: 172.16.4.0/24 at HQ and 172.31.1.0/24 at PT.

Sorry for the late reply, but sometimes an idea needs a lab to test.
Anyway, in this simple lab with two ASAs,
the packet-tracer is up and OK and the encrypt count is OK, but the decrypt count is zero.
The issue is:
you run an ACL on the outside of one or both firewalls
and you do not use
sysopt connection permit-vpn
For FPR with FDM or FMC, the option to bypass the ACL is not enabled.

MHM

[Attachments: Screenshot (329).png, Screenshot (330).png, Screenshot (331).png]

Hi MHM,
Based on your suggestion I have put "sysopt connection permit-vpn" on both firewalls. But nothing changed; the result is still the same, unable to ping.

I tried to search for the command "sysopt connection permit-vpn" in both firewall configs, but unfortunately it wasn't there. Is that normal when you have already entered the command?