3223 Views | 0 Helpful | 1 Reply

IPSec VPN tunnel works one way, can ping the other direction too

ninterface
Level 1

Hi Folks,

Ok so I'm going crazy here. I have an IPSec tunnel that is working in one direction.

Below is the router config from the side that can connect to the other side perfectly. I believe the issue is with this router as, while I was waiting on delivery for the ASA, I had an SRP527W sitting in its place and had exactly the same problem.

On one side I have a 887VA router and the other an ASA5505.

The network behind the 887VA can access the remote site perfectly; backup services are traversing the link, as are web interfaces for applications. In the other direction I can ping hosts but cannot connect. What is also interesting is that if, from the remote site, I attempt to connect to a particular device that performs a port redirect, the remote site browser gets as far as being redirected to port 5000 but then hangs.

I am seeing some very generic packet drop debug notices on the 887VA on the NAT-ACL access list, but I think this is as it should be, as it is dropping the tunnel traffic from the NAT'ing.

The config for the router is here; I will post the ASA config when I get to the other site shortly, but I am convinced the issue is on this device. All the crypto configurations match.

I have looked at the MTUs on each side; the path MTU on both sides is 1492. The ASA does say the media MTU is 1500, but I believe that is the ADSL link so it shouldn't matter?

I even went so far as installing CCP and testing the VPN. It says the tunnel is up. It did state a failure:

A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.

with recommended action:

1) Contact your ISP/Administrator to resolve this issue.
2) Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.

I did 2 with no effect.

(Addresses etc have been changed to protect the innocent.)

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
!
logging buffered 65535
logging console informational
!
no aaa new-model
!
memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0
!
!
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
      quit
ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name ninterface.com
ip name-server 192.
ip name-server 192.
ip inspect name CBAC appleqtc
ip inspect name CBAC dns
ip inspect name CBAC esmtp
ip inspect name CBAC http
ip inspect name CBAC https
ip inspect name CBAC ftp
ip inspect name CBAC h323
ip inspect name CBAC isakmp
ip inspect name CBAC l2tp
ip inspect name CBAC icmp
ip inspect name CBAC imap
ip inspect name CBAC imaps
ip inspect name CBAC ftps
ip inspect name CBAC ntp
ip inspect name CBAC sip
ip inspect name CBAC sip-tls
ip inspect name CBAC ssh
ip inspect name CBAC tcp
ip inspect name CBAC udp
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class OutMan
login on-failure log
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISC
!
!
archive
log config
  hidekeys
username UNAME SECRET PASS
!
!
!
!
controller VDSL 0
operating mode adsl2 annex A
!
ip ssh version 2
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
lifetime 28800
!
crypto isakmp policy 10
authentication pre-share
lifetime 28800
crypto isakmp key ISAKMPKEY address 14.14.14.14
!
!
crypto ipsec transform-set TRANSF esp-3des esp-sha-hmac
!
crypto map CRYMAP 101 ipsec-isakmp
set peer 14.14.14.14
set transform-set TRANSF
match address 101
reverse-route
!
!
!
!
!
interface Loopback0
no ip address
!
interface Ethernet0
no ip address
shutdown
no fair-queue
!
interface ATM0
description --- Internode ADSL ----
no ip address
no ip route-cache
load-interval 30
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no ip route-cache
pvc 8/35
  tx-ring-limit 3
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description Management Interface
ip address 10.0.1.5 255.255.255.0
ip mtu 1452
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1420
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
description -----INTERNODE ADSL------
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname cabotage@internode.on.net
ppp chap password 7 05531F5A331F1C1E08
ppp ipcp dns request accept
no cdp enable
crypto map CRYMAP
!
router rip
version 2
redistribute static
network 10.0.1..0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 10.0.1..222 3389 interface Dialer1 19770
ip nat inside source static tcp 10.0.1..69 22 interface Dialer1 19771
ip nat inside source static tcp 10.0.1..69 5000 interface Dialer1 5000
ip nat inside source static tcp 10.0.1..114 3389 interface Dialer1 31313
ip nat inside source static tcp 10.0.1..110 3389 interface Dialer1 19450
ip nat inside source list NAT-ACL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.0.60.0 255.255.255.0 14.14.14.14
!
ip access-list standard OutMan
permit any
ip access-list standard acINAT
ip access-list standard aclQueitMode
permit 0.0.0.0 255.255.225.255
ip access-list standard aclQuietMode
permit 10.0.1.0 0.0.0.255
!
ip access-list extended NAT-ACL
deny   ip 10.0.1.0 0.0.0.255 172.0.60.0 0.0.0.255
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended aclNat
permit ip 10.0.1.0 0.0.0.255 any
!
logging trap debugging
access-list 101 permit ip 10.0.1.0 0.0.0.255 172.0.60.0 0.0.0.255
access-list 103 permit tcp host 0.0.0.0 host 180.180.180.180
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map rmNatIn2Out permit 10
match ip address NAT-ACL
!
!
control-plane
!
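The CCP warning quoted above is about DF-set packets the size of the VPN interface MTU not surviving the path; whether a given `ip tcp adjust-mss` value avoids that depends on the ESP overhead of the transform set in use. The calculator below is an added example for this thread, not code from the original post or from Cisco's tooling. It computes tunnel-mode ESP overhead for the transform-set keywords that appear in the two configs (esp-3des/esp-sha-hmac as negotiated here, plus the AES and MD5 variants the ASA defines) and reports the largest cleartext packet and TCP MSS that fit a given outer-path MTU. It assumes IPv4 inner packets with no IP or TCP options, uses the 1492-byte path MTU and the 1420 MSS clamp from the post as sample input, and deliberately ignores any pre- or post-fragmentation the encrypting router may perform itself.

```python
"""Tunnel-mode ESP overhead calculator: which cleartext sizes survive a given outer-path MTU."""
import math

# Per-algorithm constants from RFC 4303 (ESP framing), RFC 2451 (3DES-CBC) and
# RFC 3602 (AES-CBC), keyed by the IOS/ASA transform-set keywords used in the configs above.
CIPHERS = {"esp-des": (8, 8), "esp-3des": (8, 8),                 # (IV length, pad alignment)
           "esp-aes": (16, 16), "esp-aes-192": (16, 16), "esp-aes-256": (16, 16)}
ICV = {"esp-sha-hmac": 12, "esp-md5-hmac": 12}                    # HMAC-SHA1-96 / HMAC-MD5-96
OUTER_IPV4 = 20          # new outer IP header that tunnel mode prepends
ESP_HEADER = 8           # SPI + sequence number
ESP_TRAILER = 2          # pad length + next header
NAT_T_UDP = 8            # extra UDP/4500 header when NAT traversal is negotiated
IPV4_TCP_HEADERS = 40    # inner IPv4 + TCP headers with no options (assumption for MSS maths)


def esp_packet_size(cleartext_len, cipher="esp-3des", integrity="esp-sha-hmac", nat_t=False):
    """Bytes on the wire for one tunnel-mode ESP packet carrying a cleartext_len-byte IP packet."""
    iv, align = CIPHERS[cipher]
    # Payload + trailer is padded up to the cipher block size before encryption.
    padded = math.ceil((cleartext_len + ESP_TRAILER) / align) * align
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + padded + ICV[integrity]


def max_cleartext(link_mtu, cipher="esp-3des", integrity="esp-sha-hmac", nat_t=False):
    """Largest inner IP packet whose encapsulation still fits link_mtu without fragmentation."""
    iv, align = CIPHERS[cipher]
    room = link_mtu - OUTER_IPV4 - (NAT_T_UDP if nat_t else 0) - ESP_HEADER - iv - ICV[integrity]
    # Round the available room down to a whole number of cipher blocks, then drop the trailer.
    return (room // align) * align - ESP_TRAILER


def safe_tcp_mss(link_mtu, **kw):
    """MSS clamp that keeps every full-size TCP segment within link_mtu after encryption."""
    return max_cleartext(link_mtu, **kw) - IPV4_TCP_HEADERS


def mss_fits(mss, link_mtu, **kw):
    """Does a full segment under this MSS clamp fit link_mtu once encrypted?"""
    return esp_packet_size(mss + IPV4_TCP_HEADERS, **kw) <= link_mtu


def report(link_mtu, mss_clamp, **kw):
    """Summarise the fragmentation picture for one tunnel's outer path."""
    full = mss_clamp + IPV4_TCP_HEADERS
    return {
        "link_mtu": link_mtu,
        "full_segment_cleartext": full,
        "full_segment_encrypted": esp_packet_size(full, **kw),
        "clamp_fits_unfragmented": mss_fits(mss_clamp, link_mtu, **kw),
        "largest_safe_cleartext": max_cleartext(link_mtu, **kw),
        "safe_mss": safe_tcp_mss(link_mtu, **kw),
    }


if __name__ == "__main__":
    # Sample input taken from the post: 1492-byte PPPoE path, esp-3des/esp-sha-hmac,
    # and 'ip tcp adjust-mss 1420' on the inside interface.
    for key, value in report(1492, 1420).items():
        print(f"{key:>26}: {value}")
```

For the posted values the report shows a full 1460-byte cleartext segment encapsulating to 1512 bytes, above the 1492-byte path, while 1398 is the largest MSS whose segments fit unfragmented; swapping in `cipher="esp-aes-256", nat_t=True` shows how the 16-byte IV and UDP header shrink that further. Whether an oversize ESP packet is actually a problem depends on whether the encrypting router may fragment the outer packet, which is what the `crypto ipsec df-bit clear` recommendation in the CCP output controls.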

1 Reply

ninterface
Level 1

ASA configuration on the other side of the tunnel.

ASA Version 8.2(5)
!
hostname ASA
domain-name ninterface.com
names
name 14.14.14.14 outside description outside interface
name 10.0.1.0 central description central office
!
interface Ethernet0/0
switchport access vlan 2
!
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group iiNet
ip address pppoe setroute
!
ftp mode passive
clock timezone EST 10
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
domain-name ninterface.com
dns server-group MainDNSList
name-server 203.0.178.191
name-server 8.8.8.8
domain-name ninterface.com
dns-group MainDNSList
object-group network obj_any
object-group icmp-type ICMP-INBOUND
description Permit necessary inbound ICMP traffic
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
object-group service DS_TOR tcp-udp
description group of ports to the hub for TOR
port-object eq 29898
port-object eq 29899
port-object eq 29900
port-object eq 29901
port-object eq 29902
port-object eq 29903
port-object eq 29904
port-object eq 29905
port-object eq 29906
port-object eq 29907
port-object eq 29908
port-object eq 29909
port-object eq 29910
object-group service DM_INLINE_TCP_1 tcp
port-object eq 2222
port-object eq 29922
port-object eq 5000
port-object eq 5001
port-object eq 7000
port-object eq 873
port-object eq www
port-object eq 7001
group-object DS_TOR
object-group service DM_INLINE_SERVICE_1
service-object tcp eq 3074
service-object tcp eq 88
service-object tcp eq domain
service-object udp eq 3074
service-object udp eq domain
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND remark chiang access list
access-list INBOUND extended permit tcp any host outside object-group DM_INLINE_TCP_1
access-list INBOUND remark xbox access
access-list INBOUND extended permit object-group DM_INLINE_SERVICE_1 any host outside
access-list INBOUND extended permit ip central 255.255.255.0 172.0.60.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.0.60.0 255.255.255.0 central 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.0.60.0 255.255.255.0 central 255.255.255.0
access-list SecLanTraffic extended permit ip 172.0.60.0 255.255.255.0 central 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1492
mtu outside 1492
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 172.0.60.0 255.255.255.0
access-group INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 203.215.9.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec authentication-server
http server enable
http 172.0.60.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no sysopt connection permit-vpn
auth-prompt prompt Yo you flute me?
auth-prompt accept in
auth-prompt reject out
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 150.101.181.62
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 28800
telnet timeout 2
ssh 172.0.60.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
management-access inside
vpdn group iiNet request dialout pppoe
vpdn group iiNet localname UNAME
vpdn group iiNet ppp authentication pap
vpdn username UNAME password ***** store-local
dhcpd auto_config outside
!
dhcpd address 172.0.60.1-172.0.60.36 inside
dhcpd dns 203.0.178.191 8.8.8.8 interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username admin password Q8Mi1MQB4nIkEh1X encrypted privilege 15
tunnel-group REMOTEROUTERIP type ipsec-l2l
tunnel-group REMOTEROUTERIP ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
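A LAN-to-LAN tunnel that carries traffic one way only is more often a selector or NAT asymmetry between the two ends than a crypto mismatch, and the two posted configs together contain every line needed to check for that: the IOS crypto ACL 101 and the NAT-ACL deny, the ASA outside_1_cryptomap and inside_nat0_outbound ACLs with their `name` aliases, and the `no sysopt connection permit-vpn` plus `access-group INBOUND in interface outside` pair that makes decrypted traffic subject to the outside ACL. The script below is an added example written for this thread, not code from the original posts or from Cisco. It parses constructed excerpts copied from the two configs above (and a deliberately broken variant) and reports four classes of mismatch: crypto ACLs that are not mirror images, IOS tunnel traffic missing a NAT deny, ASA tunnel traffic missing a nat 0 exemption, and decrypted traffic not permitted by the crypto interface ACL. The ACL and function names are assumptions chosen to match the posted configs, and it understands only plain `permit|deny ip` entries, skipping object-group and port-based lines.

```python
"""Cross-check both ends of an IPsec LAN-to-LAN tunnel for the selector and NAT
asymmetries that typically produce a tunnel passing traffic in one direction only."""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed excerpts: just the lines this check needs, copied from the 887VA and
# ASA 5505 configurations posted above (names, ACLs, NAT exemption, interface ACL).
IOS_CONFIG = """
access-list 101 permit ip 10.0.1.0 0.0.0.255 172.0.60.0 0.0.0.255
ip access-list extended NAT-ACL
 deny   ip 10.0.1.0 0.0.0.255 172.0.60.0 0.0.0.255
 permit ip 10.0.1.0 0.0.0.255 any
"""
ASA_CONFIG = """
name 14.14.14.14 outside description outside interface
name 10.0.1.0 central description central office
access-list INBOUND extended permit icmp any any object-group ICMP-INBOUND
access-list INBOUND remark chiang access list
access-list INBOUND extended permit ip central 255.255.255.0 172.0.60.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 172.0.60.0 255.255.255.0 central 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.0.60.0 255.255.255.0 central 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
access-group INBOUND in interface outside
no sysopt connection permit-vpn
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map interface outside
"""
# Constructed broken variant: the ASA crypto ACL says /16 where the IOS side says /24.
BROKEN_ASA_CONFIG = ASA_CONFIG.replace(
    "permit ip 172.0.60.0 255.255.255.0 central", "permit ip 172.0.60.0 255.255.0.0 central", 1)


def ios_net(addr, wildcard):
    """IOS ACLs use inverse (wildcard) masks: 0.0.0.255 means /24."""
    bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(bits)}", strict=False)


def asa_net(addr, mask, names):
    """ASA ACLs use ordinary netmasks and may refer to 'name' aliases."""
    return ipaddress.IPv4Network(f"{names.get(addr, addr)}/{mask}", strict=False)


def _take(tokens, i, to_net, names):
    """Consume one address term (any | host X | addr mask) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(names.get(tokens[i + 1], tokens[i + 1]) + "/32"), i + 2
    return to_net(tokens[i], tokens[i + 1]), i + 2


def _entry(tokens, to_net, names):
    """Parse 'permit|deny ip SRC DST' into (action, src, dst); anything else yields None."""
    try:
        if tokens[1] != "ip":
            return None
        src, i = _take(tokens, 2, to_net, names)
        dst, _ = _take(tokens, i, to_net, names)
        return tokens[0], src, dst
    except (IndexError, ValueError):
        return None


def parse_ios_acl(config, acl):
    """Entries of a numbered ACL ('access-list 101 ...') or a named extended ACL block."""
    entries, in_block = [], False
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if not line[0].isspace():  # any top-level command ends a named ACL block
            in_block = tokens[:4] == ["ip", "access-list", "extended", acl]
            if tokens[:2] == ["access-list", acl]:
                entries.append(_entry(tokens[2:], ios_net, {}))
        elif in_block and tokens[0] in ("permit", "deny"):
            entries.append(_entry(tokens, ios_net, {}))
    return [e for e in entries if e]


def parse_asa_names(config):
    """Map 'name ADDR ALIAS' lines to {alias: address}."""
    return {t[2]: t[1] for t in (l.split() for l in config.splitlines())
            if len(t) >= 3 and t[0] == "name"}


def parse_asa_acl(config, acl, names):
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] == ["access-list", acl, "extended"]:
            entries.append(_entry(tokens[3:], lambda a, m: asa_net(a, m, names), names))
    return [e for e in entries if e]


def _covered(pair, entries, action="permit"):
    """Is the (src, dst) pair inside some entry with the given action?"""
    return any(a == action and pair[0].subnet_of(s) and pair[1].subnet_of(d) for a, s, d in entries)


def _fmt(pairs):
    return ", ".join(f"{s}->{d}" for s, d in sorted(pairs, key=str))


def check_tunnel(ios_cfg, asa_cfg, ios_crypto="101", ios_nat="NAT-ACL",
                 asa_crypto="outside_1_cryptomap", asa_nat0="inside_nat0_outbound"):
    """Return a list of human-readable findings; an empty list means the selectors agree."""
    findings = []
    ios_sel = {(s, d) for a, s, d in parse_ios_acl(ios_cfg, ios_crypto) if a == "permit"}
    names = parse_asa_names(asa_cfg)
    asa_sel = {(s, d) for a, s, d in parse_asa_acl(asa_cfg, asa_crypto, names) if a == "permit"}
    # 1. Crypto ACLs must be exact mirror images, or the two ends propose different
    #    phase-2 selectors and only one direction gets a usable SA.
    if {(d, s) for s, d in asa_sel} != ios_sel:
        findings.append(f"crypto ACLs are not mirror images: IOS [{_fmt(ios_sel)}] vs ASA [{_fmt(asa_sel)}]")
    # 2. IOS: tunnel traffic must be denied in the overload-NAT ACL, otherwise it is
    #    translated to the Dialer address before encryption and never matches the crypto ACL.
    nat_entries = parse_ios_acl(ios_cfg, ios_nat)
    for pair in ios_sel:
        if not _covered(pair, nat_entries, "deny"):
            findings.append(f"IOS NAT ACL {ios_nat} lacks a deny for {_fmt([pair])}")
    # 3. ASA: the same traffic needs a nat 0 (identity NAT) exemption.
    nat0 = parse_asa_acl(asa_cfg, asa_nat0, names)
    for pair in asa_sel:
        if not _covered(pair, nat0):
            findings.append(f"ASA {asa_nat0} does not exempt {_fmt([pair])} from NAT")
    # 4. With 'no sysopt connection permit-vpn', decrypted traffic is still filtered by the
    #    ACL on the crypto interface, so the inbound (remote->local) pair must be permitted.
    if re.search(r"^no sysopt connection permit-vpn\s*$", asa_cfg, re.M):
        for crypto_if in re.findall(r"^crypto map \S+ interface (\S+)\s*$", asa_cfg, re.M):
            m = re.search(rf"^access-group (\S+) in interface {crypto_if}\s*$", asa_cfg, re.M)
            inbound = parse_asa_acl(asa_cfg, m.group(1), names) if m else []
            for s, d in asa_sel:
                if not _covered((d, s), inbound):
                    findings.append(f"ASA {crypto_if} ACL does not permit decrypted {_fmt([(d, s)])}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", ASA_CONFIG), ("broken", BROKEN_ASA_CONFIG)):
        print(label, check_tunnel(IOS_CONFIG, cfg) or ["no selector or NAT mismatches found"])
```

On the posted excerpts the four checks come back clean, which is consistent with the poster's observation that the crypto configurations match; the broken variant shows how a single mask error on one side shows up as three related findings (mirror, nat 0 and interface ACL), since all of them are derived from the same selector.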