L2L VPN tunnel filter does not work as expected.

rizwanr74
Rising star

Hi Guys,

I have a strange problem with the VPN filter that I have on my L2L IPSec tunnel on an ASA.

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1414 host 16.19.56.60
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1414 host 16.19.56.61

works: access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1416 host 16.19.56.61
works: access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1416 host 16.19.56.60

When our hosts (16.19.56.60 and 16.19.56.61) initiate traffic, the traffic goes to destination port 1416 and it works.

When the remote host 20.183.75.152 initiates traffic, it comes to port 1414, and it does not work.

I don't know what is causing the issue in the VPN port filter ACL.

I also tried it this way, but it didn't help.

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 host 16.19.56.61 eq 1414

Any thoughts?

Thx

Rizwan Rafeek

1 Accepted Solution

Hello @rizwanr74,

Yes, you need to coordinate this with the remote end in order to check what is going on with the connection. I will also suggest using these lines in the VPN filter:

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 host 16.19.56.61 eq 1414

Let me know the results once you have them.

HTH

Gio

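The difference between the two ACL forms discussed above comes down to which side of the `permit tcp` line the `eq 1414` sits on. The following toy model is an added illustration, not code from this thread or from Cisco; it assumes the documented vpn-filter behaviour (the filter is written with the remote peer as source, and local-initiated flows are checked with the tuple swapped so the remote side is again the source) and the constructed ephemeral port 50123.

```python
"""Toy model of ASA vpn-filter matching (added illustration, not code from
the thread). Assumes, as Cisco documents, that the filter is written with
the remote peer as source and that local-initiated flows are checked with
the tuple swapped so the remote side is again the source."""
import re
from typing import List, NamedTuple, Optional

ACE_RE = re.compile(r"access-list \S+ extended permit tcp host (\S+)"
                    r"(?:\s+eq (\d+))?\s+host (\S+)(?:\s+eq (\d+))?\s*$")

class Ace(NamedTuple):
    src: str
    sport: Optional[int]  # None means any port
    dst: str
    dport: Optional[int]

def parse_ace(line: str) -> Ace:
    """Parse the 'permit tcp host A [eq p] host B [eq p]' form used in the thread."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported ACE: " + line)
    s, sp, d, dp = m.groups()
    return Ace(s, int(sp) if sp else None, d, int(dp) if dp else None)

def flow_permitted(acl: List[Ace], src, sport, dst, dport, local_hosts) -> bool:
    """True if the initiator's flow src:sport -> dst:dport hits a permit ACE.
    A flow started from a local host is swapped first (remote becomes source)."""
    if src in local_hosts:
        src, sport, dst, dport = dst, dport, src, sport
    return any(a.src == src and a.dst == dst and a.sport in (None, sport)
               and a.dport in (None, dport) for a in acl)

LOCAL = {"16.19.56.60", "16.19.56.61"}
REMOTE = "20.183.75.152"
# Original filter: 'eq 1414' follows the remote host, so it constrains the
# remote SOURCE port; a remote client connects from an ephemeral port instead.
ORIGINAL = [parse_ace(l) for l in (
    f"access-list MY_VPN_Filter extended permit tcp host {REMOTE} eq 1414 host 16.19.56.60",
    f"access-list MY_VPN_Filter extended permit tcp host {REMOTE} eq 1416 host 16.19.56.60")]
# Line from the accepted answer: 1414 is now the DESTINATION port on the local host.
FIXED = [parse_ace(
    f"access-list MY_VPN_Filter extended permit tcp host {REMOTE} host 16.19.56.60 eq 1414")]

def remote_initiated(acl: List[Ace], ephemeral: int = 50123) -> bool:
    """Remote host opens a connection to local port 1414 (the failing case)."""
    return flow_permitted(acl, REMOTE, ephemeral, "16.19.56.60", 1414, LOCAL)

def local_initiated(acl: List[Ace], ephemeral: int = 50123) -> bool:
    """Local host opens a connection to remote port 1416 (the working case)."""
    return flow_permitted(acl, "16.19.56.60", ephemeral, REMOTE, 1416, LOCAL)
```

Run `remote_initiated(ORIGINAL)` against `remote_initiated(FIXED)` to see why the `eq 1416` lines match local-initiated traffic while the `eq 1414` lines never match remote-initiated traffic.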

3 Replies

GioGonza
Enthusiast

Hello @rizwanr74

When you changed the ACL, did you bounce the VPN tunnel and test the connection again?

If you make changes on the VPN filter but you don't bounce the tunnel, the ASA will remain with the old entries and it doesn't show the new ones unless you start the tunnel one more time.

If you already did it, run the following commands:

1. Run the command: clear asp-drop

2. Place a capture for ASP drops: capture asp type asp-drop all

3. Perform the test and check the capture; verify if the traffic is being dropped.

4. Run the command: show asp-drop, in order to see the reason for the drop.

HTH

Gio

Hi Gio,

Thank you very much for your post, appreciated.

Yes, after changing the ACL, I killed phase 2 and phase 1.

About doing the capture, I could try, but it is difficult to coordinate with the remote system admin (Intel) to initiate traffic from the remote end.

I will keep you posted.

Thanks again for your input.

thx

Rizwan Rafeek

