cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1158
Views
0
Helpful
3
Replies

L2L VPN tunnel filter does not work as expected.

rizwanr74
Level 7
Level 7

Hi Guys,.

 

I have strange problem with VPN filter that I have on my L2L IPSect tunnel on ASA.

 

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1414 host 16.19.56.60
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1414 host 16.19.56.61


works: access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1416 host 16.19.56.61
works: access-list MY_VPN_Filter extended permit tcp host 20.183.75.152 eq 1416 host 16.19.56.60

 

When our hosts initiate traffic: 16.19.56.60 and 16.19.56.61, traffic go to destination port 1416, it works.

When remote host: 20.183.75.152 initiate traffic they come to port: 1414, it does not work.

 

I don't know what causing the issue, in the VPN port filter ACL.

 

I also tried this way, but it didn't help.

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.61 eq 1414

 

Any thoughts.

 

Thx

Rizwan Rafeek

1 Accepted Solution

Accepted Solutions

Hello @rizwanr74,

 

Yes, you need to coordinate this with the Remote end in order to check what is going with the connection, i will also suggest to use this lines in the VPN Filter: 

 

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.61 eq 1414

 

Let me know the results once you have them. 

 

HTH

Gio

View solution in original post

3 Replies 3

GioGonza
Level 4
Level 4

Hello @rizwanr74

 

 

When you changed the ACL, did you bounce the VPN tunnel and tested the connection again?

 

If you make changes on the VPN Filter but you don´t bounce the tunnel, the ASA will remain with the old entries and it doesn´t show the new ones unless you start the tunnel one more time. 

 

If you already did it, run the following commands: 

 

1. Run the command, clear asp-drop

2. Place a capture for Asp-Drops, capture asp type asp-drop all

3. Perform the test and check the capture, verify if the traffic is being dropped. 

4. Run the command, show asp-drop, in order to see the reason for the Drop. 

 

HTH

Gio

Hi Gio,

 

Thank for you very much for your post, appreciated.

Yes, after changing the ACL, I killed the phase 2 and phase 1.

 

About the doing the capture, I could try but it is difficult to coordination with remote system admin (Intel) to initiate traffic from remote-end.

 

I will keep you posted.

Thanks again for your input.

 

thx

Rizwan Rafeek

Hello @rizwanr74,

 

Yes, you need to coordinate this with the Remote end in order to check what is going with the connection, i will also suggest to use this lines in the VPN Filter: 

 

access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.60 eq 1414
access-list MY_VPN_Filter extended permit tcp host 20.183.75.152  host 16.19.56.61 eq 1414

 

Let me know the results once you have them. 

 

HTH

Gio