739 Views | 0 Helpful | 3 Replies

Multiple Out interface - VPN tunnel issue

ashwin_1212 (Level 1)

Hello Guys,

I have been facing issues setting up a VPN tunnel between a device behind network 20.X.X.X and our ASA on the Out1 interface 208.X.X.11. The VPN traffic hits the Outside3 interface on the ASA; however, when I run a packet capture I don't see the UDP packets (ISAKMP) being forwarded to the Out1 interface.

When we run packet-tracer we get the error "No route to host":


ASA2# packet-tracer input outside3 udp 20.X.X.1 isakmp 208.X.X.11 isakmp detailed

Result:
input-interface: Outside3
input-status: up
input-line-status: up
Action: drop
Drop-reason: (no-route) No route to host

We already have the route below added, and the interface route is reflected in the routing table.

Route added: route Outside3 20.X.X.1 255.255.255.255 192.168.20.1

[Attachment: Asa VPN.png]

Can anyone help me with how I can have the ISAKMP traffic pass through the Out3 interface and enable the tunnel to be established using the Out1 interface?

3 Replies

curdubanbogdan (Level 1)

Does the router have a route to the outside 1 network? (I guess it's a default route, being a stub network.)

You can do one-to-one NAT for both outside networks when the destination is 20.x.x.x.

Thanks.

Hi, thanks for helping.

Outside1 is a directly connected interface on the ASA, and the default route is set to use the outside interface (directly connected as well).

[Attachment: Asa VPN.png]

While I have other VPN tunnels terminating on the Out1 interface with the destination being that same interface (Out1), it is just this particular VPN connection that is not being established. Here the source is behind the Out4 interface and is trying to bring up a VPN session with the Out1 interface IP. This is where I see that the ISAKMP traffic from the remote peer hits the Out4 interface, but there is no packet trace of the UDP traffic passing through the Out4 interface and egressing via the Out1 interface.

PS: The security level on both the Out4 and Out1 interfaces is set to 0.

Hi,
If the remote peer is reached via interface OUT3, then you will have to peer with it using that interface. You cannot route through the ASA and peer with it using the OUT1 interface.

You will need to enable IKEv1 or IKEv2 on the OUT3 interface.

HTH
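As an added illustration of the advice in this reply (not configuration from the original thread or from the poster's ASA), the fragment below terminates the 20.X.X.1 peer on Outside3, the interface through which that peer is actually reachable, instead of trying to reach the Out1 address across the firewall. The route line is the one the original post already has; everything else (policy numbers, proposal and ACL names, the 10.10.10.0/24 and 172.16.50.0/24 subnets, the placeholder pre-shared key and the Outside3 address placeholder) is assumed and must be replaced with site values.

```cisco
! Added example, not the thread's own config. Assumed names and values are marked.
! Route to the remote peer already present on the ASA (from the original post):
route Outside3 20.X.X.1 255.255.255.255 192.168.20.1

! Enable IKEv2 on the interface that faces the peer. This is the step the
! reply above calls out: the peer must terminate on Outside3, not Out1.
crypto ikev2 enable Outside3

! IKEv2 policy (assumed algorithm choices).
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! IPsec proposal (assumed name AES256-SHA).
crypto ipsec ikev2 ipsec-proposal AES256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic (assumed subnets: local 10.10.10.0/24, remote 172.16.50.0/24).
access-list VPN-TO-20X extended permit ip 10.10.10.0 255.255.255.0 172.16.50.0 255.255.255.0

! Crypto map bound to Outside3 (assumed map name OUT3-MAP).
crypto map OUT3-MAP 10 match address VPN-TO-20X
crypto map OUT3-MAP 10 set peer 20.X.X.1
crypto map OUT3-MAP 10 set ikev2 ipsec-proposal AES256-SHA
crypto map OUT3-MAP interface Outside3

! Tunnel group keyed on the peer address; the PSK is a placeholder.
tunnel-group 20.X.X.1 type ipsec-l2l
tunnel-group 20.X.X.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE-WITH-PSK>
 ikev2 local-authentication pre-shared-key <REPLACE-WITH-PSK>

! Re-run the original post's check, but against the Outside3 interface address
! (placeholder <OUTSIDE3-IP>) rather than the Out1 address 208.X.X.11.
packet-tracer input Outside3 udp 20.X.X.1 isakmp <OUTSIDE3-IP> isakmp detailed
```

With the map on Outside3, packet-tracer should show the ISAKMP packet accepted by the box itself instead of the "no-route" drop seen when it was aimed at the Out1 address, and `show crypto ikev2 sa` should list the peer once it negotiates. If IKEv1 is in use, the equivalent is `crypto ikev1 enable Outside3` with an IKEv1 policy and transform set in place of the IKEv2 policy and proposal.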