No routing into VPN-tunnel through NAT

holger.weinel
Level 1

Hi,

we are using Cisco ASA 5520 in active/standby configuration running version 8.2 (2)

We use it as a VPN gateway. To ensure we have no routing conflicts with several internal networks, we NAT all incoming VPN traffic pointing to a group of hosts to the internal interface IP.

We have the problem that if a VPN-connected source IP tries to reach, through the tunnel, a destination IP which is not in the group for NAT, all of the traffic runs into a SYN timeout. In tcpdump we could see that after that, the ASA sends no more answer (SYN-ACK) to TCP SYN packets to this IP through the tunnel.

Here are the questions:

What is the command to find those connections?

We can see:

sh conn | inc aB

TCP outside 66.77.88.1(10.1.1.1):63674 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):39808 inside 66.77.88.99:60124, idle 0:00:03, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):47566 inside 66.77.88.99:60124, idle 0:00:05, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):10166 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):59205 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):25251 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):26516 inside 66.77.88.99:60124, idle 0:00:03, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):53254 inside 66.77.88.99:60124, idle 0:00:08, bytes 0, flags aB

clear crypto ipsec sa peer x.x.x.x

clear crypto isakmp sa x.x.x.x

clear xlate interface inside local 10.1.1.1

doesn't solve the problem. Are there commands to solve the problem without rebooting the device? When the tunnel comes up we could see the connections again with the flags aB.

Kind regards

Holger
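To find the half-open connections Holger describes programmatically rather than by eye, here is an added example (not from the thread) that parses lines in the 8.2 `show conn` format quoted above and groups the embryonic TCP entries (flags containing a and B, zero bytes) by source and destination. The sample lines are constructed from the post; the parenthesised address is assumed to be the NAT counterpart of the address in front of it, and the post does not say which of the two is the real one, so the parser keeps both.

```python
import re
from collections import defaultdict

# Constructed sample in the "show conn" format of ASA 8.2, modelled on the post
# (four stuck half-open entries, one established session, one UDP entry).
SAMPLE_SHOW_CONN = """\
TCP outside 66.77.88.1(10.1.1.1):63674 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):39808 inside 66.77.88.99:60124, idle 0:00:03, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):47566 inside 66.77.88.99:60124, idle 0:00:05, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):53254 inside 66.77.88.99:60124, idle 0:00:08, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):10166 inside 66.77.88.99:22, idle 0:12:41, bytes 48210, flags UIO
UDP outside 66.77.88.1(10.1.1.1):500 inside 192.0.2.10:500, idle 0:00:02, bytes 1200, flags -
"""

# One conn line: proto, interface, address[(nat-counterpart)]:port, twice, then idle/bytes/flags.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<src_if>\S+)\s+(?P<src_ip>[\d.]+)(?:\((?P<src_alt>[\d.]+)\))?"
    r":(?P<src_port>\d+)\s+(?P<dst_if>\S+)\s+(?P<dst_ip>[\d.]+)(?:\((?P<dst_alt>[\d.]+)\))?"
    r":(?P<dst_port>\d+),\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),"
    r"\s+flags\s+(?P<flags>\S+)$"
)


def parse_show_conn(text):
    """Parse 'show conn' output into a list of dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        h, mi, s = (int(x) for x in d["idle"].split(":"))
        d["idle_s"] = h * 3600 + mi * 60 + s  # idle time in seconds
        conns.append(d)
    return conns


def stuck_half_open(conns, min_count=3):
    """Group embryonic TCP conns (flags a and B, no payload bytes) by (src, dst, dst_port);
    return the groups that reach min_count, i.e. destinations that never complete a handshake."""
    groups = defaultdict(int)
    for c in conns:
        if c["proto"] == "TCP" and "a" in c["flags"] and "B" in c["flags"] and c["bytes"] == 0:
            groups[(c["src_ip"], c["dst_ip"], c["dst_port"])] += 1
    return {key: n for key, n in groups.items() if n >= min_count}


if __name__ == "__main__":
    for key, n in stuck_half_open(parse_show_conn(SAMPLE_SHOW_CONN)).items():
        print(f"{n} half-open conns from {key[0]} to {key[1]}:{key[2]}")
```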


8 Replies

ramds
Level 1

Hi Holger,

It would be great if you can attach the running configuration from both devices and also be specific in explaining the scenario (like with IP addresses, what source and destination, etc.).

--

Ramya

-- Please rate the solutions.

Hi Ramya,

An excerpt of our configuration, modified to fictive IP addresses, is attached.

In our log server we could see the following entries, as in the file 10.1.1.1, also with fictive IP addresses.

Best regards

Holger

Hi,

I don't see a crypto map applied on the interface as per the configuration attached.

Regards,

Anisha

Hi Anisha,

the statement

crypto map outside_map 29 match address 129

matches

access-list 129 extended permit ip 66.77.88.0 255.255.255.192 host 10.1.1.1

Also enabled is

crypto isakmp enable outside

Was this the answer to your question?

Regards,

Holger

Hi,

You need to have the crypto map applied to the interface.

E.g.

interface fa0/0

     crypto map outside_map

This is usually applied on the outside interface, i.e. where the tunnel is terminating. Without this command the tunnel will not be initiated.

I don't see that command in the configuration.

crypto isakmp enable outside -- enables the outside interface to listen to ISAKMP

The access-list specifies the interesting traffic to pass through the tunnel.

Hope it clears my question.

Regards,

Anisha

Hi,

The syntax has changed, I guess.

Here is the syntax we use on version 8.22:

crypto map outside_map interface outside

I only forgot to put it in the configuration excerpt. The sample is completed and again attached.

My main problem is to find the command to clear these sessions with the state aB.

Regards,

Holger

Hi,

Did I write anything wrong? I've got no new posting for a few days.

Otherwise I mention that only a reboot helps to bring the Cisco ASA back into an operational state for all VPN tunnels. :-(

One more tunnel was affected by this problem and we need to migrate it to an alternate VPN gateway.

Any idea?

Regards

Holger

Today I had a conference call with Rahul Ilwadhi from Cisco.

We figured out the solution of the problem:

We did a migration from version 7.24 to version 8.22.

The sysopt connection reclassify-vpn command didn't exist on version 7.24.

So through the configuration conversion it was set to

no sysopt connection reclassify-vpn

This caused that, after a link down on the external interface, the routing for this tunnel didn't work anymore.

Enabling

sysopt connection reclassify-vpn

fixes the problem.

Thank you Rahul for the great support.

Best regards.

Holger
