01-28-2011 05:50 AM
Hi,
We are using a Cisco ASA 5520 in active/standby configuration running version 8.2(2).
We use it as a VPN gateway. To avoid routing conflicts with several internal networks, we NAT all incoming VPN traffic pointing to a group of hosts to the internal interface IP.
We have the problem that if a VPN-connected source IP tries to reach, through the tunnel, a destination IP which is not in the NAT group, all of the traffic runs into a SYN timeout. In tcpdump we could see that after that, the ASA sends no more answers (SYN-ACK) to TCP SYN packets to this IP through the tunnel.
Here are the questions:
What is the command to find those connections?
We can see:
sh conn | inc aB
TCP outside 66.77.88.1(10.1.1.1):63674 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):39808 inside 66.77.88.99:60124, idle 0:00:03, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):47566 inside 66.77.88.99:60124, idle 0:00:05, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):10166 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):59205 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):25251 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):26516 inside 66.77.88.99:60124, idle 0:00:03, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):53254 inside 66.77.88.99:60124, idle 0:00:08, bytes 0, flags aB
clear crypto ipsec sa peer x.x.x.x
clear crypto isakmp sa x.x.x.x
clear xlate interface inside local 10.1.1.1
doesn't solve the problem. Are there commands to solve the problem without rebooting the device? When the tunnel comes up, we can see the connections again with the flags aB.
Kind regards
Holger
01-31-2011 09:03 PM
Hi Holger,
It would be great if you could attach the running configuration from both devices and also be specific in explaining the scenario (with IP addresses, which source and destination, etc.).
--
Ramya
-- Please rate the solutions.
02-02-2011 07:37 AM
Hi,
I don't see a crypto map applied on the interface in the attached configuration.
Regards,
Anisha
02-03-2011 08:14 AM
Hi,
You need to have the crypto map applied to the interface.
E.g.
interface fa0/0
crypto map outside_map
This is usually applied on the outside interface, i.e. where the tunnel is terminating. Without this command the tunnel will not be initiated.
I don't see that command in the configuration.
crypto isakmp enable outside -- enables the outside interface to listen for ISAKMP
The access-list specifies the interesting traffic to pass through the tunnel.
Hope it clears my question.
Regards,
Anisha
02-03-2011 06:11 AM
Hi Anisha,
The statement
crypto map outside_map 29 match address 129
matches
access-list 129 extended permit ip 66.77.88.0 255.255.255.192 host 10.1.1.1
Also enabled is
crypto isakmp enable outside
Was this the answer to your question?
Regards,
Holger
02-10-2011 05:21 AM
Hi,
The syntax has changed, I guess.
Here is the syntax we use on version 8.22:
crypto map outside_map interface outside
I only forgot to put it in the configuration excerpt. The sample has been completed and attached again.
My main problem is finding the command to clear these sessions with the state aB.
Regards,
Holger
02-24-2011 09:48 AM
Hi,
Did I write anything wrong? I've got no new posting for a few days.
Otherwise I mention that only a reboot helps to bring the Cisco ASA back into an operational state for all VPN tunnels. :-(
One more tunnel was affected by this problem and we need to migrate it to an alternate VPN gateway.
Any idea?
Regards
Holger
05-02-2011 03:03 AM
Today I had a conference call with Rahul Ilwadhi from Cisco.
We figured out the solution to the problem:
We did a migration from version 7.24 to version 8.22.
The sysopt connection reclassify-vpn command didn't exist on version 7.24.
So through the configuration conversion it was set to
no sysopt connection reclassify-vpn
This caused that after a link down on the external interface, the routing for this tunnel didn't work anymore.
Enabling
sysopt connection reclassify-vpn
fixes the problem.
Thank you Rahul for the great support.
Best regards.
Holger
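An added example (not from this thread, Cisco or the ASA itself) that turns the two checks discussed above into code: it parses "show conn" output in the format of the first post's "sh conn | inc aB" lines, groups half-open TCP connections per peer and port to spot the stuck SYNs, and scans a running-config excerpt for the "no sysopt connection reclassify-vpn" line the final post identified as the cause. The sample connection table and config excerpt are constructed for the example; the a/A flag meaning (awaiting ACK to SYN) follows the ASA show conn legend.

```python
import re
from collections import Counter
# Constructed sample in the format of the thread's "sh conn | inc aB" output
# (first lines) plus one established connection (flags UIO) to show the filter.
SAMPLE_CONN = """\
TCP outside 66.77.88.1(10.1.1.1):63674 inside 66.77.88.99:60124, idle 0:00:00, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):39808 inside 66.77.88.99:60124, idle 0:00:03, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):47566 inside 66.77.88.99:60124, idle 0:00:05, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):53254 inside 66.77.88.99:60124, idle 0:00:08, bytes 0, flags aB
TCP outside 66.77.88.1(10.1.1.1):40001 inside 66.77.88.99:443, idle 0:10:12, bytes 5120, flags UIO
"""
# Constructed config excerpt carrying the setting the thread identified as the cause.
SAMPLE_CONFIG = "crypto map outside_map interface outside\nno sysopt connection reclassify-vpn\n"

CONN_RE = re.compile(  # one ASA 8.2 "show conn" line: proto, if, ip(mapped):port, ..., idle, bytes, flags
    r"^(?P<proto>\w+)\s+(?P<src_if>\S+)\s+(?P<src>[\d.]+)(?:\([\d.]+\))?:(?P<sport>\d+)"
    r"\s+(?P<dst_if>\S+)\s+(?P<dst>[\d.]+)(?:\([\d.]+\))?:(?P<dport>\d+),"
    r"\s+idle\s+(?P<idle>\d+:\d\d:\d\d),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>\S*)$"
)

def idle_seconds(idle):
    """Convert the h:mm:ss idle field to seconds."""
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s

def parse_conn(text):
    """Parse 'show conn' output into dicts; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["dport"], d["bytes"] = int(d["dport"]), int(d["bytes"])
            d["idle_s"] = idle_seconds(d["idle"])
            conns.append(d)
    return conns

def stuck_embryonic(conns, min_count=3):
    """Count half-open TCP conns (flag a/A = awaiting ACK to SYN, zero bytes) per
    (source, destination, port); several from one peer to one port, as in the thread."""
    counts = Counter(
        (c["src"], c["dst"], c["dport"]) for c in conns
        if c["proto"] == "TCP" and c["bytes"] == 0 and set("aA") & set(c["flags"])
    )
    return {k: n for k, n in counts.items() if n >= min_count}

def reclassify_vpn_disabled(config):
    """True if the running config carries 'no sysopt connection reclassify-vpn'."""
    return any(ln.strip() == "no sysopt connection reclassify-vpn" for ln in config.splitlines())
```

Feed it the real "show conn" and "show running-config" output of a suspect unit; a non-empty result from stuck_embryonic together with a True from reclassify_vpn_disabled reproduces the symptom and the cause described in this thread.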