Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
758
Views
3
Helpful
7
Replies

Packet capture VPN SYN Error - No return traffic

Go to solution
m.s.rees1
Level 1
Level 1

‎08-17-2023 01:16 AM

Hi,

We are getting no response from a server over a VPN and the only thing I am getting with a packet capture is below. Can anyone point me in the right direction as to where the issue is? You can see the traffic outbound with data, but nothing ever returns.

msrees1_1-1692260007789.png

msrees1_0-1692259980027.png

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to m.s.rees1

‎08-17-2023 01:59 AM

@m.s.rees1 well I can determine you are intentially translating traffic to 192.168.190.35, so traffic is not unintentially translated behind the ASA outside interface IP, which is a common problem. So from what I can tell your configuration seems ok. Contact the peer and review the configuration and troubleshoot with them.

View solution in original post

7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

‎08-17-2023 01:22 AM

@m.s.rees1 run packet-tracer from the CLI of your ASA to confirm traffic is allowed and not unintentially NAT translated. Check "show crypto ipsec sa" and determine whether the encaps counters are increasing. If the decaps counters are not increasing then the peer is not returning traffic, the peer needs to check traffic is permitted on their firewall and the traffic is not unintentially translated.

Go to solution
m.s.rees1
Level 1
Level 1
In response to Rob Ingram

‎08-17-2023 01:32 AM - edited ‎08-17-2023 01:33 AM

Thanks for the reply. When running packet tracer all phases show ALLOW, with this as the end result:

msrees1_0-1692260974082.png

The Show crypto ipsec sa retruns the following:

msrees1_1-1692261063106.png

So I am getting 0 on the decaps. Do you think that is pointing to the peer, or could it still be my end?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to m.s.rees1

‎08-17-2023 01:43 AM

@m.s.rees1 if your packet-tracer action is "allow" and you are encrypting the traffic and not receiving any return traffic, this generally points to a problem with the peer.

I assume packet-tracer confirms your crypto ACL is correct and traffic is not unintentially translated? If yes, talk to the peer.

0 Helpful

Go to solution
m.s.rees1
Level 1
Level 1
In response to Rob Ingram

‎08-17-2023 01:49 AM

Right ok, this my full capture:

We do have a NAT in place. My 172 address is using the NAT address 192.168.190.35, which you can see in phase 4. Does this look good?

packet-tracer input inside tcp 172.22.26.202 1234 192.168.190.2 http

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static server server_nat destination static peer_remote peer_remote
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.190.2/80 to 192.168.190.2/80

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static server server_nat destination static peer_remote peer_remote
Additional Information:
Static translate 172.22.26.202/1234 to 192.168.190.35/1234

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static server server_nat destination static peer_remote peer_remote
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 8955569, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to m.s.rees1

‎08-17-2023 01:59 AM

@m.s.rees1 well I can determine you are intentially translating traffic to 192.168.190.35, so traffic is not unintentially translated behind the ASA outside interface IP, which is a common problem. So from what I can tell your configuration seems ok. Contact the peer and review the configuration and troubleshoot with them.

Go to solution
m.s.rees1
Level 1
Level 1
In response to Rob Ingram

‎08-17-2023 02:01 AM

Great, thankyou for your input.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎08-17-2023 04:09 AM - edited ‎08-17-2023 04:10 AM

Hi

I send you message to guide you how solve issue' check it.

Customers Also Viewed These Support Documents