4191 Views | 95 Helpful | 36 Replies

Packet tracer output- what ACL is dropping this L2L VPN traffic?

Hello. Please view below packet tracer output...

ASA1120# packet-tracer input inside icmp (!! ip of my inside_in interface !!) 8 0 (!! ip of remote inside interface through L2L tunnel !!) $

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 37888 ns
Config:
nat (inside,outside) source static MY-LAN-NETWORK-1 MY-LAN-NETWORK-1 destination static VENDOR1-LAN-NETWORK-1 VENDOR1-LAN-NETWORK-1
Additional Information:
NAT divert to egress interface outside
Untranslate (!! ip of my inside_in interface !!)/0 to (!! ip of remote inside interface through L2L tunnel !!)/0

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Elapsed time: 9344 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e3daff3c0, priority=501, domain=permit, deny=true
hits=3, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=(!! ip of my inside_in interface !!), mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Time Taken: 47232 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562a86cf3817 flow (NA)/NA

Below is the inside_in ACL, verified attached to the inside interface, AFTER packet tracer execution (hitcnt=0)...

access-list inside_in line 1 remark THIS ALLOWS TRAFFIC FROM SUBNET TO VENDOR1 SUBNET VIA L2L TUNNEL
access-list inside_in line 2 extended permit ip 172.16.1.0 255.255.255.0 172.16.8.0 255.255.255.0 (hitcnt=0) 0xedf8ec93

Possibly relevant (?)-- snippet from VPN config...
==========
8. Configure the ACL for VENDOR1_VPN_FILTER_ACL-1.
#access-list VENDOR1_VPN_FILTER_ACL-1 extended
#10 permit ip 172.16.8.0 255.255.255.0 172.16.1.0 255.255.255.0  (!! This seems to imply remote to local traffic. !!)

10. Configure Internal Group Policy & attributes.
#group-policy 2.2.2.2 internal
#group-policy 2.2.2.2 attributes
#vpn-filter VENDOR1_VPN_FILTER_ACL-1
#vpn-tunnel-protocol ikev2
#pfs enable
==========

Very relevant: the data below suggests/confirms that only 2 access lists are applied on this ASA: ACL inside_in on the inside interface, and ACL outside_in on the relevant outside1 interface.

ASA1120#  sh run | inc access-group

access-group inside_in in interface inside
access-group outside_in in interface outside1

It seems the traffic is being dropped because it is first referencing a different ACL? What ACL would this be?

Thank you.

36 Replies

@jmaxwellUSAF the vendor has PFS group 2 defined; you don't have this defined in your configuration, though depending on your ASA version that could be the default. Either way, define it: "crypto map VENDOR1-cryptomap-1 1 set pfs group2".

FYI, group2 is very weak and on new ASA versions has been deprecated.

You don't have the IKEv2 Proposal/Policy information for the vendor, so cannot confirm it is identical.

The vendor has a transform-set called aes256-sha but hasn't included what is actually configured. I can guess AES 256, but SHA could be SHA1, SHA256, SHA384 or SHA512. You have explicitly configured SHA512 under the ipsec-proposal.

Request the IKEv2 Proposal/Policy and Transform Set information from the vendor to confirm they are identical to yours.

You could also take a packet capture on the outside of the ASA for udp/500 from the vendor IP address; this will confirm the IKEv2 information received from the peer.

 

Thank you for your very effective reply. I will be emailing the vendor after your next reply.

Please ponder the DH group data below...

ENTERPRISE1 config...
crypto ikev2 policy 100
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
===

VENDOR1 config...
set transform-set aes256-sha
set pfs group2
set ikev2-profile ENTERPRISE1
match address ENTERPRISE1
===

data from Google...
"If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21"

So there exist three DH groups in play here.

1. Is there a downside to just using DH group 21 in both instances?

2. May you please suggest the best way to clean up these multiple DH groups? 

3. "lifetime seconds 86400"-- Must this match on both endpoint configs?

Thank you.

@jmaxwellUSAF well there is no point using pfs group2 if you've used a stronger group (14) to establish the IKEv2 SA. Align both to either group 14 or ideally the stronger 21 (if supported on both peer devices).

For IKEv2 if the two ends have different lifetime policies, the end with the shorter lifetime will end up always being the one to request the rekeying. 
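To make the DH-group comparison in this reply repeatable, here is an added Python checker (not from the thread or from Cisco) that parses the two config fragments posted above and reports mismatches, missing values and weak groups. The vendor's IKEv2 proposal is not in the thread, so the sample remote config deliberately leaves it out and the checker reports it as something to request from the peer; the set of "weak" groups (1, 2, 5) is an assumption based on current guidance, not a value from the thread.

```python
"""Compare DH group settings of two IKEv2/IPsec peers.

Added example, not from the thread. The two config strings below are
constructed from the fragments posted in this thread (ASA side and vendor
side); anything not posted (the vendor's IKEv2 proposal, the ASA's PFS
setting) is intentionally left out so the checker flags it.
"""
import re

# Constructed from the thread's ENTERPRISE1 fragment (ASA side).
ENTERPRISE1_CFG = """\
crypto ikev2 policy 100
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
"""

# Constructed from the thread's VENDOR1 fragment (IOS-style crypto map).
VENDOR1_CFG = """\
 set transform-set aes256-sha
 set pfs group2
 set ikev2-profile ENTERPRISE1
 match address ENTERPRISE1
"""

# Assumption: groups 1, 2 and 5 are treated as too weak for new deployments.
WEAK_GROUPS = {1, 2, 5}


def parse_ike_group(cfg):
    """DH group negotiated for the IKEv2 SA ('group N' in a policy/proposal)."""
    m = re.search(r"^\s*group\s+(\d+)\s*$", cfg, re.M)
    return int(m.group(1)) if m else None


def parse_pfs_group(cfg):
    """PFS group for the IPsec SA ('set pfs groupN' on IOS/ASA crypto maps)."""
    m = re.search(r"set pfs group(\d+)", cfg)
    return int(m.group(1)) if m else None


def parse_lifetime(cfg):
    """IKEv2 SA lifetime in seconds, if present."""
    m = re.search(r"lifetime seconds (\d+)", cfg)
    return int(m.group(1)) if m else None


def compare_dh(local_cfg, remote_cfg):
    """Return a list of human-readable findings; empty list means aligned."""
    findings = []
    for label, parser in (("IKEv2 DH group", parse_ike_group),
                          ("PFS group", parse_pfs_group)):
        l, r = parser(local_cfg), parser(remote_cfg)
        if l is None or r is None:
            side = "local" if l is None else "remote"
            findings.append(f"{label}: missing on {side} side; confirm with the peer")
        elif l != r:
            findings.append(f"{label} mismatch: local group {l} vs remote group {r}")
        for side, g in (("local", l), ("remote", r)):
            if g in WEAK_GROUPS:
                findings.append(f"{label}: {side} uses weak group {g}; "
                                "align both peers on 14 or 21")

    # Lifetime mismatch is not fatal: the shorter side initiates rekeys.
    lt_l, lt_r = parse_lifetime(local_cfg), parse_lifetime(remote_cfg)
    if lt_l and lt_r and lt_l != lt_r:
        findings.append(f"lifetime differs ({lt_l} vs {lt_r}); not fatal, "
                        "the shorter side will initiate rekeys")

    # PFS weaker than the IKE group adds nothing to the IPsec SA's security.
    ike = parse_ike_group(local_cfg) or parse_ike_group(remote_cfg)
    for side, cfg in (("local", local_cfg), ("remote", remote_cfg)):
        pfs = parse_pfs_group(cfg)
        if ike and pfs in WEAK_GROUPS and ike not in WEAK_GROUPS:
            findings.append(f"{side} PFS group {pfs} is weaker than IKE group "
                            f"{ike}; PFS adds nothing unless it is at least as strong")
    return findings


if __name__ == "__main__":
    for line in compare_dh(ENTERPRISE1_CFG, VENDOR1_CFG):
        print("-", line)
```

Run against the thread's fragments it reports the vendor's missing IKEv2 group, the ASA's missing PFS setting, the weak group2, and that group2 PFS is pointless next to a group 14 IKE SA; once both peers carry the same non-weak group in both places it returns an empty list.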

I will run a lab and try to do the same config you use and compare the packet-tracer output I get with yours.

@jmaxwellUSAF don't use the ASA's interface when testing, test "through" the ASA, use a network behind the ASA.

#access-list VENDOR1_VPN_FILTER_ACL-1 extended
#10 permit ip 172.16.8.0 255.255.255.0 172.16.1.0 255.255.255.0  (!! This seems to imply remote to local traffic. !!)

A VPN Filter ACL is different to a normal ACL -

"When a vpn-filter is applied to a group-policy that governs a L2L VPN connection, the ACL should be configured with the remote network in the src_ip position of the ACL and the local network in the dest_ip position of the ACL." https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
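Two points in this reply can be checked mechanically: which phase of the packet-tracer output actually dropped the flow (and whether its matched rule's source is the ASA's own interface address rather than a host behind it), and whether the vpn-filter ACE is the src/dst mirror of the inside_in ACE. The following Python helper is an added example, not from the thread or from Cisco; the embedded trace is a constructed copy of the original post's packet-tracer output with 172.16.1.1 standing in for the redacted inside interface IP.

```python
"""Parse ASA packet-tracer output and sanity-check vpn-filter direction.

Added example, not from the thread. SAMPLE_TRACE is constructed from the
original post's output; 172.16.1.1 is a placeholder for the redacted
inside interface address.
"""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static MY-LAN-NETWORK-1 MY-LAN-NETWORK-1 destination static VENDOR1-LAN-NETWORK-1 VENDOR1-LAN-NETWORK-1

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3e3daff3c0, priority=501, domain=permit, deny=true
hits=3, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=172.16.1.1, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=inside, output_ifc=any

Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

RULE_RE = re.compile(r"(src|dst) ip/id=([^,\s]+), mask=([^,\s]+)")
ACE_RE = re.compile(r"(permit|deny)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_phases(text):
    """Split packet-tracer output on blank lines; keep only 'Phase:' blocks."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if not block.startswith("Phase:"):
            continue
        phase = {"implicit": "Implicit Rule" in block,
                 "deny": "deny=true" in block}
        for line in block.splitlines():
            m = re.match(r"(Phase|Type|Subtype|Result):\s*(.*)$", line)
            if m:
                phase[m.group(1).lower()] = m.group(2)
        for end, ip, mask in RULE_RE.findall(block):
            phase[end] = (ip, mask)  # matched rule's src/dst, if printed
        phases.append(phase)
    return phases


def find_drop(text):
    """Return the first phase whose Result is DROP, or None if allowed."""
    for p in parse_phases(text):
        if p.get("result") == "DROP":
            return p
    return None


def diagnose(text, asa_interface_ips):
    """Explain a drop in plain terms, given the ASA's own interface IPs."""
    drop = find_drop(text)
    if drop is None:
        return ["no DROP phase: flow allowed"]
    findings = [f"dropped in phase {drop['phase']} ({drop['type']})"]
    if drop["implicit"]:
        findings.append("matched an implicit rule, not a configured access-group ACL")
    src = drop.get("src")
    if src and src[1] == "255.255.255.255" and src[0] in asa_interface_ips:
        findings.append("source is the ASA's own interface address; "
                        "test from a host behind the ASA instead")
    return findings


def expected_vpn_filter_ace(interface_ace):
    """A vpn-filter ACE is written remote->local, so it is the src/dst mirror
    of the inside-interface ACE (local->remote) for the same two networks."""
    m = ACE_RE.match(interface_ace.strip())
    if not m:
        raise ValueError("unsupported ACE: " + interface_ace)
    action, proto, src, smask, dst, dmask = m.groups()
    return f"{action} {proto} {dst} {dmask} {src} {smask}"


if __name__ == "__main__":
    for line in diagnose(SAMPLE_TRACE, {"172.16.1.1"}):
        print("-", line)
    print(expected_vpn_filter_ace(
        "permit ip 172.16.1.0 255.255.255.0 172.16.8.0 255.255.255.0"))
```

Feed it the real output with the set of your ASA's interface addresses and it points at the implicit-rule drop and the interface-IP source; the mirror check confirms that the thread's VENDOR1_VPN_FILTER_ACL-1 line is the correct remote-to-local form of the inside_in ACE.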

 

My lab was using IKEv1; I will use IKEv2 and share with you how we can debug Phase 1 and Phase 2 in ASA.
Thanks

 

Progress. The command below shows NO ERRORS.
#packet-tracer input inside icmp 172.16.1.5 8 0 172.16.8.5 detail.
=====
But...
ASA1120# show crypto ipsec sa peer 2.2.2.2
There are no ipsec sas


ASA1120# sh vpn-sessiondb l2l
INFO: There are presently no active sessions

ASA1120# sh asp drop

Frame drop:
Flow is denied by configured rule (acl-drop) 1466
FP L2 rule drop (l2_acl) 1

May you please suggest the next troubleshooting step?

Thank you.