10-20-2010 07:55 AM
Hi to everyone,
I have a problem with a site-to-site VPN between an ASA 5520 (NAT Traversal) and a Cisco 1481 router (no NAT Traversal).
The tunnel starts correctly and works properly with some protocols, but doesn't work with others.
One side uses NAT-T encapsulation and the other uses Tunnel UDP-Encaps.
For example, HTTP works, TeamViewer works, UltraVNC works.
Remote Desktop doesn't work, and the same goes for other kinds of applications. When one of those applications starts, the tunnel goes down on the ASA side and stays up on the 1841 (but nothing works).
The ASA is behind a network balancer (Peplink), so it is the Peplink that does NAT for the outside network.
LAN address 192.168.1.5 is NATed (but exempted in the tunnel) to 172.16.0.5, and the Peplink NATs it to a public IP address.
Similarly, the ASA is 172.16.0.254 and the Peplink NATs it to another public IP address.
The 'sh crypto ipsec sa' output is:
Router:
interface: Serial0/0/0.1
Crypto map tag: SDM_CMAP_1, local addr 151.8.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer x.x.x.x port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
#pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 151.8.x.x, remote crypto endpt.: 151.13.x.x
path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.1
current outbound spi: 0x7E27190C(2116491532)
inbound esp sas:
spi: 0xDF2F7622(3744429602)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2003, flow_id: FPGA:3, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4515499/2974)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7E27190C(2116491532)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2004, flow_id: FPGA:4, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4515499/2974)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
ASA:
interface: Outside
Crypto map tag: Outside_map1, seq num: 1, local addr: 172.16.0.254
access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
local ident (addr/mask/prot/port): (SDLANLOTTO23/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (SCLAN/255.255.255.0/0/0)
current_peer: scextrouter
#pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.16.0.254/4500, remote crypto endpt.: scextrouter/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: DF2F7622
current inbound spi : 7E27190C
inbound esp sas:
spi: 0x7E27190C (2116491532)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 962560, crypto-map: Outside_map1
sa timing: remaining key lifetime (kB/sec): (4373999/2798)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xDF2F7622 (3744429602)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 962560, crypto-map: Outside_map1
sa timing: remaining key lifetime (kB/sec): (4373999/2798)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Output for 'sh crypto isakmp sa' is:
Router:
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
151.13.x.x 151.8.x.x QM_IDLE 1001 0 ACTIVE
ASA:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: scextrouter
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Has anyone had the same problem in the past?
Is it possible to resolve it?
Thanks.
10-20-2010 06:47 PM
Doesn't seem to be a VPN issue if other applications but RDP work through the VPN tunnel.
I would think it is more an MSS issue.
Try lowering the MSS on either the router or the ASA:
ASA: sysopt connection tcpmss 1300
Router: ip tcp adjust-mss 1300 (on the LAN interface)
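As an added illustration (not part of the thread), the model below shows why a 1460-byte default MSS breaks inside this particular tunnel and why 1300 fits: it adds up the tunnel-mode ESP, NAT-T and esp-3des/esp-sha-hmac overhead from the SA output against the 1500-byte path MTU both devices report. The per-field sizes are standard ESP/NAT-T values, not figures from the page; the "ipsec overhead 66" the ASA prints is its own worst-case estimate, so this is an approximation of it, and the outcome function assumes the usual Windows behaviour of setting DF on TCP segments.

```python
# Constructed model of TCP-in-ESP(tunnel)+NAT-T packet growth for the thread's
# transform set (esp-3des esp-sha-hmac). Sizes are standard protocol constants.
IP_HDR = 20        # outer IPv4 header added by tunnel mode (no options)
UDP_HDR = 8        # NAT-T encapsulation on UDP/4500
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
IV_3DES = 8        # "IV size: 8 bytes" in the SA output
ESP_TRAILER = 2    # pad length + next header
ICV_SHA1 = 12      # esp-sha-hmac truncates HMAC-SHA1 to 96 bits
BLOCK_3DES = 8     # CBC block size: inner packet + trailer is padded to it


def esp_natt_size(inner_len: int) -> int:
    """Outer packet size for an inner IP packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    padded = -(-body // BLOCK_3DES) * BLOCK_3DES   # round up to block size
    return IP_HDR + UDP_HDR + ESP_HDR + IV_3DES + padded + ICV_SHA1


def tcp_segment_outer_size(mss: int, ip_hdr: int = 20, tcp_hdr: int = 20) -> int:
    """Encrypted size of a full-MSS TCP segment (plain IPv4/TCP headers)."""
    return esp_natt_size(ip_hdr + tcp_hdr + mss)


def fits(mss: int, path_mtu: int = 1500) -> bool:
    """True when a full-size segment at this MSS needs no fragmentation."""
    return tcp_segment_outer_size(mss) <= path_mtu


def max_safe_mss(path_mtu: int = 1500) -> int:
    """Largest MSS whose full segment still fits after encapsulation."""
    mss = path_mtu - 40                # start from the default 1460
    while not fits(mss, path_mtu):
        mss -= 1
    return mss


def outcome(mss: int, df_set: bool, icmp_reaches_sender: bool,
            path_mtu: int = 1500) -> str:
    """What happens to a full-size segment: assumes the VPN device honours DF
    and that PMTUD only works if ICMP 'fragmentation needed' gets back."""
    if fits(mss, path_mtu):
        return "ok"
    if not df_set:
        return "fragmented"            # works, at a cost (reassembly on the peer)
    return "pmtud-adjusts" if icmp_reaches_sender else "black-holed"
```

A full-MSS RDP segment is encrypted to 1560 bytes, so with DF set and the NAT device in the path swallowing ICMP the session simply stalls, while small-segment traffic keeps working; clamping to 1300 (or anything up to the computed 1398) keeps every encrypted packet under 1500.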
10-21-2010 02:44 AM
Thank you Jennifer.
The problem is fixed with your solution.
You are great.
Regards.
10-21-2010 02:48 AM
Excellent stuff. Pls kindly mark the post as answered if you have no further questions. Thanks.
10-21-2010 03:49 AM
Sorry,
I can't find where I can mark the discussion as answered.