Problem within VPN site-to-site and NAT-T

tgentile01 · ‎10-20-2010

Hi do every,

I have a problem about a VPN site-to-site from an ASA 5520 (Nat Traversal) and a Cisco 1481 router (not Nat Traversal).

The tunnel start correctly and works properly with some protocols, but doen't work with other one.

In one side use NAT-T ecapsulation and in the other use Tunnel UDP-Encaps.

For example, HTTP works, TeamViewer Works, Ultra VNC Works.

Remote Desktop doen't workd, same that other kind of application. When one of that application start, the tunnel go down in the ASA side, and stay up in 1841 (but nothing works).

ASA is before a network balancer (Peplink), so is Peplink that do Nat for outside network.

LAN address 192.168.1.5 is natting (but extemped in Tunnel) as 172.16.0.5 and peplink nat with a public IP address.

Similari, ASA is 172.16.0.254 and peplink nat it with another public ip address.

The 'sh crypto ipsec sa' is:

Router:

interface: Serial0/0/0.1
Crypto map tag: SDM_CMAP_1, local addr 151.8.x.x

   protected vrf: (none)
   local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer x.x.x.x port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 17, #pkts encrypt: 17, #pkts digest: 17
    #pkts decaps: 18, #pkts decrypt: 18, #pkts verify: 18
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 151.8.x.x, remote crypto endpt.: 151.13.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0/0.1
     current outbound spi: 0x7E27190C(2116491532)

     inbound esp sas:
      spi: 0xDF2F7622(3744429602)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2003, flow_id: FPGA:3, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4515499/2974)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

inbound ah sas:

inbound pcp sas:

     outbound esp sas:
      spi: 0x7E27190C(2116491532)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2004, flow_id: FPGA:4, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4515499/2974)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

outbound ah sas:

outbound pcp sas:

ASA:

interface: Outside
Crypto map tag: Outside_map1, seq num: 1, local addr: 172.16.0.254

      access-list Outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255
.0 192.168.0.0 255.255.255.0
      local ident (addr/mask/prot/port): (SDLANLOTTO23/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (SCLAN/255.255.255.0/0/0)
      current_peer: scextrouter

      #pkts encaps: 18, #pkts encrypt: 18, #pkts digest: 18
      #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 18, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.0.254/4500, remote crypto endpt.: scextrouter/
4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: DF2F7622
      current inbound spi : 7E27190C

    inbound esp sas:
      spi: 0x7E27190C (2116491532)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 962560, crypto-map: Outside_map1
         sa timing: remaining key lifetime (kB/sec): (4373999/2798)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000003
    outbound esp sas:
      spi: 0xDF2F7622 (3744429602)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, NAT-T-Encaps, }
         slot: 0, conn_id: 962560, crypto-map: Outside_map1
         sa timing: remaining key lifetime (kB/sec): (4373999/2798)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Output for 'sh crypto isakmp sa' is:

Router:

IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
151.13.x.x 151.8.x.x QM_IDLE 1001 0 ACTIVE

ASA:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: scextrouter
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Someone had in the past same problem?

It's possible to resolve it?

Thanks.

Jennifer Halim · ‎10-20-2010

Doesn't seem to be VPN issue if other applications but RDP works through the VPN tunnel.

I would think it is more an MSS issue.

Try lowering the MSS on either the router or the ASA:

ASA: sysopt connection tcpmss 1300

Router: ip tcp adjust-mss 1300 (on the LAN interface)

tgentile01 · ‎10-21-2010

Thank you Jennifer.

The problem is correct with your solution.

You are great.

Regards.

Jennifer Halim · ‎10-21-2010

Excellent stuff. Pls kindly mark the post as anwered if you have no further questions. Thanks.

tgentile01 · ‎10-21-2010

Sorry,

I can't found where I can mark discussion as answered.