1854 Views | 0 Helpful | 7 Replies

Route-based VPN -Who is initiator

prestigio391 (Level 1)

Hello guys,

I have a problem with my route-based VPN on IKEv2. The question is why ASA1 isn't allowed to create an IPsec tunnel from the inside interface.

When communication comes from outside, IPsec comes up. But when IPsec is down and I initiate traffic from my PC on the inside interface, the tunnel is still down and comes up only in case of a ping from DC monitoring, so from ASA2 to ASA1.

Between the tunnel interfaces there is dynamic routing with BGP.

Why?

Thanks for the answer and help


7 Replies

Hi @prestigio391

If using a route-based VPN with a VTI then the tunnel is always up, unlike a policy-based VPN (crypto map), which requires interesting traffic to be sent in order to establish a VPN tunnel.

Provide a screenshot of what exactly you are referring to when you say IPsec is down.

You should check you have a NAT exemption rule configured on both ASAs, to ensure traffic is not unintentionally being NATted.

You can run the command "show crypto ipsec sa" and confirm the encaps|decaps counters are increasing when you run the ping.

Ah, I have no NAT rule for this traffic... because my tie breaker is routing, not NAT. So if I have the tunnels down and BGP is not up, how does my traffic know where to go?

What you mentioned, that the tunnel interface is still up, is not true:

LICY-ASA# clear
ASA# clear cry ikev
ASA# clear cry ikev2 sa
ASA# sh cry isa sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:209, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
1055125047 xxx.xxx.xxx.xxx/500 yyy.yyy.yyy.yyy/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/3 sec
ASA# sh bgp summ
BGP router identifier xxx.xxx.xxx.xxx, local AS number 64011
BGP table version is 122, main routing table version 122
1 network entries using 200 bytes of memory
1 path entries using 80 bytes of memory
3/1 BGP path/bestpath attribute entries using 624 bytes of memory
2 BGP AS-PATH entries using 64 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 968 total bytes of memory
BGP activity 49/42 prefixes, 49/48 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.200.254.17 4 64020 0 0 1 0 0 00:00:09 Idle

ASA# ping liCY-LAN 10.110.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.10.5, timeout is 2 seconds:
??
Success rate is 0 percent (0/2)
ASA# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 xxx.xxx.xxx.xxx YES CONFIG up up
GigabitEthernet1/2 192.168.1.1 YES unset up up
GigabitEthernet1/2.99 10.220.10.1 YES CONFIG up up
BVI1 192.168.1.1 YES CONFIG up up
Tunnel1 10.200.254.19 YES manual down down
ASA# sh cry ipsec sa

There are no ipsec sas
ASA# ping liCY-LAN 10.110.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.10.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA# clear
ASA# clear bg
ASA# clear bgp * so
ASA# clear bgp * soft
ASA#
ASA# sh cry isa sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:221, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
1339388541 xxx.xxx.xxx.xxx/500 yyy.yyy.yyy.yyy/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/13 sec
ASA# ping liCY-LAN 10.110.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.10.5, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA# sh rou 10.110.10.5
ASA# sh rou 10.110.10.5

% Subnet not in table

ASA# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 xxx.xxx.xxx.xxx YES CONFIG up up
GigabitEthernet1/2 192.168.1.1 YES unset up up
GigabitEthernet1/2.99 10.220.10.1 YES CONFIG up up
GigabitEthernet1/3 192.168.1.1 YES unset down down
GigabitEthernet1/4 192.168.1.1 YES unset down down
GigabitEthernet1/5 192.168.1.1 YES unset down down
GigabitEthernet1/6 192.168.1.1 YES unset down down
GigabitEthernet1/7 192.168.1.1 YES unset down down
GigabitEthernet1/8 192.168.1.1 YES unset down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up up
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES DHCP up up
BVI1 192.168.1.1 YES CONFIG up up
Tunnel1 10.200.254.19 YES manual down down
ASA# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 xxx.xxx.xxx.xxx YES CONFIG up up
GigabitEthernet1/2 192.168.1.1 YES unset up up
GigabitEthernet1/2.99 10.220.10.1 YES CONFIG up up
GigabitEthernet1/3 192.168.1.1 YES unset down down
GigabitEthernet1/4 192.168.1.1 YES unset down down
GigabitEthernet1/5 192.168.1.1 YES unset down down
GigabitEthernet1/6 192.168.1.1 YES unset down down
GigabitEthernet1/7 192.168.1.1 YES unset down down
GigabitEthernet1/8 192.168.1.1 YES unset down down
Internal-Control1/1 127.0.1.1 YES unset up up
Internal-Data1/1 unassigned YES unset up up
Internal-Data1/2 unassigned YES unset up up
Internal-Data1/3 unassigned YES unset up up
Internal-Data1/4 169.254.1.1 YES unset up up
Management1/1 unassigned YES DHCP up up
BVI1 192.168.1.1 YES CONFIG up up
Tunnel1 10.200.254.19 YES manual down down
ASA# sh int ip brief
Interface IP-Address OK? Method Status Protocol
Virtual0 127.1.0.1 YES unset up up
GigabitEthernet1/1 xxx.xxx.xxx.xxx YES CONFIG up up
GigabitEthernet1/2 192.168.1.1 YES unset up up
GigabitEthernet1/2.99 10.220.10.1 YES CONFIG up up
Management1/1 unassigned YES DHCP up up
BVI1 192.168.1.1 YES CONFIG up up
Tunnel1 10.200.254.19 YES manual up up
ASA# sh bgp summ
BGP router identifier xxx.xxx.xxx.xxx, local AS number 64011
BGP table version is 122, main routing table version 122
1 network entries using 200 bytes of memory
1 path entries using 80 bytes of memory
1/1 BGP path/bestpath attribute entries using 208 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 488 total bytes of memory
BGP activity 49/48 prefixes, 49/48 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.200.254.17 4 64020 0 0 1 0 0 00:02:12 Idle

ASA# ping liCY-LAN 10.110.10.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.110.10.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/66/70 ms
ASA# sh bgp summ
BGP router identifier xxx.xxx.xxx.xxx, local AS number 64011
BGP table version is 132, main routing table version 132
7 network entries using 1400 bytes of memory
7 path entries using 560 bytes of memory
3/3 BGP path/bestpath attribute entries using 624 bytes of memory
2 BGP AS-PATH entries using 64 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2648 total bytes of memory
BGP activity 55/48 prefixes, 55/48 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.200.254.17 4 64020 7 5 122 0 0 00:00:10 6

ASA# sh run router bgp
router bgp 64011
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 10.200.254.17 remote-as 64020
neighbor 10.200.254.17 activate
network 10.220.10.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
!
ASA#

 

ASA# packet-tracer in licy-LAN icmp 10.220.10.43 8 0 10.100.10.5

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.200.254.17 using egress ifc AEJR

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group 199 in interface LICY-LAN
access-list 199 extended permit ip object-group LICY-LAN any
object-group network LICY-LAN
network-object 10.220.10.0 255.255.255.0
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map firepower_aere
match any
policy-map global_policy
class firepower_aere
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 288557, packet dispatched to next module

Result:
input-interface: LICY-LAN
input-status: up
input-line-status: up
output-interface: AEJR
output-status: up
output-line-status: up
Action: allow

A VTI does not require interesting traffic in order to establish and is always up, assuming IPsec has been established correctly.

A VTI can be configured to be an initiator or responder or both. Provide your configuration for review.

Shut down the tunnel interfaces, clear the crypto ipsec and ikev2 SAs and no shut the interfaces, then check if the tunnels are up. Check the output of "show crypto ipsec sa".

Config of the VTI:

interface Tunnel1
nameif XXX
ip address 10.200.254.19 255.255.255.248
tunnel source interface outside
tunnel destination yyy.yyy.yyy.yyy
tunnel mode ipsec ipv4
tunnel protection ipsec profile XXX

This doesn't tell me enough. Please provide the full configuration of both ASAs, remove the public IP addresses etc.

 

You configured IKEv2 with respond-only; that's why the ASA couldn't build IPsec. Remove this command and test again.

prestigio391 (Level 1) - Accepted Solution

Adding a static route to the config solved the issue...

Thanks a lot for the responses
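The two points the thread converges on are the initiator/responder setting on the IPsec profile and the need for a route that steers inside traffic into the tunnel while BGP is still Idle. The ASA configuration below is an added example written for this page; it is not the poster's configuration (only the Tunnel1 addresses, the BGP neighbor address and the IKEv2 algorithms shown in the thread output are taken from the page). Assumed or placeholder values: the tunnel nameif VTI-PEER, the remote LAN 10.110.10.0/24, the proposal and profile names, the pre-shared key, and the administrative distance 250 on the floating static route.

```cisco
! Added example, not the thread author's running-config.
! IKEv2 phase 1 parameters matching what "show crypto isakmp sa" reported:
! AES-CBC 256, SHA512, DH group 21, PSK, 28800 s lifetime.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 21
 prf sha512
 lifetime seconds 28800
crypto ikev2 enable outside

! Peer authentication (PSK placeholder; the real key is never shown on the page).
tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK

! Child SA proposal (assumed name).
crypto ipsec ikev2 ipsec-proposal AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512

! IPsec profile bound to the VTI. "responder-only" is deliberately NOT
! present: with it configured this ASA would only ever answer the peer,
! which is the symptom the thread describes (tunnel comes up only when
! the other side initiates).
crypto ipsec profile VTI-PROFILE
 set ikev2 ipsec-proposal AES256-SHA512
 set pfs group21

! Route-based tunnel interface (addresses from the thread, nameif assumed).
interface Tunnel1
 nameif VTI-PEER
 ip address 10.200.254.19 255.255.255.248
 tunnel source interface outside
 tunnel destination yyy.yyy.yyy.yyy
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE

! Floating static toward the remote LAN via the peer's tunnel address.
! AD 250 (assumption) is higher than eBGP's default 20, so the BGP-learned
! prefix replaces this route once the neighbor is Established and the
! static only fills the gap while BGP is still Idle.
route VTI-PEER 10.110.10.0 255.255.255.0 10.200.254.17 250
```

After applying this, "show route 10.110.10.5" should resolve via VTI-PEER even before BGP converges, and once "show bgp summary" shows the neighbor Established the same lookup should return the BGP prefix rather than the static; if the static keeps winning, the distance value was set lower than the BGP route's and needs raising.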