S2S VPN - Unable to get tunnel UP

osoriojoe
Level 1

I have been unable to get a site-to-site VPN up due to a configuration error that I cannot seem to correct.

The topology is Server1 > Hub > ASA-1 -- ASA-2 < Hub < Server2

When I initiate a ping from server 1 to server 2 to try to get the tunnel up I receive the following error:

%ASA-6-110002: Failed to locate egress interface for ICMP from inside:192.168.100.2/2655 to 192.168.200.2/0

It doesn't matter which side I am pinging from, I receive the error on both ASAs. Below is the config for both ASAs, thank you for any help.

!
hostname ASA-1
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 80.1.1.1 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
ftp mode passive
object network PC_LAN
 subnet 192.168.100.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.200.0 255.255.255.0
access-list ACL-OUTSIDE-PING extended permit icmp any any
access-list LAB_S2S_VPN extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
access-list LAB_S2S_VPN extended permit icmp 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0 log
pager lines 24
logging enable
logging buffer-size 6000
logging buffered debugging
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
arp timeout 14400
nat (inside,outside) source static PC_LAN PC_LAN destination static REMOTE_LAN REMOTE_LAN
access-group ACL-OUTSIDE-PING in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN
crypto map VPN_CRYPTO_MAP 1 set peer 80.1.1.2
crypto map VPN_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map VPN_CRYPTO_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 80.1.1.2 type ipsec-l2l
tunnel-group 80.1.1.2 ipsec-attributes
 ikev1 pre-shared-key *****
!

hostname ASA-2
!
interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 80.1.1.2 255.255.255.252
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
object network PC_LAN
 subnet 192.168.200.0 255.255.255.0
object network REMOTE_LAN
 subnet 192.168.100.0 255.255.255.0
access-list ACL-OUTSIDE-PING extended permit icmp any any
access-list LAB_S2S_VPN extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 log
access-list LAB_S2S_VPN extended permit icmp 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0 log
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static REMOTE_LAN REMOTE_LAN destination static PC_LAN PC_LAN
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN
crypto map VPN_CRYPTO_MAP 1 set peer 80.1.1.1
crypto map VPN_CRYPTO_MAP 1 set ikev1 transform-set ESP-AES-SHA
crypto map VPN_CRYPTO_MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 80.1.1.1 type ipsec-l2l
tunnel-group 80.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
!

3 Replies

Dinesh Moudgil
Cisco Employee

It seems to be a routing issue.
Can you post the routing configuration from both sides?


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Once I added a static route outside on each ASA, the tunnel came up and I was able to ping across:

asa-1: route outside 0.0.0.0 0.0.0.0 80.1.1.2
asa-2: route outside 0.0.0.0 0.0.0.0 80.1.1.1

I guess I thought I didn't need this for some reason but it has resolved the issue.

You might not have a route for 192.168.200.2, thus it was not able to locate the next hop for tunnel traffic.

Adding these static routes will cause all the traffic to be sent to the internet's default gateway, including VPN and non-VPN traffic.
So adding a route for 192.168.200.0 pointing to 80.1.1.X would have given the same results.

Regards,
Dinesh Moudgil

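
The egress-interface lookup behind the %ASA-6-110002 message, as an added example that is not part of the original thread: a small Python model of the ASA-1 side. The connected routes, the crypto ACL, the crypto map interface and the peer address are taken from the configs posted above; the behaviour modelled is the route lookup the ASA performs on the destination before it consults the crypto map bound to the egress interface. 8.8.8.8 is a constructed non-VPN destination used only to show how the default route and the narrower 192.168.200.0/24 route differ for traffic that is not in the crypto ACL.

```python
import ipaddress

# Added example modelling the ASA-1 side of the lab in this thread (not code from the thread).
# Each route is (prefix, egress interface, next hop); next hop None means a connected route.
# The two connected routes come straight from the posted 'ip address' lines on ASA-1.
CONNECTED_ROUTES = [
    ("80.1.1.0/30", "outside", None),       # ip address 80.1.1.1 255.255.255.252
    ("192.168.100.0/24", "inside", None),   # ip address 192.168.100.1 255.255.255.0
]

# crypto map VPN_CRYPTO_MAP 1 match address LAB_S2S_VPN, applied on 'outside', peer 80.1.1.2.
CRYPTO_ACL = [("192.168.100.0/24", "192.168.200.0/24")]
CRYPTO_MAP_INTERFACE = "outside"
VPN_PEER = "80.1.1.2"


def lookup_egress(routes, dst):
    """Longest-prefix match on the destination, which is how the ASA picks the
    egress interface before the crypto map on that interface is consulted.
    Returns (interface, next_hop), or None when no route covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def classify(routes, src, dst):
    """What ASA-1 does with a packet from src to dst under the given routing table.
    ("no-route", None)       -> no egress interface; this is the %ASA-6-110002 case
    ("encrypt", "80.1.1.2")  -> egress is the crypto map interface and the crypto ACL
                                matched, so IKEv1 is initiated to the peer
    ("clear", <iface>)       -> forwarded unencrypted out of <iface>
    """
    egress = lookup_egress(routes, dst)
    if egress is None:
        return ("no-route", None)
    iface, _next_hop = egress
    if iface == CRYPTO_MAP_INTERFACE:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for src_net, dst_net in CRYPTO_ACL:
            if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
                return ("encrypt", VPN_PEER)
    return ("clear", iface)


def with_default_route():
    """route outside 0.0.0.0 0.0.0.0 80.1.1.2  (the fix the original poster applied)."""
    return CONNECTED_ROUTES + [("0.0.0.0/0", "outside", "80.1.1.2")]


def with_specific_route():
    """route outside 192.168.200.0 255.255.255.0 80.1.1.2  (the narrower alternative)."""
    return CONNECTED_ROUTES + [("192.168.200.0/24", "outside", "80.1.1.2")]


if __name__ == "__main__":
    # 8.8.8.8 is a constructed non-VPN destination, used only to contrast the two routes.
    for label, routes in [("connected only", CONNECTED_ROUTES),
                          ("default route", with_default_route()),
                          ("specific route", with_specific_route())]:
        print(label)
        print("  192.168.100.2 -> 192.168.200.2:", classify(routes, "192.168.100.2", "192.168.200.2"))
        print("  192.168.100.2 -> 8.8.8.8      :", classify(routes, "192.168.100.2", "8.8.8.8"))
```

With only the connected routes, 192.168.200.2 has no egress interface, so the packet never reaches the crypto map on outside and IKE is never started; that is the condition the syslog reports. Either route fixes it, because both make outside the egress interface, where the crypto ACL then matches. The difference is what happens to traffic outside the crypto ACL: the default route forwards it in the clear to 80.1.1.2, the /24 route drops it for want of a route. On a real ASA, `show route` confirms the lookup, `packet-tracer input inside icmp 192.168.100.2 8 0 192.168.200.2` walks the same decision and shows the VPN phase, and `show crypto ikev1 sa` / `show crypto ipsec sa` confirm the tunnel. Separately, note that ASA-1 applies ACL-OUTSIDE-PING (permit icmp any any) inbound on inside, so with that access-group in place only ICMP from the inside hosts will be admitted; anything else from Server1 needs its own permit.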