Second Site-to-Site VPN Connection

ICT-Support
Level 1

All,

I have created a second site-to-site VPN connection from my remote site to another site and I have the following issue when I ping from Site B to Site A:

"Routing failed to locate next hop for icmp from NP Identity...."

If I ping from site A to site B and view the realtime log, the ping gets through on the Realtime Log, but I get a "request time out" on the source end.

Here is the copy of the second site-to-site VPN config (Site A is 172.16.40.0 and Site B is 172.16.50.0):

! Interface ACL applied inbound on inside-test
access-list inside-test_access_in extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list inside-test_access_in extended permit ip 172.16.40.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside-test_access_in extended permit ip any any
access-list inside-test_access_in extended permit icmp any any echo
access-list inside-test_access_in extended permit icmp any any echo-reply
access-list inside-test_access_in extended deny ip any any
! NAT exemption for traffic between the two LANs
access-list outside_nat0_outbound extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
! Crypto ACL (interesting traffic) for the second tunnel
access-list outside_2_cryptomap extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
nat (inside-test) 0 access-list outside_nat0_outbound
nat (inside-test) 1 0.0.0.0 0.0.0.0
! Crypto map entry 2 for the second peer
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *

Anyone have any ideas?

6 Replies

Collin Clark
VIP Alumni

Try adding a static route on Site A to the ASA in Site B using Site B's public IP as the gateway:

route outside 172.16.50.0 255.255.255.0 [site B vpn end point]

The Site A Box (Juniper SSG5) does not let me add a default gw on a different network.

If I monitor the connection when it comes up, I get the following error:

4 Aug 08 2011 15:44:24 402116 SiteAPublicIP SiteBPublicIP IPSEC: Received an ESP packet (SPI= 0xBBADD0EE, sequence number= 0x1A) from SiteAPublicIP (user= X.X.X.X) to SiteBPublicIP. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as SiteBPublicIP, its source as SiteAPublicIP, and its protocol as 1. The SA specifies its local proxy as 172.16.50.0/255.255.255.0/0/0 and its remote_proxy as 172.16.40.0/255.255.255.0/0/0.


I've double-checked the "interesting" traffic rule on the ASA and it looks fine. I'm assuming I haven't got it wrong on the Juniper and get this in the log:

2011-08-08 15:40:57 info IKE 109.174.176.66 Phase 2 msg ID f6d6e8af: Completed negotiations with SPI c186a3ee, tunnel ID 1, and lifetime 3600 seconds/0 KB.
2011-08-08 15:40:57 info IKE 109.174.176.66 Phase 2: Initiated negotiations.
2011-08-08 15:40:57 info IKE 109.174.176.66 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.

Do you have any ideas?

Does anyone have any ideas?

You may want to visit Juniper forums and see if they can help.

ICT-Support
Level 1

I ditched the Juniper as I didn't get any answers on the forums and in its place have put a Cisco 877. Again, the tunnel comes back up but the ASA cannot route back down the tunnel.

If I run show crypto ipsec sa on the ASA I get this:

   Crypto map tag: outside_map, seq num: 2, local addr: PublicIPSiteB

      access-list outside_2_cryptomap permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.40.0/255.255.255.0/0/0)
      current_peer: PublicIPSiteA

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: SiteBPublicIP, remote crypto endpt.: SiteAPublicIP

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3B937781

    inbound esp sas:
      spi: 0x34A136FC (882980604)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 152, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (92773/3365)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3B937781 (999520129)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 152, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (92773/3365)
         IV size: 8 bytes
         replay detection support: Y

As per the above, I think that packets are reaching the ASA (Site B), but when you ping back from SiteB to A you get:

6 Aug 12 2011 12:03:07 110003 Routing failed to locate next hop for icmp from NP Identity Ifc:172.16.50.254/0 to inside-test:172.16.40.254/0

I have the following VLANs set up on the ASA:

! this is the first site-to-site VPN
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.64.1 255.255.224.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address SiteBPublicIP
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp
!
! for the second site-to-site VPN
interface Vlan15
 nameif inside-test
 security-level 100
 ip address 172.16.50.254 255.255.255.0

Do I have to do anything to the VLANS to get inside-test to route outside over the VPN?

I've tried route outside 172.16.40.0 255.255.255.0 SiteAPublicIP, which doesn't have any effect.

Cheers

Try adding a route on the ASA like this:

route outside 172.16.40.0 255.255.255.0 ISP_Gateway instead of SiteAPublicIP.

Let me know how it goes!

Regards,

Prapanch
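As an added illustration (not code from the thread or from Cisco), a small Python helper that reads the counters and proxy identities from `show crypto ipsec sa` text like the output above, flags the SA as receive-only when decaps climb while encaps stay at zero, checks whether a decapsulated inner packet falls inside the negotiated proxies (the mismatch reported in the earlier IPSEC syslog), and checks that a static route's next hop lies on the outside interface's own subnet, which is why the ISP gateway works as a next hop where the remote peer's public IP does not. The public addresses and the outside subnet are constructed placeholders.

```python
import ipaddress
import re

# Constructed excerpt modelled on the show crypto ipsec sa output in the thread;
# counters and proxy identities copied from the post, public IPs are placeholders.
SAMPLE_SA = """\
   Crypto map tag: outside_map, seq num: 2, local addr: 203.0.113.2
      local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.40.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
"""

IDENT_RE = r"{} ident \(addr/mask/prot/port\): \((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/"


def parse_sa(text):
    """Extract encaps/decaps counters and proxy identities from SA output."""
    def net(kind):
        m = re.search(IDENT_RE.format(kind), text)
        return ipaddress.ip_network("{}/{}".format(*m.groups()), strict=False)

    def counter(name):
        return int(re.search(r"#pkts {}:\s*(\d+)".format(name), text).group(1))

    return {"local": net("local"), "remote": net("remote"),
            "encaps": counter("encaps"), "decaps": counter("decaps")}


def diagnose_tunnel(sa):
    """Classify the SA direction from its encaps/decaps counters."""
    if sa["encaps"] and sa["decaps"]:
        return "two-way"
    if sa["decaps"]:
        # Packets arrive and decrypt fine but nothing is encapsulated back:
        # the return traffic never reaches the crypto map, i.e. a routing
        # problem on this side, matching the "failed to locate next hop" syslog.
        return "receive-only"
    return "send-only" if sa["encaps"] else "idle"


def inner_packet_matches_proxy(sa, src, dst):
    """Would a decapsulated packet src->dst be accepted by the SA's proxies?"""
    return (ipaddress.ip_address(src) in sa["remote"]
            and ipaddress.ip_address(dst) in sa["local"])


def next_hop_usable(next_hop, outside_if_cidr):
    """An ASA static route needs a next hop on the egress interface's subnet."""
    return ipaddress.ip_address(next_hop) in ipaddress.ip_network(outside_if_cidr, strict=False)
```

Run `diagnose_tunnel(parse_sa(SAMPLE_SA))` to reproduce the receive-only verdict for the counters in the post; `next_hop_usable` returns True for a gateway on the outside subnet and False for a peer address somewhere else on the Internet.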