08-08-2011 03:25 AM
All,
I have created a second site-to-site VPN connection from my remote site to another site and I have the following issue when I ping from Site B to Site A:
"Routing failed to locate next hop for icmp from NP Identity...."
If I ping from site A to site B and view the realtime log, the ping gets through on the Realtime Log, but I get a "request time out" on the source end.
Here is the copy of the second site-to-site VPN config (Site A is 172.16.40.0 and Site B is 172.16.50.0):
access-list inside-test_access_in extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list inside-test_access_in extended permit ip 172.16.40.0 255.255.255.0 172.16.50.0 255.255.255.0
access-list inside-test_access_in extended permit ip any any
access-list inside-test_access_in extended permit icmp any any echo
access-list inside-test_access_in extended permit icmp any any echo-reply
access-list inside-test_access_in extended deny ip any any
access-list outside_nat0_outbound extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
nat (inside-test) 0 access-list outside_nat0_outbound
nat (inside-test) 1 0.0.0.0 0.0.0.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 2 set security-association lifetime seconds 3600
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 pre-shared-key *
Anyone have any ideas?
08-08-2011 06:33 AM
Try adding a static route on Site A to the ASA in Site B, using Site B's public IP as the gateway:
route outside 172.16.50.0 255.255.255.0 [site B vpn end point]
08-08-2011 08:00 AM
The Site A Box (Juniper SSG5) does not let me add a default gw on a different network.
If I monitor the connection when it comes up, I get the following error:
4 | Aug 08 2011 | 15:44:24 | 402116 | SiteAPublicIP | SiteBPublicIP | IPSEC: Received an ESP packet (SPI= 0xBBADD0EE, sequence number= 0x1A) from SiteAPublicIP (user= X.X.X.X) to SiteBPublicIP. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as SiteBPublicIP, its source as SiteAPublicIP, and its protocol as 1. The SA specifies its local proxy as 172.16.50.0/255.255.255.0/0/0 and its remote_proxy as 172.16.40.0/255.255.255.0/0/0. |
I've double-checked the "interesting" traffic rule on the ASA and it looks fine. I'm assuming I haven't got it wrong on the Juniper and get this in the log:
2011-08-08 15:40:57 info IKE 109.174.176.66 Phase 2 msg ID f6d6e8af: Completed negotiations with SPI c186a3ee, tunnel ID 1, and lifetime 3600 seconds/0 KB.
2011-08-08 15:40:57 info IKE 109.174.176.66 Phase 2: Initiated negotiations.
2011-08-08 15:40:57 info IKE 109.174.176.66 Phase 1: Completed Main mode negotiations with a 28800-second lifetime.
Do you have any ideas?
08-09-2011 01:03 AM
Does anyone have any ideas?
08-09-2011 05:31 AM
You may want to visit Juniper forums and see if they can help.
08-12-2011 04:11 AM
I ditched the Juniper as I didn't get any answers on the forums and in its place have put a Cisco 877. Again, the tunnel comes back up but the ASA cannot route back down the tunnel.
If I run show crypto ipsec sa on the ASA I get this:
Crypto map tag: outside_map, seq num: 2, local addr: PublicIPSiteB
access-list outside_2_cryptomap permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.40.0/255.255.255.0/0/0)
current_peer: PublicIPSiteA
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 57, #pkts decrypt: 57, #pkts verify: 57
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: SiteBPublicIP, remote crypto endpt.: SiteAPublicIP
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3B937781
inbound esp sas:
spi: 0x34A136FC (882980604)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 152, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92773/3365)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3B937781 (999520129)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 152, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (92773/3365)
IV size: 8 bytes
replay detection support: Y
As per the above, I think that packets are reaching the ASA (Site B), but when you ping back from SiteB to A you get:
6 | Aug 12 2011 | 12:03:07 | 110003 | Routing failed to locate next hop for icmp from NP Identity Ifc:172.16.50.254/0 to inside-test:172.16.40.254/0 |
I have the following VLANs set up on the ASA:
interface Vlan1 (this is the first site-to-site VPN)
 nameif inside
 security-level 100
 ip address 10.0.64.1 255.255.224.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address SiteBPublicIP
!
interface Vlan3
 nameif dmz
 security-level 50
 ip address dhcp
!
interface Vlan15
 nameif inside-test (for the second site-to-site VPN)
 security-level 100
 ip address 172.16.50.254 255.255.255.0
Do I have to do anything to the VLANs to get inside-test to route outside over the VPN?
I've tried route outside 172.16.40.0 255.255.255.0 SiteAPublicIP, which doesn't have any effect.
Cheers
08-24-2011 01:48 PM
Try adding a route on the ASA like this:
route outside 172.16.40.0 255.255.255.0 ISP_Gateway instead of SiteAPublicIP.
Let me know how it goes!
Regards,
Prapanch
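As an added example (not from the thread and not Cisco's own tooling): a small Python checker that reads ASA-style configuration text and reports each remote proxy network of a crypto map that has no explicit, non-default static route on the interface the crypto map is bound to, which is the condition the last reply's `route outside ...` line addresses. The sample configuration is constructed from the fragments quoted above, with placeholder public addresses (198.51.100.x) in place of the real ones.

```python
import ipaddress
import re

# Constructed sample (assembled from the fragments quoted in this thread, with
# placeholder public addresses). The specific route for 172.16.40.0/24 is left
# out on purpose so the checker reproduces the thread's symptom.
SAMPLE_CONFIG = """
access-list outside_2_cryptomap extended permit ip 172.16.50.0 255.255.255.0 172.16.40.0 255.255.255.0
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 198.51.100.1
crypto map outside_map interface outside
route outside 0.0.0.0 0.0.0.0 198.51.100.254
"""

def acl_destinations(cfg):
    """Map ACL name -> destination networks of its 'permit ip' entries."""
    acls = {}
    pat = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
    for name, _src, _smask, dst, dmask in pat.findall(cfg):
        acls.setdefault(name, []).append(ipaddress.ip_network(f"{dst}/{dmask}"))
    return acls

def static_routes(cfg):
    """(interface, network, gateway) tuples from 'route' statements."""
    pat = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)", re.M)
    return [(ifc, ipaddress.ip_network(f"{net}/{mask}"), gw)
            for ifc, net, mask, gw in pat.findall(cfg)]

def crypto_map_entries(cfg):
    """Yield (bound interface, remote proxy networks) per crypto map entry."""
    ifaces = dict(re.findall(r"^crypto map (\S+) interface (\S+)", cfg, re.M))
    acls = acl_destinations(cfg)
    for cmap, acl in re.findall(r"^crypto map (\S+) \d+ match address (\S+)", cfg, re.M):
        yield ifaces.get(cmap), acls.get(acl, [])

def missing_vpn_routes(cfg):
    """Remote proxy networks with no explicit (non-default) route on the
    crypto map's interface: traffic for them is not steered to that
    interface, which is the 110003 'Routing failed to locate next hop' case."""
    routes = static_routes(cfg)
    missing = []
    for ifc, remotes in crypto_map_entries(cfg):
        for net in remotes:
            if not any(r_ifc == ifc and r_net.prefixlen > 0 and net.subnet_of(r_net)
                       for r_ifc, r_net, _gw in routes):
                missing.append((ifc, net))
    return missing
```

Running `missing_vpn_routes(SAMPLE_CONFIG)` flags 172.16.40.0/24 on `outside`; appending a `route outside 172.16.40.0 255.255.255.0 <ISP gateway>` line clears it, while a route for the same network on a different interface does not.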