Site 2 site VPN on Cisco ASA 5512

saroj pradhan
Level 1

Hello Team,

I have configured a site-to-site VPN on my Cisco ASA 5512. When I run the packet tracer, I get the following error.

Please find the details.

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

9 Replies

saroj pradhan
Level 1

Hello Team,

When I run the packet tracer using one IP address of my internal network, I get the following result. Please help.

axletech# packet-tracer input inside icmp 10.0.96.32 0 0 10.0.193.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.96.32/0 to 10.0.96.32/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
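The two traces posted so far end with the same `Drop-reason` string but fail in different phases (Phase 2 ACCESS-LIST with an implicit rule in the first post, Phase 7 VPN/encrypt here), and the phase is what tells you where to look. The following parser is an added example, not code from the thread or from Cisco: it splits `packet-tracer` output into phases and reports the first phase that returned DROP together with the config lines shown for it. The two sample inputs are abridged copies of the output posted in this thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"


@dataclass
class Trace:
    phases: List[Phase]
    action: Optional[str]
    drop_reason: Optional[str]


def _value(line: str) -> str:
    return line.split(":", 1)[1].strip()


def parse_packet_tracer(text: str) -> Trace:
    """Parse ASA packet-tracer output into phases plus the trailing Result block."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    section = None                      # "config" or "info" while inside a phase
    action = drop_reason = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":           # bare "Result:" opens the final summary block
            current, section = None, None
            continue
        if current is None:             # outside any phase: prompt line or summary block
            if line.startswith("Action:"):
                action = _value(line)
            elif line.startswith("Drop-reason:"):
                drop_reason = _value(line)
            continue
        if line.startswith("Type:"):
            current.type = _value(line)
        elif line.startswith("Subtype:"):
            current.subtype = _value(line)
        elif line.startswith("Result:"):
            current.result = _value(line)
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return Trace(phases, action, drop_reason)


def first_drop(trace: Trace) -> Optional[Phase]:
    """The phase where the packet died, or None if every phase allowed it."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def diagnose(trace: Trace) -> str:
    p = first_drop(trace)
    if p is None:
        return "allowed through all %d phases" % len(trace.phases)
    where = p.type + ("/" + p.subtype if p.subtype else "")
    detail = "; ".join(p.config) or "no config shown"
    return f"dropped in phase {p.number} ({where}): {detail}"


# Sample inputs: abridged from the packet-tracer output posted in this thread.
TRACE_ACL = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

TRACE_VPN = """\
axletech# packet-tracer input inside icmp 10.0.96.32 8 0 10.0.193.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.96.32/0 to 10.0.96.32/0

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for name, text in (("first post", TRACE_ACL), ("second post", TRACE_VPN)):
        print(name + ":", diagnose(parse_packet_tracer(text)))
```

A drop at VPN/encrypt means the packet was selected for the crypto map but could not be encrypted, which fits the `show crypto isakmp sa` output later in the thread showing no SAs at all; a drop at ACCESS-LIST with `Implicit Rule` never reached the VPN at all.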

Hi Saroj,

Please run this command twice and let us know how it fares:
packet-tracer input inside icmp 10.0.96.32 8 0 10.0.193.11 detailed

Also share the output of:
show crypto isakmp sa
show crypto ipsec sa

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hello Dinesh ,

Please find the report. No changes.

axletech# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs

axletech# show crypto ipsec sa

There are no ipsec sas

axletech# packet-tracer input inside icmp 10.0.96.32 8 0 10.0.193.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.96.32/0 to 10.0.96.32/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

axletech# packet-tracer input inside icmp 10.0.96.32 8 0 10.0.193.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
Additional Information:

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-network inside-network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.96.32/0 to 10.0.96.32/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Please run the debug commands and share the output:

debug crypto condition peer 63.124.2.202
debug crypto isakmp 200
debug crypto ipsec 200

Can you confirm what is the remote side?

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

The remote VPN IP is 63.124.2.202 and ICMP is blocked.

Please find the debug output.

axletech# packet-tracer input inside icmp 10.0.96.32 0 8 10.0.193.11

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 49.248.250.97, outside

Phase: 2
Nov 14 13:25:37 [IKEv1]Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
Additional Information:
IP = 63.124.2.202, IKE Initiator: New Phase 1, Intf inside, IKE Peer 63.124.2.202 local Proxy Address 10.0.96.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
<--- More --->Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, constructing ISAKMP SA payload
Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, constructing NAT-Traversal VID ver 02 payload
Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, constructing NAT-Traversal VID ver 03 payload
Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, constructing NAT-Traversal VID ver RFC payload
Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, constructing Fragmentation VID + extended capabilities payload
Nov 14 13:25:37 [IKEv1]IP = 63.124.2.202, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Config:
nat (inside,outside) source static inside-network inside-network no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.96.32/0 to 10.0.96.32/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: np-inspect
<--- More --->Nov 14 13:25:45 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

axletech# Nov 14 13:25:53 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172

axletech#
axletech#
axletech# Nov 14 13:26:01 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 14 13:26:09 [IKEv1 DEBUG]IP = 63.124.2.202, IKE MM Initiator FSM error history (struct &0x00007fff9ab1d940) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 14 13:26:09 [IKEv1 DEBUG]IP = 63.124.2.202, IKE SA MM:64c26d7d terminating: flags 0x01000022, refcnt 0, tuncnt 0
Nov 14 13:26:09 [IKEv1 DEBUG]IP = 63.124.2.202, sending delete/delete with reason message

Looking at the debugs:

Nov 14 13:25:37 [IKEv1]IP = 63.124.2.202, IKE_DECODE SENDING
Nov 14 13:25:45 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING
Nov 14 13:25:53 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING
Nov 14 13:26:01 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING

Nov 14 13:26:09 [IKEv1 DEBUG]IP = 63.124.2.202, IKE MM Initiator FSM error history

We are trying to communicate with the remote peer but are not able to send the packets.
A couple of points to ponder:

1. Make sure UDP 500 is allowed in between the VPN peers.
2. Take captures on outside interface on both sides to confirm the UDP 500 packets are reaching the VPN endpoints.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
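The pattern Dinesh picks out (one SENDING of MM1, three RESENDING of the same msgid, then an FSM error that timed out in MM_WAIT_MSG2, with nothing ever RECEIVED from the peer) is mechanical enough to check by script. This is an added example, not code from the thread or from Cisco: it reads `debug crypto isakmp` style lines, tallies per-peer send/resend/receive counts, pulls the state in which the initiator FSM timed out, and gives a one-word verdict. The sample log is constructed: the 63.124.2.202 lines are cleaned-up copies of the debug posted above, and the 198.51.100.7 lines are a made-up healthy peer added for contrast (that address is documentation space, not a real endpoint).

```python
import re
from collections import defaultdict

# "Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, <message>"; searched, not anchored,
# so a line that still carries the "axletech# " prompt prefix is parsed too.
LINE_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[IKEv1(?: DEBUG)?\]IP = (?P<peer>[\d.]+), (?P<msg>.*)$"
)
DECODE_RE = re.compile(r"IKE_DECODE (SENDING|RESENDING|RECEIVED) Message \(msgid=(\w+)\)")


def _secs(ts: str) -> int:
    """Seconds since midnight from the trailing HH:MM:SS (day rollover is ignored here)."""
    h, m, s = (int(x) for x in ts[-8:].split(":"))
    return h * 3600 + m * 60 + s


def analyse_ikev1(log: str) -> dict:
    """Per-peer summary of IKEv1 main-mode activity seen in the debug output."""
    peers = defaultdict(lambda: {
        "sent": 0, "resent": 0, "received": 0,
        "fsm_error": False, "timeout_state": None,
        "first_ts": None, "last_ts": None,
    })
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        p = peers[m.group("peer")]
        t = _secs(m.group("ts"))
        p["first_ts"] = t if p["first_ts"] is None else p["first_ts"]
        p["last_ts"] = t
        msg = m.group("msg")
        d = DECODE_RE.search(msg)
        if d:
            key = {"SENDING": "sent", "RESENDING": "resent", "RECEIVED": "received"}[d.group(1)]
            p[key] += 1
        if "IKE MM Initiator FSM error history" in msg:
            p["fsm_error"] = True
            # History reads "<state>, <event>" pairs; the state paired with EV_TIMEOUT
            # is where the initiator sat waiting when the retry budget ran out.
            hit = re.search(r"(MM_\w+), EV_TIMEOUT", msg)
            p["timeout_state"] = hit.group(1) if hit else None
    return dict(peers)


def elapsed_seconds(stats: dict) -> int:
    return stats["last_ts"] - stats["first_ts"]


def verdict(stats: dict) -> str:
    """'peer-silent' = we transmitted but never decoded anything from the peer."""
    if stats["sent"] + stats["resent"] == 0:
        return "no-ike-activity"
    if stats["received"] == 0:
        return "peer-silent"
    return "peer-responded"


# Constructed sample: first peer copied from this thread, second peer made up as a healthy contrast.
SAMPLE_LOG = """\
Nov 14 13:25:37 [IKEv1]IP = 63.124.2.202, IKE Initiator: New Phase 1, Intf inside, IKE Peer 63.124.2.202 local Proxy Address 10.0.96.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
Nov 14 13:25:37 [IKEv1 DEBUG]IP = 63.124.2.202, constructing ISAKMP SA payload
Nov 14 13:25:37 [IKEv1]IP = 63.124.2.202, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 14 13:25:45 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
axletech# Nov 14 13:25:53 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 14 13:26:01 [IKEv1]IP = 63.124.2.202, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 172
Nov 14 13:26:09 [IKEv1 DEBUG]IP = 63.124.2.202, IKE MM Initiator FSM error history (struct &0x00007fff9ab1d940) <state>, <event>: MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Nov 14 13:26:09 [IKEv1 DEBUG]IP = 63.124.2.202, IKE SA MM:64c26d7d terminating: flags 0x01000022, refcnt 0, tuncnt 0
Nov 14 13:30:02 [IKEv1]IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 120
Nov 14 13:30:02 [IKEv1]IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
"""

if __name__ == "__main__":
    for peer, stats in analyse_ikev1(SAMPLE_LOG).items():
        print(peer, verdict(stats), stats["sent"] + stats["resent"], "tx,",
              stats["received"], "rx,", elapsed_seconds(stats), "s,", stats["timeout_state"])
```

A `peer-silent` verdict says nothing about whether the fault is on this ASA, in the path, or on the remote device; it only confirms that the next step is the one given above, a capture for UDP/500 on the outside interface of both ends to see where the MM1 packet stops.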

When I run the capture on the ASA, I get the following output.

axletech# capture vpn interface outside match udp host 49.248.250.98 host 63.1$

axletech# show capture vpn

0 packet captured

0 packet shown

Hello Dinesh,

Is the site-to-site VPN configured on the Cisco 5512 having all the required config, or is it missing any config?

How do I capture the UDP port between the devices' outside interfaces?

Regards,

Saroj

This is the command syntax.

capture capture_name interface outside match udp host 49.248.250.98  host 63.124.2.202 eq 500

On remote side, revert the source and destination.

Verify the output via:
show cap <capture_name>

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/