Site 2 Site VPN. Sonicwall to Cisco ASA 5505 issue.

nice2michu
Level 1

Hi all, I hope you are able to assist me with my issue.

 

We have three firewalls:

Head office uses a Sonicwall NSA 2400.

Site 1 is a Cisco ASA 5505 running ASA version 9.2(4) and ASDM version 7.8(2).

Site 2 is a Cisco ASA 5505 running ASA version 9.1(1) and ASDM version 7.1(1).

 

I have set up site to site vpn so that all three sites can connect with each other but one route is not working.

Head office > Site 1 is fine

Head office > Site 2 does not work

Site 1 > Site 2 is fine

Site 1 > Head office is fine

Site 2 > Site 1 is fine

Site 2 > Head office is fine.

 

The setup on the Sonicwall is the same for both sites so I can't see the issue being there. However, if the issue was at Site 2 then why would Site 1 be able to connect fine?

Has anyone had similar issues or information that could help me resolve this? Please let me know if you require any logs to help narrow this down.


8 Replies

What's the difference in the configuration between Site 1 and Site 2? Can you provide the configuration for Site 2?
What is the output of "show crypto isakmp sa" and "show crypto ipsec sa" for the tunnel between HO and Site 2?

You should check that the ACL for the interesting traffic on the Site 2 ASA is 100% correct and also check that you have a NAT rule in place to NOT nat the traffic over the VPN tunnel (I assume you don't want to nat over the tunnel).

Thanks for the reply RJI.

Below are the results of the configuration. The results of the show cryptos will be in my next reply.

The ACL looks okay and we do have a no NAT.

 

Result of the command: "sho run"

: Saved
:
ASA Version 9.1(1)
!
hostname xxx
enable password xxx encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd xxx encrypted
names
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan1
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
nameif Outside
security-level 0
ip address X.X.X.12 255.255.255.0
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
object network IS-19677_inside194
host 192.168.1.194
description IS-19677 Internal IP Global Zone
object network IS-19677_Outside20
host X.X.X.20
description IS-19677 external IP Global Zone
object network IS-19677_Outside26
host X.X.X.26
description IS-19677 external IP FS Zone
object network IS-19677_inside198
host 192.168.1.198
description IS-19677 Internal IP FS Zone
object network Office1
host X.X.X.135
description office
object service mysql
service tcp source range 1 65535 destination eq 3306
description mysql
object network IS-19677_Outside31
host X.X.X.31
description IS-19677 external IP UNUSED
object network IS-19677_Outside34
host X.X.X.34
description IS-19677 external IP AR Zone
object network IS-19677_inside66
host 192.168.1.66
description IS-19677 Internal IP UNUSED
object network Is-19677_inside67
host 192.168.1.67
description IS-19677 Internal IP AR Zone
object service SunRay1
service tcp source range 1 65535 destination range 7009 7011
description SunRay7009-11
object service SunRay2
service udp source range 1 65535 destination range 32768 65535
description sunRay2
object network IS-19677_inside205
host 192.168.1.205
description IS-19677 Internal IP Def Zone
object network IS-19677_inside206
host 192.168.1.206
description IS-19677 Internal IP GSPP Zone
object network IS-19677_Outside43
host X.X.X.43
description External IP Def zone
object network IS-19677_Inside210
host 192.168.1.210
description Internal Ash BC Zone
object network IS-19677_Outside48
host X.X.X.48
description External Ash BC zone
object network IS-19677_Outside36
host X.X.X.36
description IS-19677 external IP DA Zone
object network IS-19677_inside196
host 192.168.1.196
description IS-19677 Internal IP DA Zone
object service smtpssl
service tcp destination eq 465
object network Reserve_Server_Inside
host 192.168.1.112
description Reserve Server (IS-27791)
object network Reserve_Server_Outside
host X.X.X.11
description Reserve Server (IS-27791)
object network IS-48965_Server_Inside
host 192.168.1.49
description IS-48965_Server_Inside
object network IS-48965_Server_Outside
host X.X.X.49
description IS-48965_Server_Outside
object network IS-49038_Server_Inside
host 192.168.1.14
description IS-49038_Server_Inside
object network IS-49038_Server_Outside
host X.X.X.14
description IS-49038_Server_Outside
object network Reality_Servers_Inside
range 192.168.1.100 192.168.1.200
description Reality Servers (Render Nodes)
object network Reality_Servers_Outside
host X.X.X.92
description Virtual Machine and Reality Public IP
object network VM_Servers
range 192.168.1.100 192.168.1.149
description Virtual Servers
object network GSP_Server_Outside
host X.X.X.27
description GSP Server
object network GSR_Server_Outside
host X.X.X.28
description GSR Server
object network GSP_Server_Inside
host 192.168.1.110
description GSP_Server_Inside
object network GSR_Server_Inside
host 192.168.1.111
description GSR_Server_Inside
object network Eric_Primary_Reserve_Inside
host 192.168.1.150
description Primary G5 Inside
object network Eric_Primary_Reserve_Outside
host X.X.231.19
description Primary G5 Outside
object service ard5900
service tcp destination eq 5900
description ARD 5900
object service ard5988
service tcp destination eq 5988
description ARD 5988
object service afp
service tcp destination eq 548
description Appleshare
object network Office2
host X.X.X.18
description BT Backup Line IP
object network Apple_time_server
host 17.253.54.123
description To keep the time in sync
object network DNS_Google1
host 8.8.8.8
object network DNS_Google2
host 8.8.4.4
object network DNS_R1
host X.X.X.200
object network DNS_R2
host X.X.X.100
object network DNS_R3
host X.X.X.200
object network GS1
subnet X.X.X.0 255.255.255.0
description GS1
object network GS2
subnet X.X.X.0 255.255.255.0
description GS2
object network GS3
subnet X.X.X.0 255.255.255.0
description GS3
object network GS4
subnet X.X.X.0 255.255.255.0
description GS4
object network GS5
subnet X.X.X.0 255.255.255.0
description GS5
object network GS6
subnet X.X.X.0 255.255.255.224
description GS6
object network GS7
subnet X.X.X.0 255.255.255.224
description GS7
object network GS8
subnet X.X.X.224 255.255.255.248
description GS8
object network GS21
subnet X.X.X.0 255.255.255.0
description GS21
object network GS22
subnet X.X.X.0 255.255.255.0
description GS22
object network GS23
subnet X.X.X.0 255.255.255.0
description GS23
object network GS24
subnet X.X.X.0 255.255.255.0
description GS24
object network GS25
subnet X.X.X.0 255.255.255.0
description GS25
object network GS26
subnet X.X.X.0 255.255.255.0
description GS26
object network GS31
subnet X.X.X.0 255.255.255.0
description GS31
object network GS32
subnet X.X.X.0 255.255.255.0
description GS32
object network GS33
host X.X.X.38
description GS33
object network GS34
subnet X.X.X.0 255.255.255.240
description GS34
object network GS35
subnet X.X.X.32 255.255.255.224
description GS35
object network GS41
subnet X.X.X.0 255.255.255.0
description GS41
object network Site1
subnet 10.49.0.0 255.255.0.0
object network Site2
subnet 192.168.1.0 255.255.255.0
object network Head_Office_LAN
subnet 10.50.0.0 255.255.0.0
object network Head_Office_DMZ
subnet 192.168.201.0 255.255.255.0
object-group network Head_Office_Group
description Contains LAN and DMZ networks
network-object object Head_Office_DMZ
network-object object Head_Office_LAN
object-group network OfficeGroup
network-object object Office1
network-object object Office2
object-group network DM_INLINE_NETWORK_1
group-object OfficeGroup
object-group service DM_INLINE_SERVICE_2
service-object object afp
service-object object ard5900
service-object object ard5988
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_2
group-object OfficeGroup
object-group network DM_INLINE_NETWORK_3
group-object OfficeGroup
object-group network DM_INLINE_NETWORK_4
network-object object Eric_Primary_Reserve_Inside
network-object object GSP_Server_Inside
network-object object GSR_Server_Inside
network-object object IS-48965_Server_Inside
network-object object IS-49038_Server_Inside
object-group network DM_INLINE_NETWORK_5
group-object OfficeGroup
object-group network DM_INLINE_NETWORK_6
network-object object Eric_Primary_Reserve_Inside
network-object object GSP_Server_Inside
network-object object GSR_Server_Inside
network-object object IS-48965_Server_Inside
network-object object IS-49038_Server_Inside
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group network DM_INLINE_NETWORK_10
network-object object GSP_Server_Inside
network-object object GSR_Server_Inside
object-group network GSGroup
description GSGroup
network-object object GS1
network-object object GS2
network-object object GS3
network-object object GS4
network-object object GS5
network-object object GS6
network-object object GS7
network-object object GS8
network-object object GS21
network-object object GS22
network-object object GS23
network-object object GS24
network-object object GS25
network-object object GS26
network-object object GS31
network-object object GS32
network-object object GS33
network-object object GS34
network-object object GS35
network-object object GS41
object-group network DM_INLINE_NETWORK_7
group-object OfficeGroup
group-object GSGroup
object-group network DM_INLINE_NETWORK_8
network-object object GSP_Server_Inside
network-object object GSR_Server_Inside
object-group network DM_INLINE_NETWORK_9
group-object OfficeGroup
group-object GSGroup
object-group service DM_INLINE_TCP_3 tcp
port-object eq www
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq www
port-object eq https
object-group network DNS
network-object object DNS_Google1
network-object object DNS_Google2
network-object object DNS_R1
network-object object DNS_R2
network-object object DNS_R3
object-group service DM_INLINE_TCP_5 tcp
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_11
group-object OfficeGroup
object-group network DM_INLINE_NETWORK_12
group-object OfficeGroup
object-group service DM_INLINE_TCP_6 tcp
port-object eq www
port-object eq https
port-object eq ssh
object-group network DM_INLINE_NETWORK_13
group-object OfficeGroup
object-group service DM_INLINE_SERVICE_4
service-object object afp
service-object object ard5900
service-object object ard5988
object-group service DM_INLINE_TCP_7 tcp
port-object eq www
port-object eq https
port-object eq ssh
access-list basic extended permit icmp any any echo
access-list basic extended permit tcp object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10 object-group DM_INLINE_TCP_4
access-list basic extended permit tcp object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_6 eq ssh
access-list basic extended permit tcp object-group DM_INLINE_NETWORK_2 object IS-19677_Inside210 object-group DM_INLINE_TCP_7
access-list basic extended permit object-group DM_INLINE_SERVICE_4 object-group DM_INLINE_NETWORK_13 object Eric_Primary_Reserve_Inside
access-list basic extended permit tcp object-group GSGroup object GSP_Server_Inside eq ssh
access-list basic extended permit tcp object-group DM_INLINE_NETWORK_11 object Reserve_Server_Inside object-group DM_INLINE_TCP_5
access-list allow extended permit ip any any
access-list allow extended permit tcp object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_TCP_3
access-list allow extended permit tcp object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_4 eq ssh
access-list allow extended permit tcp object-group DM_INLINE_NETWORK_12 object IS-19677_Inside210 object-group DM_INLINE_TCP_6
access-list allow extended permit object-group DM_INLINE_SERVICE_2 object-group DM_INLINE_NETWORK_1 object Eric_Primary_Reserve_Inside
access-list allow extended permit tcp object-group GSGroup object GSP_Server_Inside eq ssh
access-list Outside_cryptomap extended permit object-group DM_INLINE_PROTOCOL_2 object Site2 object-group Head_Office_Group
access-list Outside_cryptomap_1 extended permit ip object Site2 object Site1
pager lines 24
logging enable
logging asdm informational
mtu Inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside,Outside) source static Site2 Site2 destination static Head_Office_Group Head_Office_Group no-proxy-arp route-lookup
nat (Inside,Outside) source static Site2 Site2 destination static Site1 Site1 no-proxy-arp route-lookup
nat (Inside,Outside) source static IS-19677_inside194 IS-19677_Outside20
nat (Inside,Outside) source static IS-48965_Server_Inside IS-48965_Server_Outside
nat (Inside,Outside) source static IS-49038_Server_Inside IS-49038_Server_Outside
nat (Inside,Outside) source static Reserve_Server_Inside Reserve_Server_Outside
nat (Inside,Outside) source static GSP_Server_Inside GSP_Server_Outside
nat (Inside,Outside) source static GSR_Server_Inside GSR_Server_Outside
nat (Inside,Outside) source static IS-19677_inside198 IS-19677_Outside26
nat (Inside,Outside) source static IS-19677_inside66 IS-19677_Outside31
nat (Inside,Outside) source static Is-19677_inside67 IS-19677_Outside34
nat (Inside,Outside) source static IS-19677_inside205 IS-19677_Outside43
nat (Inside,Outside) source static IS-19677_Inside210 IS-19677_Outside48
nat (Inside,Outside) source static IS-19677_inside196 IS-19677_Outside36
nat (Inside,Outside) source static Eric_Primary_Reserve_Inside Eric_Primary_Reserve_Outside
!
object network Reality_Servers_Inside
nat (any,any) dynamic Reality_Servers_Outside
access-group allow in interface Inside
access-group allow out interface Inside
access-group basic in interface Outside
access-group allow out interface Outside
route Outside 0.0.0.0 0.0.0.0 X.X.231.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http X.X.X.135 255.255.255.255 Outside
http X.X.X.18 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set pfs
crypto map Outside_map 1 set peer X.X.X.135
crypto map Outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map 2 match address Outside_cryptomap_1
crypto map Outside_map 2 set pfs
crypto map Outside_map 2 set peer X.X.X.198
crypto map Outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map Outside_map interface Outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh X.X.X.135 255.255.255.255 Outside
ssh X.X.X.18 255.255.255.255 Outside
ssh timeout 60
ssh version 2
console timeout 0

threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server X.X.48.2 source Outside
ntp server X.X.75.28 source Outside
group-policy GroupPolicy_X.X.X.198 internal
group-policy GroupPolicy_X.X.X.198 attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_X.X.X.135 internal
group-policy GroupPolicy_X.X.X.135 attributes
vpn-tunnel-protocol ikev2
username admin password MXeW/52ii2l4R//j encrypted privilege 15
tunnel-group X.X.X.135 type ipsec-l2l
tunnel-group X.X.X.135 general-attributes
default-group-policy GroupPolicy_X.X.X.135
tunnel-group X.X.X.135 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.198 type ipsec-l2l
tunnel-group X.X.X.198 general-attributes
default-group-policy GroupPolicy_X.X.X.198
tunnel-group X.X.X.198 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:ffffffffff
: end

Result of the command: "show crypto isakmp sa"

There are no IKEv1 SAs

There are no IKEv2 SAs

 

Result of the command: "show crypto ipsec sa"

The command has been sent to the device

HOWEVER, if I connect from Site 2 to the Head office and re-run those commands, I get:

Result of the command: "show crypto isakmp sa"

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:435, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
1649192869 X.X.X.12/4500 X.X.X.135/4500 READY INITIATOR
Encr: 3DES, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/8 sec
Child sa: local selector 192.168.1.0/0 - 192.168.1.255/65535
remote selector 10.50.0.0/0 - 10.50.255.255/65535
ESP spi in/out: 0x28aafcb3/0xef106f52

 

Result of the command: "show crypto ipsec sa"

interface: Outside
Crypto map tag: Outside_map, seq num: 1, local addr: X.X.X1.12

access-list Outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.50.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.50.0.0/255.255.0.0/0/0)
current_peer: X.X.X.135

#pkts encaps: 22, #pkts encrypt: 22, #pkts digest: 22
#pkts decaps: 22, #pkts decrypt: 22, #pkts verify: 22
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 22, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: X.X.X.12/4500, remote crypto endpt.: X.X.X.135/4500
path mtu 1500, ipsec overhead 66(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: EF106F52
current inbound spi : 28AAFCB3

inbound esp sas:
spi: 0x28AAFCB3 (682294451)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv2, }
slot: 0, conn_id: 4456448, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (3962878/28777)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x007FFFFF
outbound esp sas:
spi: 0xEF106F52 (4010831698)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 2, IKEv2, }
slot: 0, conn_id: 4456448, crypto-map: Outside_map
sa timing: remaining key lifetime (kB/sec): (4101118/28777)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Hi guys, 

Can anyone shed any light on this issue? I can't think what else it could be!

Thanks.

Well Site2 has established a tunnel and you can see packets encap/decap. What is the configuration on the Sonicwall? Is there an ACL blocking traffic being sent on the Sonicwall?
How are you testing connectivity? Do you have a PC connected either end and pinging through the VPN?

The VPN config on the Sonicwall is identical (apart from the destination IP address) for Site1 and Site2.

Access rules are also identical. They are currently just a simple Allow all traffic from LAN at HO to Site1 over VPN and the same to Site2.

I'm testing via a ping to the firewall and to a server at Site2. Have also tried connecting to the server via an open port.

I cannot ping Site2 from HO (my desktop to server/firewall) but can ping HO from Site2 (server to my desktop).

If you can see encrypt/decrypt traffic on the Site2 ASA then obviously traffic is traversing the Sonicwall. Have you double-checked to confirm you don't have a local firewall turned on on the server that could be blocking the response?

What does a debug on the Sonicwall reveal?
Can you provide the Sonicwall configuration for review?
Can you set up a packet capture on either end of the VPN and generate some traffic?

I've found the issue. Not sure how I kept missing it but realised that our secondary line at head office is on the same subnet as Site2. That conflict was causing the issue with Head office not connecting to Site2.

Thanks for your help and sorry for wasting your time!
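An added check for the root cause found in this thread (example code, not from the thread, Cisco or SonicWall): it parses the object, object-group and crypto-map ACL lines of an ASA config excerpt into per-tunnel encryption domains and flags any head-office network that overlaps a subnet a remote site protects. The head-office secondary line's subnet is never stated in the thread, so 192.168.1.0/24 is a constructed stand-in for the conflict described.

```python
import ipaddress
import re

# Constructed excerpt modelled on the Site 2 ASA config posted in the thread.
SITE2_CONFIG = """\
object network Site1
subnet 10.49.0.0 255.255.0.0
object network Site2
subnet 192.168.1.0 255.255.255.0
object network Head_Office_LAN
subnet 10.50.0.0 255.255.0.0
object network Head_Office_DMZ
subnet 192.168.201.0 255.255.255.0
object-group network Head_Office_Group
description Contains LAN and DMZ networks
network-object object Head_Office_DMZ
network-object object Head_Office_LAN
access-list Outside_cryptomap extended permit ip object Site2 object-group Head_Office_Group
access-list Outside_cryptomap_1 extended permit ip object Site2 object Site1
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 2 match address Outside_cryptomap_1
"""

# Assumption: the thread never states the secondary line's subnet; 192.168.1.0/24 is constructed.
HEAD_OFFICE_LOCAL = ["10.50.0.0/16", "192.168.201.0/24", "192.168.1.0/24"]


def parse_defs(config):
    """Map each object/object-group name to members: ('net', network) or ('ref', name)."""
    defs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(("object network ", "object-group network ")):
            cur = line.split()[2]
            defs[cur] = []
        elif cur and line.startswith("subnet "):
            defs[cur].append(("net", ipaddress.ip_network("/".join(line.split()[1:3]), strict=False)))
        elif cur and line.startswith(("network-object object ", "group-object ")):
            defs[cur].append(("ref", line.split()[-1]))
        elif not line.startswith("description"):
            cur = None  # any other stanza ends the current definition
    return defs


def resolve(name, defs):
    """Flatten a (possibly nested) object or object-group into a list of networks."""
    return [n for k, v in defs[name] for n in ([v] if k == "net" else resolve(v, defs))]


def _address_spec(tokens, idx, defs):
    """Decode one ACL address field at tokens[idx]; return (networks, next index)."""
    if tokens[idx] in ("object", "object-group"):
        return resolve(tokens[idx + 1], defs), idx + 2
    # Otherwise a plain 'A.B.C.D MASK' pair.
    return [ipaddress.ip_network(f"{tokens[idx]}/{tokens[idx + 1]}", strict=False)], idx + 2


def crypto_domains(config):
    """Map each crypto-map ACL name to (local_nets, remote_nets) from its permit lines."""
    defs = parse_defs(config)
    acls = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)", config, re.M))
    domains = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit (.+)", line.strip())
        if not m or m.group(1) not in acls:
            continue
        tokens = m.group(2).split()
        idx = 2 if tokens[0] == "object-group" else 1  # skip the protocol field
        local, idx = _address_spec(tokens, idx, defs)
        remote, _ = _address_spec(tokens, idx, defs)
        entry = domains.setdefault(m.group(1), ([], []))
        entry[0].extend(local)
        entry[1].extend(remote)
    return domains


def find_overlaps(local_nets, remote_nets):
    """Sorted, de-duplicated (local, remote) pairs whose address ranges intersect."""
    return sorted({(str(a), str(b)) for a in local_nets for b in remote_nets if a.overlaps(b)})


def head_office_conflicts(site_config, head_office_local):
    """Head-office networks that collide with the local side of a remote site's tunnels."""
    protected = [n for local, _ in crypto_domains(site_config).values() for n in local]
    return find_overlaps([ipaddress.ip_network(n) for n in head_office_local], protected)
```

With the constructed secondary-line subnet present, `head_office_conflicts` reports the 192.168.1.0/24 collision that would make head office route Site 2 traffic locally instead of into the tunnel, while the Site 2 ASA's own crypto ACLs show no overlap, matching why only the HO to Site 2 direction failed.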