06-24-2020 09:49 AM
Hi, I am having a weird issue where I cannot add more networks to the encryption domain in the site-to-site VPN, because then it only works for one.
My current scenario:
Site A - Encryption domain: 192.168.1.0/24
Site B - Encryption domain: 192.168.2.0/24
Then if I add a new network in the Site A encryption domain (for example, 10.10.10.0/24), it does not work and it only works for the first network (I have also added the new network in the remote encryption domain in Site B).
When I run a show crypto ipsec sa in Site A, I can see how I encrypt and decrypt packets for the new network, but in Site B I can just see encrypted packets but not decrypted.
I know that it looks like a routing or NAT issue, but it is not the case. Bear in mind that if I remove network 192.168.1.0/24 from Site A and just add the new network 10.10.10.0/24, it works correctly.
Is there something which could explain this weird behavior? Thanks!
06-24-2020 10:08 AM
Hi,
Perhaps a NAT issue, do you have a NAT exemption rule for this new network?
Please provide your NAT, crypto ACL configuration and the output of “show crypto ipsec sa”
HTH
06-24-2020 10:23 AM - edited 06-24-2020 10:27 AM
Hi Rob,
Thanks for the answer. Bear in mind that the newly added network in the encryption domain works if I remove the old one, so I do not really think it is something related to NAT. It looks like a bug to me, but it worked properly before, after the device got restarted. Please check this output:
SiteB# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1
access-list outside_cryptomap extended permit ip host 10.50.96.19 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (10.50.96.19/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 80.80.80.1
#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.50.1/4500, remote crypto endpt.: 80.80.80.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5DA123AB
current inbound spi : 21737402
inbound esp sas:
spi: 0x21737402 (561214466)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3915000/28281)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x5DA123AB (1570841515)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914999/28280)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 80.80.80.1
#pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
#pkts decaps: 259, #pkts decrypt: 259, #pkts verify: 259
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 265, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 192.168.50.1/4500, remote crypto endpt.: 80.80.80.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: BA03253C
current inbound spi : 5A5D4624
inbound esp sas:
spi: 0x5A5D4624 (1516062244)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914984/28244)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xBA03253C (3120768316)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv1, }
slot: 0, conn_id: 8192, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914984/28244)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
As you can see, there are 0 packets decrypted between 10.50.96.19 and 192.168.10.0/24.
Then you can see how traffic is working properly between 192.168.11.0/24 and 192.168.10.0/24.
Then if I remove the subnet 192.168.11.0/24 from the encryption domain, the traffic between 10.50.96.19 and 192.168.10.0/24 starts working properly and I can see encrypted and decrypted packets.
Then if I add 192.168.11.0/24 again, the traffic between 192.168.11.0/24 and 192.168.10.0/24 does not work (except if I remove the subnet 10.50.96.19).
Bear in mind that this happens for any new network added, and I have tried with different ones which are not being used. Any idea about what could be causing this issue? Thanks!
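To make the asymmetry in that output easier to spot when a tunnel carries many selectors, here is a small added parser (my own example, not from the original post or from Cisco) that reads show crypto ipsec sa text, groups the counters per crypto-map entry, and flags any SA that encrypts but never decrypts. The embedded sample is a constructed excerpt shaped like the output above.

```python
import re

# Constructed excerpt in the shape of the post's "show crypto ipsec sa" output:
# two crypto-map entries for the same peer, one of which encrypts but never decrypts.
SAMPLE = """\
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1
  local ident (addr/mask/prot/port): (10.50.96.19/255.255.255.255/0/0)
  remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
  #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Crypto map tag: outside_map, seq num: 1, local addr: 192.168.50.1
  local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
  #pkts encaps: 265, #pkts encrypt: 265, #pkts digest: 265
  #pkts decaps: 259, #pkts decrypt: 259, #pkts verify: 259
"""

# "local ident (...): (10.50.96.19/255.255.255.255/0/0)" -> side, address, mask
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+)/([^/]+)/")
# the encrypt/decrypt counters sit in the middle of the encaps/decaps lines
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: local/remote selector plus counters."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Crypto map tag:"):
            entries.append({"encrypt": 0, "decrypt": 0})
            continue
        if not entries:
            continue  # ignore header lines before the first entry
        m = IDENT_RE.search(line)
        if m:
            entries[-1][m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = COUNTER_RE.search(line)
        if m:
            entries[-1][m.group(1)] = int(m.group(2))
    return entries

def one_way_entries(entries):
    """Selectors whose SA sends but never receives: the failing pair in the post."""
    return [(e["local"], e["remote"]) for e in entries
            if e["encrypt"] > 0 and e["decrypt"] == 0]

if __name__ == "__main__":
    for local, remote in one_way_entries(parse_ipsec_sa(SAMPLE)):
        print(f"one-way SA: {local} -> {remote} (encrypt>0, decrypt=0)")
```

Run it against the full output of both firewalls: a selector that is one-way on one side only points at the return path for that selector specifically, which is the comparison the post is making by hand.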
06-24-2020 10:29 AM