Site to Site, Rx but no Tx

daveklatka
Level 1

I have a 5512 in a datacenter and a 5505 at an office. I've got a site to site that is connecting, but looking at the session in Monitoring it's showing one-way traffic. I've tried recreating the site to site multiple times. I've also combed through and removed anything that was related to the site to site (network objects and any leftover entries) before recreating the site to site, but I still have one-way traffic. Any help would be appreciated.

The site to site i'm having issues with is the one to 209.221.9.34, inside range is 10.2.13.0/24

Local network is inside 192.168.34.10/24


Richard Burts
Hall of Fame

Would you post the output of show route and perhaps the output of an attempt to traceroute to some address in 10.2.13.0? I would like to verify that the traffic does use the Windstream interface for those destinations.

HTH

Rick


CELTWB-ASA# show route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 173.188.77.65 to network 0.0.0.0
S*    0.0.0.0 0.0.0.0 [128/0] via 173.188.77.65, outside-Windstream
C        70.61.41.248 255.255.255.252 is directly connected, outside-TWC
L        70.61.41.250 255.255.255.255 is directly connected, outside-TWC
C        173.188.77.64 255.255.255.248
           is directly connected, outside-Windstream
L        173.188.77.67 255.255.255.255
           is directly connected, outside-Windstream
C        192.168.1.0 255.255.255.0 is directly connected, Intuitive(VLAN6)
L        192.168.1.1 255.255.255.255 is directly connected, Intuitive(VLAN6)
C        192.168.18.0 255.255.255.0 is directly connected, Guest
L        192.168.18.1 255.255.255.255 is directly connected, Guest
C        192.168.34.0 255.255.255.0 is directly connected, inside
L        192.168.34.1 255.255.255.255 is directly connected, inside
CELTWB-ASA# traceroute 10.2.13.10
Type escape sequence to abort.
Tracing the route to 10.2.13.10
 1  h65.77.188.173.static.ip.windstream.net (173.188.77.65) 10 msec 0 msec 0 msec
 2  xe2-3-1-0.agr03.hdsn01-oh.us.windstream.net (151.213.254.66) 0 msec 0 msec 0 msec
 3  et9-0-0-0.cr01.cley01-oh.us.windstream.net (40.136.97.135) 0 msec 0 msec 0 msec
 4  et11-0-0-0.cr01.chcg01-il.us.windstream.net (40.128.248.71) 10 msec 10 msec 10 msec
 5  et5-0-0-0.cr02.chcg01-il.us.windstream.net (40.128.10.145) 10 msec 10 msec 10 msec
 6  et5-0-0-0.cr01.atln01-ga.us.windstream.net (40.128.10.137) 30 msec 30 msec 30 msec
 7  et5-0-0-0.pe03.atln01-ga.us.windstream.net (40.132.58.197) 40 msec 30 msec 30 msec
 8  xe0-0-1-0.agr03.tamq01-fl.us.windstream.net (40.128.249.139) 50 msec 50 msec 50 msec
 9  gi-1-26.agr01.srst01-fl.us.windstream.net (40.136.116.217) 70 msec 70 msec 70 msec
 10 gi0-1.pe01.srst01-fl.us.windstream.net (173.221.1.51) 60 msec 70 msec 70 msec
 11  *  *  *
 12  *  *  *
 13  *  *  *
 14  *  *  *
 15  *  *  *
 16  *  *  *
 17  *  *  *
 18  *  *  *
 19  *  *  *
 20  *  *  *
 21  *  *  *
 22  *  *  *
 23  *  *  *
 24  *  *  *
 25  *  *  *
 26  *  *  *
 27  *  *  *
 28  *  *  *
 29  *  *  *
 30  *  *  *

Thanks for the information. I have checked the config and do not see an issue that would explain the symptoms that you describe. Would you post the output of the command

show crypto IPsec sa peer 209.221.9.34

And can you confirm that the inside network has a correct route for 10.2.13.0 that forwards it to your ASA?

HTH

Rick


Thank you for looking at this for me.
Here is the info you requested.
CELTWB-ASA# show crypto IPsec sa peer 209.221.9.34
peer address: 209.221.9.34
    Crypto map tag: outside-Windstream_map, seq num: 2, local addr: 173.188.77.67
      access-list outside-Windstream_cryptomap_1 extended permit ip 192.168.34.0 255.255.255.0 10.2.13.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.34.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.13.0/255.255.255.0/0/0)
      current_peer: 209.221.9.34

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 958, #pkts decrypt: 958, #pkts verify: 958
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
      local crypto endpt.: 173.188.77.67/500, remote crypto endpt.: 209.221.9.34/500
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: AD75413F
      current inbound spi : A9F288EB
    inbound esp sas:
      spi: 0xA9F288EB (2851244267)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 405504, crypto-map: outside-Windstream_map
         sa timing: remaining key lifetime (kB/sec): (3916749/12750)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xAD75413F (2910142783)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 405504, crypto-map: outside-Windstream_map
         sa timing: remaining key lifetime (kB/sec): (4239360/12750)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
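
The counters above (#pkts encaps: 0 against #pkts decaps: 958) are the key observation in this thread, so here is an added helper, not from the original post or from Cisco, that pulls the proxy identities and packet counters out of a `show crypto ipsec sa` dump and labels each SA by the direction that has actually carried traffic. The sample text is a constructed, trimmed copy of the output posted above; the hints are the usual things to check for each pattern.

```python
import re

# Constructed sample modelled on the counters posted above (trimmed, not the full ASA output).
SAMPLE_SA_OUTPUT = """\
peer address: 209.221.9.34
    Crypto map tag: outside-Windstream_map, seq num: 2, local addr: 173.188.77.67
      local ident (addr/mask/prot/port): (192.168.34.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.13.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 958, #pkts decrypt: 958, #pkts verify: 958
"""

COUNTERS = {"encaps": r"#pkts encaps: (\d+)", "decaps": r"#pkts decaps: (\d+)"}

def parse_ipsec_sa(text):
    """One dict per SA (each starts at 'local ident'): proxy identities plus packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        ident = re.search(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/", line)
        if ident and ident.group(1) == "local":
            cur = dict(local=None, remote=None, encaps=0, decaps=0)
            sas.append(cur)
        if cur is None:
            continue                      # header lines before the first SA
        if ident:
            cur[ident.group(1)] = f"{ident.group(2)}/{ident.group(3)}"
            continue
        for name, pattern in COUNTERS.items():
            m = re.search(pattern, line)
            if m:
                cur[name] = int(m.group(1))
    return sas

def classify(sa):
    """Which direction has carried packets: 'idle', 'rx-only', 'tx-only' or 'bidirectional'."""
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"
    if sa["encaps"] == 0:
        return "rx-only"                  # peer's packets decrypt fine, we never encrypt anything
    if sa["decaps"] == 0:
        return "tx-only"
    return "bidirectional"

HINTS = {
    "rx-only": "local traffic for the remote subnet never reaches the crypto map: "
               "check NAT exemption, the crypto ACL and routing toward the remote subnet",
    "tx-only": "this ASA encrypts but nothing returns: check the same items on the peer",
}
```

Run `parse_ipsec_sa` on a full multi-peer dump and `classify` each entry to find SAs that are silently one-directional.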

Thank you for the output of show crypto IPsec sa peer. Can you confirm that your inside network has a route for the 10.2.13.0 network? Can you post the output of an attempt from a device in your inside network to traceroute (or tracert for Windows) to an address in the 10.2.13.0 network?

HTH

Rick


I did a tracert from a known working site to site, then the failing site to site after that.
As for the 'confirm route', other than checking the NAT rules, which are there, I'm not sure where you want me to look.
C:\Users\ltech.dklatka>tracert 192.168.24.10
Tracing route to celsrv-tempdc01.celabs.local [192.168.24.10]
over a maximum of 30 hops:
  1    92 ms    88 ms    93 ms  celsrv-tempdc01.celabs.local [192.168.24.10]
Trace complete.
C:\Users\ltech.dklatka>tracert 10.2.13.10
Tracing route to 10.2.13.10 over a maximum of 30 hops
  1     *        *        *     Request timed out.
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *        *        *     Request timed out.
 25     *        *        *     Request timed out.
 26     *        *        *     Request timed out.
 27     *        *        *     Request timed out.
 28     *        *        *     Request timed out.
 29     *        *        *     Request timed out.
 30     *        *        *     Request timed out.
Trace complete.

Since I do not know the topology of your network it is difficult to know specifically how to ask. But let me try it this way:

- what is the default gateway for the PC from which you did the tracert?

- on that device that is the default gateway for your PC does its route table have an entry for 10.2.13.0?

HTH

Rick


The default gateway for the network is the ASA 5505 (192.168.34.1).

The only place I can find the 10.2.13.0 is in the NAT rules. It specifies that all traffic coming from 192.168.34.0/24 to 10.2.13.0/24 NATs to outside-Windstream. This is the same for 2 other site to sites we have, and they are sending just fine.

Two more things to try.

- would you post the output of route print from your PC?

- would you enable logging buffered and provide a decent size buffer for the data. Then make another attempt to access the 10.2.13.0 network. Then look in the logs and see what references there might be for 10.2.13. I am hoping for some verification whether the ASA sees traffic toward 10.2.13 and if so what the ASA says it is doing with that attempt.

HTH

Rick


C:\Users\ltech.dklatka>route print
===========================================================================
Interface List
 13...00 15 5d 08 71 03 ......Microsoft Hyper-V Network Adapter
  1...........................Software Loopback Interface 1
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.34.1    192.168.34.11    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.34.0    255.255.255.0         On-link     192.168.34.11    261
    192.168.34.11  255.255.255.255         On-link     192.168.34.11    261
   192.168.34.255  255.255.255.255         On-link     192.168.34.11    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.34.11    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.34.11    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.34.1  Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 13    261 fe80::/64                On-link
 13    261 fe80::7157:b074:de82:8f37/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
The logs are showing built and teardown messages:
6 Nov 21 2016 14:07:40 302020 192.168.34.11 1 10.2.13.10 0 Built outbound ICMP connection for faddr 10.2.13.10/0 gaddr 192.168.34.11/1 laddr 192.168.34.11/1
6 Nov 21 2016 14:07:42 302021 10.2.13.10 0 192.168.34.11 1 Teardown ICMP connection for faddr 10.2.13.10/0 gaddr 192.168.34.11/1 laddr 192.168.34.11/1
6 Nov 21 2016 14:13:04 302015 192.168.34.15 44252 10.2.13.10 53 Built outbound UDP connection 11626834 for outside-Windstream:10.2.13.10/53 (10.2.13.10/53) to inside:192.168.34.15/44252 (192.168.34.15/44252)
6 Nov 21 2016 14:15:06 302016 10.2.13.10 53 192.168.34.15 44252 Teardown UDP connection 11626834 for outside-Windstream:10.2.13.10/53 to inside:192.168.34.15/44252 duration 0:02:01 bytes 41

I did a little test and extended the site to site to include my DNS servers for my company. They are on a different interface and are in the range of 217.31.217.0/24

I added just 172.31.217.10 and 172.31.217.11. After I adjusted the NAT rules to allow that interface to talk to my 192.168.34.0 network from my ASA 5512, traffic was flowing between those, but I was still unable to communicate through the same site to site between 10.2.13.0 and 192.168.34.0.
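
Rick's suggestion above was to use the buffered log to confirm that the ASA sees traffic toward 10.2.13.0 and what it does with it. As an added example, not code from the thread or from Cisco, the script below reads ASA connection build/teardown messages in the exact layout posted above and reports, per connection to the remote subnet, the egress interface, whether the source address was translated before it left (a translated source cannot match a crypto ACL written for the real inside subnet), and the byte count at teardown. The sample log is constructed; the last line is an invented TCP flow whose source is mapped to the outside address, included only to exercise the NAT check.

```python
import ipaddress
import re

# Constructed sample in the layout of the ASA messages posted above; the final TCP line is invented.
SAMPLE_LOG = """\
6 Nov 21 2016 14:07:40 302020 192.168.34.11 1 10.2.13.10 0 Built outbound ICMP connection for faddr 10.2.13.10/0 gaddr 192.168.34.11/1 laddr 192.168.34.11/1
6 Nov 21 2016 14:07:42 302021 10.2.13.10 0 192.168.34.11 1 Teardown ICMP connection for faddr 10.2.13.10/0 gaddr 192.168.34.11/1 laddr 192.168.34.11/1
6 Nov 21 2016 14:13:04 302015 192.168.34.15 44252 10.2.13.10 53 Built outbound UDP connection 11626834 for outside-Windstream:10.2.13.10/53 (10.2.13.10/53) to inside:192.168.34.15/44252 (192.168.34.15/44252)
6 Nov 21 2016 14:15:06 302016 10.2.13.10 53 192.168.34.15 44252 Teardown UDP connection 11626834 for outside-Windstream:10.2.13.10/53 to inside:192.168.34.15/44252 duration 0:02:01 bytes 41
6 Nov 21 2016 14:16:00 302013 192.168.34.15 50000 203.0.113.5 443 Built outbound TCP connection 11626900 for outside-Windstream:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.34.15/50000 (173.188.77.67/50000)
"""

# severity, date, time, message id, src, sport, dst, dport, free text
HEADER = re.compile(r"^\d+ \w{3} \d+ \d{4} [\d:]+ (\d{6}) (\S+) (\d+) (\S+) (\d+) (.*)$")
BUILT = {"302013": "TCP", "302015": "UDP", "302020": "ICMP"}
TEARDOWN = {"302014", "302016", "302021"}

def triage(log_text, remote_subnet):
    """Connections the ASA built toward remote_subnet: egress interface, NAT applied, bytes."""
    net = ipaddress.ip_network(remote_subnet)
    conns = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        msgid, a, ap, b, bp, text = m.groups()
        if msgid in BUILT and ipaddress.ip_address(b) in net:
            rec = {"proto": BUILT[msgid], "src": a, "dst": b, "egress": None,
                   "translated": False, "bytes": None}
            iface = re.search(r" for ([^\s:]+):", text)
            if iface:                      # 302020 (ICMP) carries no interface name
                rec["egress"] = iface.group(1)
            # TCP/UDP: "to inside:REAL/port (MAPPED/port)"; ICMP: "gaddr MAPPED/id laddr REAL/id"
            nat = (re.search(r" to [^\s:]+:(\S+?)/\d+ \((\S+?)/\d+\)", text)
                   or re.search(r"gaddr (\S+?)/\d+ laddr (\S+?)/\d+", text))
            if nat:
                rec["translated"] = nat.group(1) != nat.group(2)
            conns[(a, ap, b, bp)] = rec
        elif msgid in TEARDOWN and (b, bp, a, ap) in conns:   # teardown lists the remote end first
            size = re.search(r"bytes (\d+)", text)
            if size:
                conns[(b, bp, a, ap)]["bytes"] = int(size.group(1))
    return list(conns.values())

def findings(rec):
    notes = []
    if rec["translated"]:
        notes.append("source was NATted before encryption, so it cannot match the crypto ACL")
    if rec["proto"] == "UDP" and rec["bytes"] is not None and rec["bytes"] < 100:
        notes.append("only a few bytes over the whole connection: consistent with a request and no reply")
    return notes
```

The 41-byte UDP connection that lasted until the idle timeout is what a DNS query with no answer looks like from the ASA's side, which matches the rx-only SA counters rather than contradicting them.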

Thank you for the additional test. It is interesting and perhaps a bit puzzling. It is good to know that if you add the DNS servers to the traffic to be processed by the VPN that the DNS server traffic does go normally through the VPN. That shows that the VPN config does work. And it seems to say that there is something about the 10.2.13.0 network that is different. I do not see anything in what you have posted from the PC that would impact this network, and we do not see anything in the ASA config that would impact it. So it leaves me wondering what and where it could be.

Can you tell me about your PC connection? Does it connect directly to the ASA, or does it connect to some other device that connects to the ASA?

HTH

Rick


Sorry about the delayed reply, holiday.

We go from the Cisco ASA 5505 to a Cisco SG500-52P stacked with a SG500-52.

Each server/computer connects to a single port in the stack.

There are no extra switches between the computers and the stack.

Thanks for the update. I understand the impact of holidays on our other activities.

Is there any possibility that something in the stack has any logic that impacts 10.2.13.0?

HTH

Rick
