09-05-2014 12:52 AM
Hi all.
I've got a site-to-site that's been up and running for some time now. I made an addition to the config a few days ago to allow access to another VLAN, which worked fine at the time. 2-3 days later, at 1am, the line dropped and stopped working. Both devices have been rebooted to no avail, and although the tunnel is up I can't pass any traffic through.
Both show bytes Tx but none Rx.
Both configs are attached, for the remote and office ASAs.
From the office ASA I'm trying to ping, say, from the office server LAN 172.16.102.0/24 to the remote server VLAN 10.192.0.0/16.
09-05-2014 02:08 AM
Hi,
You have many LAN-to-LAN tunnels... which one is having the problem? What is your local LAN segment for that L2L, and what is the remote site's encryption domain or remote local LAN?
Regards
Karthik
09-05-2014 02:19 AM
09-05-2014 02:48 AM
I've run a packet tracer on both ends, which seems to be OK for my ACLs?
From 205.217.13.4
Result of the command: "packet-tracer input inside icmp 10.192.0.100 0 0 172.16.102.103"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat (inside) 0 access-list inside_nat0_outbound_1 outside
match ip inside 10.192.0.0 255.255.0.0 outside OfficeServerNetwork 255.255.255.0
NAT exempt
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 120, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
From OfficeASA:
Result of the command: "packet-tracer input InternalServersVlan102 icmp 172.16.102.103 0 0 10.192.0.100"
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 External
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip InternalServersVlan102 172.16.102.0 255.255.255.0 External VMNetwork 255.255.0.0
NAT exempt
translate_hits = 27591352, untranslate_hits = 337848
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (InternalServersVlan102) 10 0.0.0.0 0.0.0.0 dns
match ip InternalServersVlan102 any External any
dynamic translation to pool 10 (37.157.32.98 [Interface PAT])
translate_hits = 2309788, untranslate_hits = 173
Additional Information:
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (InternalServersVlan102) 10 0.0.0.0 0.0.0.0 dns
match ip InternalServersVlan102 any External any
dynamic translation to pool 10 (37.157.32.98 [Interface PAT])
translate_hits = 2309788, untranslate_hits = 173
Additional Information:
Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 60441700, packet dispatched to next module
Result:
input-interface: InternalServersVlan102
input-status: up
input-line-status: up
output-interface: External
output-status: up
output-line-status: up
Action: allow
09-05-2014 03:02 AM
Hi,
Yeah... this sounds good... can you check your sh crypto ipsec sa output, whether encapsulation and decapsulation happen properly?
Regards
Karthik
09-05-2014 03:04 AM
From server asa:
Result of the command: "sh crypto ipsec sa"
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 205.217.13.4
access-list outside_2_cryptomap permit ip 10.192.0.0 255.255.0.0 OfficeWorkstationNetwork 255.255.255.0
local ident (addr/mask/prot/port): (10.192.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (OfficeWorkstationNetwork/255.255.255.0/0/0)
current_peer: 37.157.32.98
#pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 205.217.13.4, remote crypto endpt.: 37.157.32.98
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 48CC4960
inbound esp sas:
spi: 0xE58A4A8E (3851045518)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/27038)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x48CC4960 (1221347680)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/27038)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 205.217.13.4
access-list outside_2_cryptomap permit ip 10.192.0.0 255.255.0.0 OfficeServerNetwork 255.255.255.0
local ident (addr/mask/prot/port): (10.192.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (OfficeServerNetwork/255.255.255.0/0/0)
current_peer: 37.157.32.98
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 205.217.13.4, remote crypto endpt.: 37.157.32.98
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E0221280
inbound esp sas:
spi: 0xB90F4840 (3104786496)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/26276)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xE0221280 (3760329344)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4274999/26276)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 205.217.13.4
access-list outside_2_cryptomap permit ip Management 255.255.254.0 OfficeServerNetwork 255.255.255.0
local ident (addr/mask/prot/port): (Management/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (OfficeServerNetwork/255.255.255.0/0/0)
current_peer: 37.157.32.98
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 205.217.13.4, remote crypto endpt.: 37.157.32.98
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 4E39081B
inbound esp sas:
spi: 0x69356D92 (1765109138)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28208)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x4E39081B (1312360475)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28208)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: outside_map, seq num: 1, local addr: 205.217.13.4
access-list outside_2_cryptomap permit ip btvlan 255.255.254.0 OfficeServerNetwork 255.255.255.0
local ident (addr/mask/prot/port): (btvlan/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (OfficeServerNetwork/255.255.255.0/0/0)
current_peer: 37.157.32.98
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 205.217.13.4, remote crypto endpt.: 37.157.32.98
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 166EB75C
inbound esp sas:
spi: 0x3FE7882F (1072138287)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28105)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x166EB75C (376354652)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4275000/28105)
IV size: 8 bytes
replay detection support: Y
From OfficeASA:
Result of the command: "sh crypto ipsec sa"
interface: External
Crypto map tag: External_dyn_map, seq num: 1, local addr: 37.157.32.98
local ident (addr/mask/prot/port): (37.157.32.98/255.255.255.255/17/1701)
remote ident (addr/mask/prot/port): (81.100.128.32/255.255.255.255/17/0)
current_peer: 81.100.128.32, username: ATTRAQT.COM\jhenderson
dynamic allocated peer ip: 172.16.50.131
#pkts encaps: 52620, #pkts encrypt: 52620, #pkts digest: 52620
#pkts decaps: 40293, #pkts decrypt: 40293, #pkts verify: 40293
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 52620, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98/4500, remote crypto endpt.: 81.100.128.32/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: F7E0AE2D
current inbound spi : 3005DB13
inbound esp sas:
spi: 0x3005DB13 (805690131)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 646, crypto-map: External_dyn_map
sa timing: remaining key lifetime (kB/sec): (3914950/28764)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xF7E0AE2D (4158697005)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 646, crypto-map: External_dyn_map
sa timing: remaining key lifetime (kB/sec): (3914866/28764)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 1, local addr: 37.157.32.98
access-list External_1_cryptomap extended permit ip 172.16.50.0 255.255.255.0 10.191.0.0 255.255.252.0
local ident (addr/mask/prot/port): (VPN/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.191.0.0/255.255.252.0/0/0)
current_peer: 82.118.75.253
#pkts encaps: 1545, #pkts encrypt: 1545, #pkts digest: 1545
#pkts decaps: 2204, #pkts decrypt: 2204, #pkts verify: 2204
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1545, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 82.118.75.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 9746740E
current inbound spi : 96CF29DB
inbound esp sas:
spi: 0x96CF29DB (2530159067)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3915000/23850)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x9746740E (2537976846)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3915000/23850)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 1, local addr: 37.157.32.98
access-list External_1_cryptomap extended permit ip 172.16.101.0 255.255.255.0 10.191.0.0 255.255.252.0
local ident (addr/mask/prot/port): (172.16.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.191.0.0/255.255.252.0/0/0)
current_peer: 82.118.75.253
#pkts encaps: 345, #pkts encrypt: 345, #pkts digest: 345
#pkts decaps: 448, #pkts decrypt: 448, #pkts verify: 448
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 345, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 82.118.75.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 6E9EEBC1
current inbound spi : DCD20CBB
inbound esp sas:
spi: 0xDCD20CBB (3704753339)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914763/22177)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x6E9EEBC1 (1855908801)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914978/22177)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 1, local addr: 37.157.32.98
access-list External_1_cryptomap extended permit ip 172.16.101.0 255.255.255.0 10.83.62.0 255.255.255.240
local ident (addr/mask/prot/port): (172.16.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.83.62.0/255.255.255.240/0/0)
current_peer: 82.118.75.253
#pkts encaps: 15095, #pkts encrypt: 15095, #pkts digest: 15095
#pkts decaps: 24505, #pkts decrypt: 24505, #pkts verify: 24505
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 15095, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 82.118.75.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 111B4DF3
current inbound spi : 2BF964BD
inbound esp sas:
spi: 0x2BF964BD (737764541)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3913238/21748)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x111B4DF3 (287002099)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914212/21748)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 1, local addr: 37.157.32.98
access-list External_1_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.83.62.0 255.255.255.240
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.83.62.0/255.255.255.240/0/0)
current_peer: 82.118.75.253
#pkts encaps: 11349, #pkts encrypt: 11349, #pkts digest: 11349
#pkts decaps: 11340, #pkts decrypt: 11340, #pkts verify: 11340
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11349, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 82.118.75.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 2B7C8012
current inbound spi : 039B9840
inbound esp sas:
spi: 0x039B9840 (60528704)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914624/20890)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2B7C8012 (729579538)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914802/20890)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 1, local addr: 37.157.32.98
access-list External_1_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.191.0.0 255.255.252.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.191.0.0/255.255.252.0/0/0)
current_peer: 82.118.75.253
#pkts encaps: 1795, #pkts encrypt: 1795, #pkts digest: 1795
#pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1795, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 82.118.75.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 632D470D
current inbound spi : 02472DE6
inbound esp sas:
spi: 0x02472DE6 (38219238)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914359/20903)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x632D470D (1663911693)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914952/20903)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 1, local addr: 37.157.32.98
access-list External_1_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.83.62.32 255.255.255.224
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.83.62.32/255.255.255.224/0/0)
current_peer: 82.118.75.253
#pkts encaps: 41120, #pkts encrypt: 41120, #pkts digest: 41120
#pkts decaps: 41112, #pkts decrypt: 41112, #pkts verify: 41112
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 41120, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 82.118.75.253
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: AEA27911
current inbound spi : 03CC0BBF
inbound esp sas:
spi: 0x03CC0BBF (63703999)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914259/20900)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xAEA27911 (2929883409)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 625, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914278/20900)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_dyn_map, seq num: 1, local addr: 37.157.32.98
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.50.129/255.255.255.255/0/0)
current_peer: 86.152.150.113, username: nmurdoch
dynamic allocated peer ip: 172.16.50.129
#pkts encaps: 5055, #pkts encrypt: 5055, #pkts digest: 5055
#pkts decaps: 4891, #pkts decrypt: 4891, #pkts verify: 4891
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5055, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98/4500, remote crypto endpt.: 86.152.150.113/1025
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 5747DE5D
current inbound spi : F97837F0
inbound esp sas:
spi: 0xF97837F0 (4185405424)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 640, crypto-map: External_dyn_map
sa timing: remaining key lifetime (sec): 21675
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x5747DE5D (1464327773)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 640, crypto-map: External_dyn_map
sa timing: remaining key lifetime (sec): 21675
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_dyn_map, seq num: 1, local addr: 37.157.32.98
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.50.130/255.255.255.255/0/0)
current_peer: 86.152.150.113, username: nmurdoch
dynamic allocated peer ip: 172.16.50.130
#pkts encaps: 4580, #pkts encrypt: 4580, #pkts digest: 4580
#pkts decaps: 4584, #pkts decrypt: 4584, #pkts verify: 4584
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4580, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98/4500, remote crypto endpt.: 86.152.150.113/5890
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 74640C78
current inbound spi : 386DF69A
inbound esp sas:
spi: 0x386DF69A (946730650)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 639, crypto-map: External_dyn_map
sa timing: remaining key lifetime (sec): 21014
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x74640C78 (1952713848)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 639, crypto-map: External_dyn_map
sa timing: remaining key lifetime (sec): 21014
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_dyn_map, seq num: 1, local addr: 37.157.32.98
local ident (addr/mask/prot/port): (37.157.32.98/255.255.255.255/17/0)
remote ident (addr/mask/prot/port): (92.162.169.15/255.255.255.255/17/1701)
current_peer: 92.162.169.15, username: dgriffiths
dynamic allocated peer ip: 172.16.50.151
#pkts encaps: 994, #pkts encrypt: 994, #pkts digest: 994
#pkts decaps: 3301, #pkts decrypt: 3301, #pkts verify: 3301
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 994, #pkts comp failed: 0, #pkts decomp failed: 0
#post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98/4500, remote crypto endpt.: 92.162.169.15/4500
path mtu 1500, ipsec overhead 66, media mtu 1500
current outbound spi: 2BE39616
current inbound spi : 93AE4AB2
inbound esp sas:
spi: 0x93AE4AB2 (2477673138)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 621, crypto-map: External_dyn_map
sa timing: remaining key lifetime (kB/sec): (212362/2457)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x2BE39616 (736335382)
transform: esp-3des esp-sha-hmac none
in use settings ={RA, Transport, NAT-T-Encaps, }
slot: 0, conn_id: 621, crypto-map: External_dyn_map
sa timing: remaining key lifetime (kB/sec): (212400/2457)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 4, local addr: 37.157.32.98
access-list External_4_cryptomap extended permit ip 172.16.102.0 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Umbee/255.255.255.0/0/0)
current_peer: 185.42.64.2
#pkts encaps: 11882, #pkts encrypt: 11882, #pkts digest: 11882
#pkts decaps: 11881, #pkts decrypt: 11881, #pkts verify: 11881
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 11882, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 185.42.64.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 07CD4C11
current inbound spi : CDD58540
inbound esp sas:
spi: 0xCDD58540 (3453322560)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 622, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914777/20768)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x07CD4C11 (130894865)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 622, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914789/20768)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 2, local addr: 37.157.32.98
access-list External_2_cryptomap extended permit ip 172.16.101.0 255.255.255.0 10.192.0.0 255.255.0.0
local ident (addr/mask/prot/port): (172.16.101.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VMNetwork/255.255.0.0/0/0)
current_peer: 205.217.13.4
#pkts encaps: 84, #pkts encrypt: 84, #pkts digest: 84
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 84, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 205.217.13.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E58A4A8E
current inbound spi : 48CC4960
inbound esp sas:
spi: 0x48CC4960 (1221347680)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3915000/26979)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xE58A4A8E (3851045518)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914995/26979)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 2, local addr: 37.157.32.98
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.192.0.0 255.255.0.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (VMNetwork/255.255.0.0/0/0)
current_peer: 205.217.13.4
#pkts encaps: 1965, #pkts encrypt: 1965, #pkts digest: 1965
#pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1965, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 205.217.13.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B90F4840
current inbound spi : E0221280
inbound esp sas:
spi: 0xE0221280 (3760329344)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914999/26218)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xB90F4840 (3104786496)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914863/26218)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 2, local addr: 37.157.32.98
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.196.0.0 255.255.254.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (btvlan/255.255.254.0/0/0)
current_peer: 205.217.13.4
#pkts encaps: 83, #pkts encrypt: 83, #pkts digest: 83
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 83, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 205.217.13.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3FE7882F
current inbound spi : 166EB75C
inbound esp sas:
spi: 0x166EB75C (376354652)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3915000/28047)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3FE7882F (1072138287)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914994/28047)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 2, local addr: 37.157.32.98
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 10.193.0.0 255.255.254.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (Management/255.255.254.0/0/0)
current_peer: 205.217.13.4
#pkts encaps: 53, #pkts encrypt: 53, #pkts digest: 53
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 53, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 205.217.13.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 69356D92
current inbound spi : 4E39081B
inbound esp sas:
spi: 0x4E39081B (1312360475)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3915000/28150)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x69356D92 (1765109138)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 648, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914996/28150)
IV size: 8 bytes
replay detection support: Y
Crypto map tag: External_map, seq num: 5, local addr: 37.157.32.98
access-list External_5_cryptomap extended permit ip 172.16.102.0 255.255.255.0 192.168.13.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
current_peer: 64.90.181.146
#pkts encaps: 6519, #pkts encrypt: 6519, #pkts digest: 6519
#pkts decaps: 6519, #pkts decrypt: 6519, #pkts verify: 6519
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 6519, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 37.157.32.98, remote crypto endpt.: 64.90.181.146
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 07713265
current inbound spi : D6DD492C
inbound esp sas:
spi: 0xD6DD492C (3604826412)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 624, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914879/20816)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x07713265 (124858981)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 624, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3914885/20816)
IV size: 8 bytes
replay detection support: Y
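The encaps/decaps check Karthik asks for, applied to the two outputs just posted, can be done mechanically. The Python script below is an added example and is not part of the thread nor any Cisco tool: it parses `show crypto ipsec sa` output from both peers in the format pasted above, pairs each SA with its counterpart on the other ASA by SPI (one peer's outbound SPI must show up as the other peer's inbound SPI), and reports every direction in which one side encapsulates packets that the other side never decapsulates. The sample input is abridged from the two outputs above, keeping only the lines the parser reads; the server ASA prints no `current inbound spi` line, so the parser falls back to the `inbound esp sas:` listing for it.

```python
import re
from typing import Dict, List, Optional

# Field patterns for ASA "show crypto ipsec sa" output as pasted in the thread.
# Any line that matches none of these is ignored.
RE_HEADER = re.compile(r"^\s*Crypto map tag: (\S+), seq num: (\d+), local addr: (\S+)")
RE_LOCAL = re.compile(r"^\s*local ident \(addr/mask/prot/port\): \(([^)]*)\)")
RE_REMOTE = re.compile(r"^\s*remote ident \(addr/mask/prot/port\): \(([^)]*)\)")
RE_PEER = re.compile(r"^\s*current_peer: ([0-9.]+)")
RE_ENCAPS = re.compile(r"^\s*#pkts encaps: (\d+)")
RE_DECAPS = re.compile(r"^\s*#pkts decaps: (\d+)")
RE_OUT_SPI = re.compile(r"^\s*current outbound spi: ([0-9A-Fa-f]+)")
RE_IN_SPI = re.compile(r"^\s*current inbound spi\s*: ([0-9A-Fa-f]+)")
RE_SA_SPI = re.compile(r"^\s*spi: 0x([0-9A-Fa-f]+)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Return one record per crypto-map entry (one proxy-ID pair, one SA pair)."""
    sas: List[Dict] = []
    cur: Optional[Dict] = None
    section = None  # "in" or "out" while inside the "... esp sas:" listings
    for line in text.splitlines():
        if m := RE_HEADER.match(line):
            cur = {"map": m[1], "seq": int(m[2]), "local_addr": m[3],
                   "local_id": None, "remote_id": None, "peer": None,
                   "encaps": 0, "decaps": 0, "out_spi": None, "in_spi": None}
            sas.append(cur)
            section = None
        elif cur is None:
            continue
        elif m := RE_LOCAL.match(line):
            cur["local_id"] = m[1]
        elif m := RE_REMOTE.match(line):
            cur["remote_id"] = m[1]
        elif m := RE_PEER.match(line):
            cur["peer"] = m[1]
        elif m := RE_ENCAPS.match(line):
            cur["encaps"] = int(m[1])
        elif m := RE_DECAPS.match(line):
            cur["decaps"] = int(m[1])
        elif m := RE_OUT_SPI.match(line):
            cur["out_spi"] = int(m[1], 16)
        elif m := RE_IN_SPI.match(line):
            cur["in_spi"] = int(m[1], 16)
        elif line.strip() == "inbound esp sas:":
            section = "in"
        elif line.strip() == "outbound esp sas:":
            section = "out"
        elif (m := RE_SA_SPI.match(line)) and section == "in" and cur["in_spi"] is None:
            # Older releases (the server ASA above) print no "current inbound spi"
            # line, so take the SPI from the inbound SA listing instead.
            cur["in_spi"] = int(m[1], 16)
    return sas


def diagnose(a_name: str, a_sas: List[Dict], b_name: str, b_sas: List[Dict]) -> List[Dict]:
    """For every SA that A holds towards B: A's outbound SPI must be B's inbound
    SPI, and if A encapsulated packets on it, B must have decapsulated some."""
    b_locals = {sa["local_addr"] for sa in b_sas}
    b_by_in_spi = {sa["in_spi"]: sa for sa in b_sas if sa["in_spi"] is not None}
    findings = []
    for a in a_sas:
        if a["peer"] not in b_locals:
            continue  # SA towards some other peer, not the tunnel under test
        b = b_by_in_spi.get(a["out_spi"])
        if b is None:
            status = "NO_MATCHING_SA"          # B does not know this SPI: stale or mismatched SA
        elif a["encaps"] == 0:
            status = "NO_INTERESTING_TRAFFIC"  # nothing on A matched this crypto ACL entry
        elif b["decaps"] == 0:
            status = "ONE_WAY"  # A encrypts, B never decrypts: lost in transit or dropped before decryption
        else:
            status = "OK"
        findings.append({"direction": f"{a_name}->{b_name}",
                         "selector": f"{a['local_id']} -> {a['remote_id']}",
                         "spi": None if a["out_spi"] is None else f"{a['out_spi']:08X}",
                         "sent": a["encaps"], "received": None if b is None else b["decaps"],
                         "status": status})
    return findings


# Sample input, abridged from the two outputs in the thread (only the lines the
# parser reads are kept). Note that the server ASA prints no "current inbound spi".
OFFICE_ASA = """\
    Crypto map tag: External_map, seq num: 2, local addr: 37.157.32.98
      local ident (addr/mask/prot/port): (172.16.102.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (VMNetwork/255.255.0.0/0/0)
      current_peer: 205.217.13.4
      #pkts encaps: 1965, #pkts encrypt: 1965, #pkts digest: 1965
      #pkts decaps: 17, #pkts decrypt: 17, #pkts verify: 17
      current outbound spi: B90F4840
      current inbound spi : E0221280
"""
SERVER_ASA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 205.217.13.4
      local ident (addr/mask/prot/port): (10.192.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (OfficeServerNetwork/255.255.255.0/0/0)
      current_peer: 37.157.32.98
      #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: E0221280
    inbound esp sas:
      spi: 0xB90F4840 (3104786496)
    outbound esp sas:
      spi: 0xE0221280 (3760329344)
"""

if __name__ == "__main__":
    office, server = parse_ipsec_sa(OFFICE_ASA), parse_ipsec_sa(SERVER_ASA)
    for f in diagnose("office", office, "server", server) + diagnose("server", server, "office", office):
        print(f"{f['direction']:16} {f['selector']:50} spi {f['spi']} sent {f['sent']} "
              f"received {f['received']} {f['status']}")
```

Run on the abridged sample, the office-to-server direction comes out ONE_WAY (1965 encapsulated, 0 decapsulated under the same SPI) while server-to-office is OK. A NO_MATCHING_SA result means the two ASAs hold different SPIs for the same selector, which is a rekey or negotiation problem rather than packet loss and needs a different investigation.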
09-05-2014 03:23 AM
Hi,
Please modify your crypto ACLs at both ends... they should mirror each other...
Make them with plain subnets in the ACL lines instead of objects... at both ends... I see the return traffic is not coming in both cases...
Also make sure that you are able to reach the local LAN subnets from the VPN firewalls...
Regards
Karthik
09-05-2014 03:30 AM
Cheers Karthik.
So you want me to amend the ACL names to match on both ends, and not use a naming convention but the IPs and subnets only?
Both firewalls can route to all subnets locally on each end.
09-05-2014 04:01 AM
I've recreated the objects with exactly the same naming conventions on both sides, and still no joy.
09-05-2014 04:16 AM
The only other thing to note that I can see is that the Office ASA is now showing bytes sent and received.
The remote server ASA is only showing bytes sent.
09-05-2014 10:51 AM
Hi,
From the remote site LAN, if you trace to the office side LAN... is that hitting the VPN firewall? I see the return traffic issue... let me check on other things as well...
Regards
Karthik
09-05-2014 03:00 AM
Hi Locayta,
I do not see any issues with your configuration... you have no-NAT rules in place and crypto ACLs permitting the end site...
But why do you set a group-policy with vpn-idle-timeout none? Do you want to keep the tunnel always up? Can you try changing that to the default option?
Also your no-NAT ACL is pretty confusing... can you match your no-NAT ACL with your crypto ACL statements...
I mean, directly put the subnets instead of placing an object name...
Regards
Karthik
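Karthik's two suggestions in this thread, that the crypto ACLs at both ends mirror each other and that the no-NAT ACL line up with the crypto ACL, can both be checked mechanically. The Python below is an added example, not code from the thread or from Cisco: it reads `name` and `access-list ... permit ip` lines from a config fragment of each ASA, resolves the `name` aliases to addresses, and reports crypto ACL entries that have no source/destination-swapped twin on the other side, plus crypto ACL entries that no single NAT-exempt entry fully covers. The two config fragments are constructed for the example from the networks visible in the outputs above; the office no-NAT ACL name and the address behind OfficeWorkstationNetwork are assumptions, and two faults are planted on purpose (the server's btvlan mask is /24 where the office uses /23, and the office no-NAT ACL has no entry for 172.16.101.0/24) so that the checker has something to report.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source, destination) of one permit-ip ACE


def _take(tokens: List[str], names: Dict[str, str]) -> Net:
    """Consume one address spec (any | host A | A MASK) from the front of the
    token list, resolving `name` aliases to the addresses they stand for."""
    t = tokens.pop(0)
    if t == "any":
        return Net("0.0.0.0/0")
    if t == "host":
        h = tokens.pop(0)
        return Net(names.get(h, h) + "/32")
    mask = tokens.pop(0)
    return Net(f"{names.get(t, t)}/{mask}", strict=False)


def load_config(cfg: str) -> Dict[str, List[Pair]]:
    """Collect the `permit ip` ACEs of every ACL in a config fragment, keyed by ACL name."""
    names: Dict[str, str] = {}
    acls: Dict[str, List[Pair]] = {}
    for line in cfg.splitlines():
        t = line.split()
        if len(t) == 3 and t[0] == "name":            # name <address> <alias>
            names[t[2]] = t[1]
        elif t[:1] == ["access-list"] and "permit" in t:
            i = t.index("permit")
            if t[i + 1] != "ip":                      # port-specific ACEs are out of scope here
                continue
            rest = t[i + 2:]
            acls.setdefault(t[1], []).append((_take(rest, names), _take(rest, names)))
    return acls


def mirror_gaps(a_acl: List[Pair], b_acl: List[Pair]) -> List[Pair]:
    """ACEs in A's crypto ACL that have no exact (dst, src) twin in B's crypto ACL."""
    mirrored = {(d, s) for s, d in b_acl}
    return [p for p in a_acl if p not in mirrored]


def nat_exempt_gaps(crypto_acl: List[Pair], nonat_acl: List[Pair]) -> List[Pair]:
    """Crypto ACEs that no single NAT-exempt ACE fully covers, i.e. traffic that
    would be translated before it reaches the crypto map."""
    return [(s, d) for s, d in crypto_acl
            if not any(s.subnet_of(ns) and d.subnet_of(nd) for ns, nd in nonat_acl)]


# Constructed config fragments (see the lead-in for which parts are assumed and
# which faults are planted).
OFFICE_CFG = """
name 10.192.0.0 VMNetwork
name 10.193.0.0 Management
name 10.196.0.0 btvlan
access-list External_2_cryptomap extended permit ip 172.16.101.0 255.255.255.0 VMNetwork 255.255.0.0
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 VMNetwork 255.255.0.0
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 btvlan 255.255.254.0
access-list External_2_cryptomap extended permit ip 172.16.102.0 255.255.255.0 Management 255.255.254.0
access-list InternalServersVlan102_nat0_outbound extended permit ip 172.16.102.0 255.255.255.0 10.192.0.0 255.248.0.0
"""
SERVER_CFG = """
name 172.16.101.0 OfficeWorkstationNetwork
name 172.16.102.0 OfficeServerNetwork
name 10.193.0.0 Management
name 10.196.0.0 btvlan
access-list outside_2_cryptomap permit ip 10.192.0.0 255.255.0.0 OfficeWorkstationNetwork 255.255.255.0
access-list outside_2_cryptomap permit ip 10.192.0.0 255.255.0.0 OfficeServerNetwork 255.255.255.0
access-list outside_2_cryptomap permit ip Management 255.255.254.0 OfficeServerNetwork 255.255.255.0
access-list outside_2_cryptomap permit ip btvlan 255.255.255.0 OfficeServerNetwork 255.255.255.0
access-list inside_nat0_outbound_1 permit ip 10.192.0.0 255.248.0.0 172.16.0.0 255.255.0.0
"""

if __name__ == "__main__":
    office, server = load_config(OFFICE_CFG), load_config(SERVER_CFG)
    oc, sc = office["External_2_cryptomap"], server["outside_2_cryptomap"]
    print("office ACEs with no mirror on server:", mirror_gaps(oc, sc))
    print("server ACEs with no mirror on office:", mirror_gaps(sc, oc))
    print("office crypto ACEs not NAT-exempt:", nat_exempt_gaps(oc, office["InternalServersVlan102_nat0_outbound"]))
    print("server crypto ACEs not NAT-exempt:", nat_exempt_gaps(sc, server["inside_nat0_outbound_1"]))
```

The mirror check is deliberately exact: a /23 on one side and a /24 on the other is reported even though the ranges overlap, because the ASA negotiates proxy IDs per ACE and a mismatched pair will either fail to negotiate or match only part of the traffic. The NAT-exempt check requires one covering entry per crypto ACE rather than a union of entries, which is the simple form Karthik recommends (plain subnets, one line per crypto ACE).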