Site to Site VPN DNS resolving Issue

Dears,

I have an ASA 5508-X and I set up 4 site-to-site VPNs with the vpn-filter feature; all are working fine. The problem I am facing is that

when I try to access a server in the remote site by URL with http or https, I can't access it, but at the same time I can ping it.

Local site >>>>>>vpn>>>>>>>Remote site


12 Replies

The clients in the remote site need to use a DNS server that can resolve the resources of the central site. If all locations are part of the same company, then point all clients to the central DNS.

If the locations are not part of the same company, the other locations have to use DNS views (or conditional forwarding in Windows Server) to send requests for the central DNS domain to the right DNS server.

When I run packet-tracer I get this result:

Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Which ACL drops this?

This is the drop due to the vpn-filter.

Can you share the output of show vpn-sessiondb detail l2l filter ipaddress <peer ip>,

sh run tunnel-group <peer ip> and the group-policy config for that tunnel?

ciscoasa(config)# sh vpn-sessiondb l2l filter ipaddress 63.1.1.5

Session Type: LAN-to-LAN

Connection : 63.1.1.5
Index : 1922 IP Addr : 63.1.1.5
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (3)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx : 469081 Bytes Rx : 1974429
Login Time : 00:59:33 UTC Sun Sep 11 2016
Duration : 4h:28m:27s

ciscoasa(config)# sh run tunnel-group 63.1.1.5
tunnel-group 63.1.1.5 type ipsec-l2l
tunnel-group 63.1.1.5 general-attributes
default-group-policy 63.1.1.5
tunnel-group 63.1.1.5 ipsec-attributes
ikev1 pre-shared-key *****

ciscoasa(config)# sh run group-policy 63.1.1.5
group-policy 63.1.1.5 internal
group-policy 63.1.1.5 attributes
vpn-filter value AROW_CAIRO

Hi mohamed.fawzy2012,

As I said, the vpn-filter is blocking the traffic, and the access-list is AROW_CAIRO.

Please remove the access list and then bounce the tunnel using the command

clear crypto ipsec sa peer <ip address of the remote peer>

and see if that resolves the issue.

Thanks

Shakti

I already did that and the issue still exists.

Hi mohamed.fawzy2012,

Are you still seeing 

Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa

when you run packet-tracer?

Thanks

Shakti

ciscoasa# packet-tracer input inside tcp 10.68.20.1 1025 10.0.252.139 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.1.1.4 using egress ifc outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Real_Cairo_Net Real_Cairo_Net destination static Real_Arrow_Net Real_Arrow_Net no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.252.139/80 to 10.0.252.139/80

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Real_Cairo_Net Real_Cairo_Net destination static Real_Arrow_Net Real_Arrow_Net no-proxy-arp route-lookup
Additional Information:
Static translate 10.68.20.1/1025 to 10.68.20.1/1025

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR_DC
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
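Both packet-tracer pastes in this thread are read the same way: walk the phases, find the first one whose Result is DROP, and let its Type/Subtype tell you which subsystem to look at (ACCESS-LIST / filter-aaa is the vpn-filter, as confirmed above; VPN / encrypt is the pre-encryption check). The following script is an added example, not part of the original thread or of any Cisco tool, that does that triage over pasted output. The two sample inputs are abbreviated copies of the outputs posted above; the "where to look next" table is this example's own assumption and not ASA documentation.

```python
"""Triage Cisco ASA packet-tracer output: report the phase that dropped the flow.

Added example for the thread above, not Cisco code. The HINTS table is an
assumption of this example (the filter-aaa row is what the thread confirms).
"""
import re

# Constructed from the first packet-tracer paste in the thread (only Phase 9 shown).
SAMPLE_FILTER_DROP = """\
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed from the second paste (last two phases only).
SAMPLE_VPN_DROP = """\
Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
 match access-list SFR_DC
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# (Type, Subtype) of the dropping phase -> what to check next. Assumed mapping.
HINTS = {
    ("ACCESS-LIST", "filter-aaa"): "vpn-filter ACL on the group-policy of this tunnel-group; "
                                   "show vpn-sessiondb detail l2l filter ipaddress <peer>",
    ("ACCESS-LIST", ""): "interface ACL (access-group); show access-list <name>",
    ("VPN", "encrypt"): "crypto map / IPsec SA for this flow; "
                        "show crypto ipsec sa peer <peer>, debug crypto ipsec",
}

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")


def parse_phases(text):
    """Return one dict per 'Phase: N' block, with type, subtype, result and config lines."""
    phases, current, in_config = [], None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_RE.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": []}
            phases.append(current)
            in_config = False
            continue
        if current is None:          # summary block at the end, or preamble
            continue
        key, sep, value = line.partition(":")
        if key == "Type" and sep:
            current["type"], in_config = value.strip(), False
        elif key == "Subtype" and sep:
            current["subtype"], in_config = value.strip(), False
        elif key == "Result" and sep:
            if value.strip():
                current["result"] = value.strip()
            else:
                current = None       # a bare "Result:" opens the final summary
            in_config = False
        elif key == "Config" and sep and not value.strip():
            in_config = True         # following lines are the matching config
        elif key == "Additional Information" and sep:
            in_config = False
        elif in_config and line.strip():
            current["config"].append(line.strip())
    return phases


def drop_reason(text):
    m = re.search(r"^Drop-reason:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None


def triage(text):
    """Return the first DROP phase, its config and a hint; verdict ALLOW if none dropped."""
    for p in parse_phases(text):
        if p["result"].upper() == "DROP":
            hint = HINTS.get((p["type"], p["subtype"]),
                             "no hint for this phase; read its Config block")
            return {"verdict": "DROP", "phase": p["phase"], "type": p["type"],
                    "subtype": p["subtype"], "config": p["config"],
                    "drop_reason": drop_reason(text), "hint": hint}
    return {"verdict": "ALLOW", "phase": None, "type": None, "subtype": None,
            "config": [], "drop_reason": drop_reason(text), "hint": None}


if __name__ == "__main__":
    for name, sample in (("filter", SAMPLE_FILTER_DROP), ("vpn", SAMPLE_VPN_DROP)):
        r = triage(sample)
        print(f"{name}: {r['verdict']} at phase {r['phase']} {r['type']}/{r['subtype']} -> {r['hint']}")
```

Paste the full packet-tracer output into `triage()`; the generic `(acl-drop)` drop-reason in the summary is the same for both cases above, which is why the phase Type/Subtype, not the drop-reason, is the useful field.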

Hi mohamed.fawzy2012,

Okay, now it looks like the VPN filter has been removed but the issue lies on the crypto side of things. Please execute the below set of debugs while you initiate the traffic and share the output of the logs:

debug crypto condition peer <ip address of the remote peer>

debug crypto isakmp 200

debug crypto ipsec 200

thanks

Shakti

Yes, I did it again: removed the vpn-filter and reset the peer. But there was another reason besides that: FireSIGHT was blocking the local DNS from resolving via the global DNS.

So it was vpn-filter + DNS issue.

Thanks a lot

Shakti Kumar (Cisco Employee)

Hi,

OR

you can check the associated group-policy under the tunnel-group; below is the command:

sh run tunnel-group <ip address of the remote peer>

The vpn-filter access list should be on the group-policy associated with the tunnel-group. Even if you remove the vpn-filter you will have to bounce the tunnel once to remove the vpn-filter access-list.

Hope that helps

Thanks

Shakti
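The symptom in this thread (ping crosses the tunnel, HTTP/HTTPS is dropped at ACCESS-LIST / filter-aaa) is what a vpn-filter ACL produces when its TCP entries are written in the wrong orientation. The fragment below is an added example, not the thread's configuration: the contents of the AROW_CAIRO ACL are never shown in the thread, so the ACL names AROW_CAIRO_BROKEN and AROW_CAIRO_FIXED and the two /24 networks are hypothetical. It reuses the peer address 63.1.1.5, the group-policy name and the packet-tracer command from the thread. The orientation rule it encodes is the one documented for vpn-filter on the ASA: the ACL is evaluated against decrypted traffic arriving from the peer, so ACEs are written remote-to-local, and for traffic leaving toward the peer the ASA matches with source and destination (addresses and ports) swapped. Treat that rule as the example's assumption and confirm it with packet-tracer in both directions on your own box.

```cisco
! Added example, not the thread's config. Hypothetical networks:
!   local (inside) network           10.68.20.0/24
!   remote network behind the peer   10.0.252.0/24
!
! vpn-filter ACEs are written remote -> local. Traffic the ASA sends TO the peer is
! checked with source/destination (addresses AND ports) swapped.
!
! BROKEN: ICMP passes (no ports), and TCP/80 passes only when the REMOTE side is the
! client. A local browser opening http://10.0.252.139 is matched as
!   10.0.252.139:80 -> 10.68.20.1:1025
! which no ACE covers, so packet-tracer reports ACCESS-LIST / filter-aaa DROP.
access-list AROW_CAIRO_BROKEN extended permit icmp 10.0.252.0 255.255.255.0 10.68.20.0 255.255.255.0
access-list AROW_CAIRO_BROKEN extended permit tcp 10.0.252.0 255.255.255.0 10.68.20.0 255.255.255.0 eq 80
!
! FIXED: for servers the LOCAL side connects to, the server port goes on the remote
! (source) side. Keep the first form only for servers the remote side connects to.
access-list AROW_CAIRO_FIXED extended permit icmp 10.0.252.0 255.255.255.0 10.68.20.0 255.255.255.0
access-list AROW_CAIRO_FIXED extended permit tcp 10.0.252.0 255.255.255.0 eq 80 10.68.20.0 255.255.255.0
access-list AROW_CAIRO_FIXED extended permit tcp 10.0.252.0 255.255.255.0 eq 443 10.68.20.0 255.255.255.0
!
! The filter lives on the group-policy that the tunnel-group references.
group-policy 63.1.1.5 attributes
 vpn-filter value AROW_CAIRO_FIXED
!
! The filter is bound when the session is built, so bounce the tunnel after any change:
clear crypto ipsec sa peer 63.1.1.5
!
! Verify: the ACCESS-LIST / filter-aaa phase should now report ALLOW for the web flow.
packet-tracer input inside tcp 10.68.20.1 1025 10.0.252.139 80
```

Remember that a vpn-filter ends in an implicit deny and applies to every flow in that tunnel; `show vpn-sessiondb detail l2l filter ipaddress 63.1.1.5` shows which filter the live session actually picked up, which is what to check before and after the bounce.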
