08-23-2016 05:46 AM
Dears,
I have an ASA 5508-X and I set up 4 site-to-site VPNs with the vpn-filter feature; all are working fine. I am facing a problem:
when I try to access a server in the remote site by URL over HTTP or HTTPS, I can't access it, and at the same time I can ping it.
Local site >>>>>>vpn>>>>>>>Remote site
08-23-2016 06:19 AM
The clients in the remote site need to use a DNS-server that can resolve the resources of the central site. If all locations are part of the same company, then point all clients to the central DNS.
If the locations are not part of the same company, the other locations have to use DNS-views (or conditional forwarding in Windows Server) to send requests for the central DNS-domain to the right DNS-server.
08-23-2016 09:30 AM
When I run packet-tracer I get this result:
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Which ACL drops this?
09-10-2016 07:18 PM
This is the drop due to the vpn-filter.
Can you share the output of show vpn-sessiondb detail l2l filter ip-address <peer ip>,
sh run tunnel-group <peer ip> and the group-policy config for that tunnel?
09-10-2016 08:33 PM
ciscoasa(config)# sh vpn-sessiondb l2l filter ipaddress 63.1.1.5
Session Type: LAN-to-LAN
Connection : 63.1.1.5
Index : 1922 IP Addr : 63.1.1.5
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (3)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx : 469081 Bytes Rx : 1974429
Login Time : 00:59:33 UTC Sun Sep 11 2016
Duration : 4h:28m:27s
ciscoasa(config)# sh run tunnel-group 63.1.1.5
tunnel-group 63.1.1.5 type ipsec-l2l
tunnel-group 63.1.1.5 general-attributes
default-group-policy 63.1.1.5
tunnel-group 63.1.1.5 ipsec-attributes
ikev1 pre-shared-key *****
ciscoasa(config)# sh run group-policy 63.1.1.5
group-policy 63.1.1.5 internal
group-policy 63.1.1.5 attributes
vpn-filter value AROW_CAIRO
09-10-2016 08:45 PM
Hi mohamed.fawzy2012,
As I said, vpn-filter is blocking the traffic and the access-list is AROW_CAIRO.
Please remove the access list and then bounce the tunnel using the command
clear crypto ipsec sa peer (ip address of the remote peer)
and see if that resolves the issue.
Thanks
Shakti
09-10-2016 08:47 PM
I already did that and the issue still exists.
09-10-2016 08:58 PM
Hi mohamed.fawzy2012,
Are you still seeing
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
when you run a packet-tracer?
Thanks
Shakti
09-11-2016 07:08 AM
ciscoasa# packet-tracer input inside tcp 10.68.20.1 1025 10.0.252.139 80
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 62.1.1.4 using egress ifc outside
Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Real_Cairo_Net Real_Cairo_Net destination static Real_Arrow_Net Real_Arrow_Net no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.0.252.139/80 to 10.0.252.139/80
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Real_Cairo_Net Real_Cairo_Net destination static Real_Arrow_Net Real_Arrow_Net no-proxy-arp route-lookup
Additional Information:
Static translate 10.68.20.1/1025 to 10.68.20.1/1025
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR_DC
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
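An added Python helper, not from this thread or from Cisco, that pulls the dropping phase out of a packet-tracer transcript and maps it to the diagnosis given in the replies above (filter-aaa means the vpn-filter on the group-policy; a VPN encrypt drop points at the crypto side). The sample transcript is constructed and abridged, and the hint table is an assumption based only on this thread, not a complete ASA drop-reason table.

```python
import re

# Constructed sample: an abridged packet-tracer transcript in the same layout
# as the one posted in this thread (only the last two phases are shown).
SAMPLE = """\
Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Phase: 9
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Hints keyed by (Type, Subtype) of the dropping phase. Taken from the advice in
# this thread; not an exhaustive ASA drop table (assumption).
HINTS = {
    ("ACCESS-LIST", "filter-aaa"): "vpn-filter ACL on the tunnel's group-policy",
    ("VPN", "encrypt"): "crypto side; collect debug crypto isakmp/ipsec for the peer",
}

def parse_phases(text):
    """Split packet-tracer output into one dict per phase."""
    phases = []
    for line in text.splitlines():
        m = re.match(r"^(Phase|Type|Subtype|Result):\s*(.*)$", line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Phase":
            phases.append({"Phase": int(val)})
        elif phases and key not in phases[-1]:
            phases[-1][key] = val  # the trailing empty "Result:" is ignored
    return phases

def find_drop(text):
    """Return (phase, type, subtype, hint) for the first DROP phase, or None."""
    for p in parse_phases(text):
        if p.get("Result") == "DROP":
            key = (p.get("Type", ""), p.get("Subtype", ""))
            return (p["Phase"], key[0], key[1], HINTS.get(key, "unmapped phase"))
    return None
```

Paste the full `packet-tracer` output into `find_drop` to see which phase dropped the flow; if it reports the vpn-filter, bounce the tunnel after editing the ACL as the thread notes.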
09-11-2016 09:49 AM
Hi mohamed.fawzy2012,
Okay, now it looks like the VPN filter has been removed but the issue lies on the crypto side of things. Please run the set of debugs below while you initiate the traffic and share the output of the logs:
debug crypto condition peer <ip address of the remote peer>
debug crypto isakmp 200
debug crypto ipsec 200
Thanks
Shakti
09-26-2016 05:22 PM
Yes, I did it again, removed the vpn-filter and reset the peer, but there was another reason besides that: FireSIGHT was blocking the local DNS from resolving through the global DNS.
So it was vpn-filter + DNS issue.
Thanks a lot
09-07-2016 07:44 PM
Hi mohamed.fawzy2012,
This means that you have a vpn-filter in place which is dropping the traffic. In order to see which access-list is causing the drop, you need to check the output of
sh vpn-sessiondb l2l filter name <ip address of the remote vpn peer>
OR
you can check the associated group-policy under the tunnel-group; below is the command
sh run tunnel-group (ip address of the remote peer)
The vpn-filter access list should be on the group-policy associated with the tunnel-group. Even if you remove the vpn-filter, you will have to bounce the tunnel once to remove the vpn-filter access-list.
Hope that helps
Thanks
Shakti
09-10-2016 08:42 PM
ciscoasa(config)# sh vpn-sessiondb l2l filter ipaddress 63.1.1.5
Session Type: LAN-to-LAN
Connection : 63.1.1.5
Index : 1922 IP Addr : 63.1.1.5
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (3)3DES
Hashing : IKEv1: (1)SHA1 IPsec: (3)SHA1
Bytes Tx : 469081 Bytes Rx : 1974429
Login Time : 00:59:33 UTC Sun Sep 11 2016
Duration : 4h:28m:27s
ciscoasa(config)# sh run tunnel-group 63.1.1.5
tunnel-group 63.1.1.5 type ipsec-l2l
tunnel-group 63.1.1.5 general-attributes
default-group-policy 63.1.1.5
tunnel-group 63.1.1.5 ipsec-attributes
ikev1 pre-shared-key *****
ciscoasa(config)# sh run group-policy 63.1.1.5
group-policy 63.1.1.5 internal
group-policy 63.1.1.5 attributes
vpn-filter value AROW_CAIRO