Site-to-site VPN is up but interesting traffic is not passing through it

hashimwajid1
Level 3

Hi all,

I have configured a site-to-site VPN with IKEv1 on an ASA 5525-X firewall. The tunnel shows up, but I am not able to ping the remote network.

When I do a traceroute from the host PC to the remote IP, it just goes to the core switch SVI that is the host's gateway, and after that it doesn't find the remote IP.

When I do a packet capture, it doesn't show any traffic.

Here are the configuration, packet-tracer and packet-capture output:

RMGVASA01/act/pri#
RMGVASA01/act/pri# sh crypto isakmp sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 89.197.35.212
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs
RMGVASA01/act/pri#

RMGVASA01/act/pri# sh crypto ipsec sa
interface: outside
Crypto map tag: dyn-map, seq num: 5, local addr: FW-Outside-91.74.158.226

access-list outside_HayHill_cryptomapy extended permit ip 172.20.10.0 255.255.255.0 10.100.100.0 255.255.255.0
local ident (addr/mask/prot/port): (Server-VLAN-172.20.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.100.100.0/255.255.255.0/0/0)
current_peer: 89.197.35.212


#pkts encaps: 2416, #pkts encrypt: 2416, #pkts digest: 2416
#pkts decaps: 2739, #pkts decrypt: 2739, #pkts verify: 2739
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2416, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: FW-Outside-91.74.158.226/0, remote crypto endpt.: 89.197.35.212/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A76380D6
current inbound spi : 9D1ECF91

inbound esp sas:
spi: 0x9D1ECF91 (2636042129)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 430080, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373437/1132)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xA76380D6 (2808316118)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 430080, crypto-map: dyn-map
sa timing: remaining key lifetime (kB/sec): (4373357/1132)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

RMGVASA01/act/pri#


RMGVASA01/act/pri# sh running-config crypto
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set myset esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set DR-VPN esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal tset
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map mymap 8 set ikev1 transform-set myset ESP-DES-SHA ESP-3DES-SHA ESP-DES-MD5
crypto dynamic-map mymap 8 set reverse-route
crypto map dyn-map 5 match address outside_HayHill_cryptomapy
crypto map dyn-map 5 set pfs
crypto map dyn-map 5 set peer 89.197.35.212
crypto map dyn-map 5 set ikev1 transform-set transform-amzn
crypto map dyn-map 5 set security-association lifetime seconds 3600
crypto map dyn-map 10 ipsec-isakmp dynamic mymap
crypto map dyn-map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto ikev1 policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 255
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
RMGVASA01/act/pri#
RMGVASA01/act/pri#
RMGVASA01/act/pri#

RMGVASA01/act/pri# packet-tracer input inside icmp 172.20.10.82 8 0 10.100.100.245 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd90349570, priority=13, domain=capture, deny=false
hits=1750353, user_data=0x7fcd9034a7a0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd87c2ca80, priority=1, domain=permit, deny=false
hits=1180521, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 91.74.158.225 using egress ifc outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd8fcbf7b0, priority=13, domain=permit, deny=false
hits=8533, user_data=0x7fcd8f8ce9c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic NAT_INSIDE interface
Additional Information:
Dynamic translate UTIL-172.20.10.82/0 to FW-Outside-91.74.158.226/25302
Forward Flow based lookup yields rule:
in id=0x7fcd88e44420, priority=6, domain=nat, deny=false
hits=23526, user_data=0x7fcd88e42e00, cs_id=0x0, flags=0x0, protocol=0
src ip/id=Server-VLAN-172.20.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd871cc1d0, priority=0, domain=nat-per-session, deny=true
hits=59428, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd87c35c20, priority=0, domain=inspect-ip-options, deny=true
hits=60663, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 8
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map SFR
match access-list SFR
policy-map global_policy
class SFR
sfr fail-open
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd88b0bd50, priority=71, domain=sfr, deny=false
hits=49340, user_data=0x7fcd88b057f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd88b902e0, priority=70, domain=inspect-icmp, deny=false
hits=14428, user_data=0x7fcd88b8e4b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fcd87c35430, priority=66, domain=inspect-icmp-error, deny=false
hits=18012, user_data=0x7fcd87c349a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source dynamic NAT_INSIDE interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fcd88e45120, priority=6, domain=nat-reverse, deny=false
hits=23731, user_data=0x7fcd88e42f10, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=Server-VLAN-172.20.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd871cc1d0, priority=0, domain=nat-per-session, deny=true
hits=59430, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fcd87bceb00, priority=0, domain=inspect-ip-options, deny=true
hits=55737, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside, output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 66191, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_sfr
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_sfr
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

RMGVASA01/act/pri#

RMGVASA01/act/pri#capture IN interface inside match icmp 172.20.10.80 255.255.255.255 10.100.100.245 255.255.255.255

RMGVASA01/act/pri# sh capture IN

0 packet captured

0 packet shown

4 Replies

Aditya Ganjoo
Cisco Employee

Hi,

Phase 2 seems up, but the packet tracer does not show a VPN encryption phase.

Are you using any NAT statements for VPN?

Also try using a NAT statement for this VPN traffic:

nat (inside,outside) 1 source static obj-172.20.10.0 obj-172.20.10.0 destination static obj-10.100.100.0 obj-10.100.100.0

Regards,

Aditya

Please rate helpful posts and mark correct answers.

Hi Aditya,

The NAT statement is already there:

nat (inside,outside) source static VPN_DXB_NOD4 VPN_DXB_NOD4 destination static OBJ-10.100.100.0 OBJ-10.100.100.0 no-proxy-arp route-lookup

object-group network VPN_DXB_NOD4
network-object Server-VLAN-172.20.10.0 255.255.255.0
network-object User-VLAN-192.168.1.0 255.255.255.0
network-object WiFi-192.168.58.0 255.255.255.0

Thanks for the comment.

Hi,

I do not see either the NAT statement getting hit nor the VPN phase in the packet tracer.

Could you move this NAT statement to line 1 and test?

Regards,

Aditya
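The following is an added example, not code from the thread or from Cisco, that reproduces the reasoning behind Aditya's two replies. On an ASA, manual (section 1) NAT rules are evaluated top-down with first match winning, and the crypto map ACL is compared against the packet after NAT. So if the dynamic PAT rule (`nat (inside,outside) source dynamic NAT_INSIDE interface`) sits above the identity rule for `VPN_DXB_NOD4`, the source 172.20.10.82 is rewritten to the outside address before the crypto ACL is consulted, the ACL no longer matches, and packet-tracer shows a "Dynamic translate" NAT phase and no VPN phase. The first-match model, the rule names, the sample packet-tracer text and all function names are this example's own constructions; the addresses come from the thread.

```python
"""Added example (not from the thread): why NAT rule order hides VPN traffic.

1. A first-match model of ASA manual NAT ordering shows that the dynamic PAT rule,
   when placed above the identity (NAT-exempt) rule, changes the source before the
   crypto ACL is evaluated, so the flow never enters the tunnel.
2. A small parser over packet-tracer output flags the same symptom: a
   "Dynamic translate" line and no phase of Type VPN.
Rule names, sample output and function names are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str        # real source network the rule matches
    dst: str        # destination network the rule matches ("0.0.0.0/0" = any)
    identity: bool  # True: static identity NAT (source kept); False: dynamic PAT


# Crypto ACL from the thread: local 172.20.10.0/24 to remote 10.100.100.0/24.
CRYPTO_LOCAL = ipaddress.ip_network("172.20.10.0/24")
CRYPTO_REMOTE = ipaddress.ip_network("10.100.100.0/24")
OUTSIDE_IP = "91.74.158.226"  # interface PAT address from the thread

# The two NAT rules discussed in the thread (names constructed for this example).
PAT = NatRule("dynamic PAT NAT_INSIDE -> interface", "172.20.10.0/24", "0.0.0.0/0", False)
EXEMPT = NatRule("identity NAT VPN_DXB_NOD4", "172.20.10.0/24", "10.100.100.0/24", True)


def first_match(rules, src_ip, dst_ip):
    """ASA manual NAT: rules are checked top-down, the first match is applied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in ipaddress.ip_network(rule.src) and d in ipaddress.ip_network(rule.dst):
            return rule
    return None


def post_nat_source(rules, src_ip, dst_ip):
    """Source address as seen after NAT: unchanged for identity NAT or no match."""
    rule = first_match(rules, src_ip, dst_ip)
    if rule is None or rule.identity:
        return src_ip
    return OUTSIDE_IP


def hits_crypto_acl(rules, src_ip, dst_ip):
    """Crypto ACL lookup happens on the post-NAT packet, so PAT above the
    exemption rule takes the flow out of the tunnel."""
    src = ipaddress.ip_address(post_nat_source(rules, src_ip, dst_ip))
    return src in CRYPTO_LOCAL and ipaddress.ip_address(dst_ip) in CRYPTO_REMOTE


# --- packet-tracer output check -------------------------------------------
PHASE_TYPE_RE = re.compile(r"^Phase:\s*\d+\nType:\s*(\S+)", re.M)
DYN_XLATE_RE = re.compile(r"Dynamic translate \S+ to \S+")


def diagnose_packet_tracer(output):
    """Return which of the two symptoms from the thread are present."""
    types = PHASE_TYPE_RE.findall(output)
    return {
        "vpn_phase": "VPN" in types,
        "dynamic_pat": DYN_XLATE_RE.search(output) is not None,
    }


# Constructed, shortened packet-tracer excerpts modelled on the thread's output.
TRACE_BROKEN = """Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic NAT_INSIDE interface
Additional Information:
Dynamic translate UTIL-172.20.10.82/0 to FW-Outside-91.74.158.226/25302

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
"""

TRACE_FIXED = """Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static VPN_DXB_NOD4 VPN_DXB_NOD4 destination static OBJ-10.100.100.0 OBJ-10.100.100.0 no-proxy-arp route-lookup
Additional Information:
Static translate 172.20.10.82/0 to 172.20.10.82/0

Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
"""

if __name__ == "__main__":
    for order, label in (([PAT, EXEMPT], "PAT first"), ([EXEMPT, PAT], "exemption first")):
        print(label, "-> in tunnel:", hits_crypto_acl(order, "172.20.10.82", "10.100.100.245"))
    print("broken trace:", diagnose_packet_tracer(TRACE_BROKEN))
    print("fixed trace: ", diagnose_packet_tracer(TRACE_FIXED))
```

Running it with the PAT rule first reports the flow as outside the tunnel and the broken trace as "dynamic PAT, no VPN phase"; with the exemption rule moved to line 1 the same flow keeps its real source and matches the crypto ACL, which is the change the accepted reply asks for.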

Thanks Aditya,

it solved my problem.