Site-to-Site VPN issue, Phase-2 is not coming up properly and no connectivity

shanilkumar2003
Level 1

Hi all,

I am facing an issue with a Site-to-Site VPN configuration from my HO to one of the remote sites.

My remote site has the LAN subnet 192.168.10.0/24, which we are using in HO also. The remote site wants to access some servers in HO (192.168.200.0/24 & 192.168.80.0/24). So we have done a policy NAT on the remote site ASA to translate the remote site subnet 192.168.10.0/24 to 192.168.175.0/24 while reaching the HO end.


Both VPN phases are coming up, but I am not able to achieve my connectivity. I can see packets being encapsulated at the remote site and decapsulated in HO, but the opposite direction is not happening (i.e. no encapsulation at the HO end & no decapsulation at the remote site end).

One issue I noted at the HO end: "sh crypto ipsec sa" shows a different map attached to it. The crypto map we have for our remote access VPN is showing in the ipsec sa. Please refer to the config and output below.

Crypto map tag: NON-RETAIL-VPN, seq num: 3, local addr: x.x.x.x

      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

I can see hits on my crypto access-list and both phases are coming up. Kindly help to resolve the issue.

Thanks in Advance...

SHANIL

Config from HO ASA
------------------------------
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

crypto ipsec transform-set httsa-morocco-set esp-3des esp-sha-hmac

crypto map ENOCMAP 23 match address acl-httsamorocco
crypto map ENOCMAP 23 set peer x.x.x.x
crypto map ENOCMAP 23 set transform-set httsa-morocco-set
crypto map ENOCMAP 23 set security-association lifetime seconds 28800
crypto map ENOCMAP 23 set reverse-route
crypto map ENOCMAP interface outside
crypto isakmp enable outside

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****

access-list acl-nonat line 127 extended permit ip 192.168.80.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list acl-nonat line 128 extended permit ip 192.168.200.0 255.255.255.0 192.168.175.0 255.255.255.0

access-list acl-httsamorocco line 1 extended permit ip 192.168.200.0 255.255.255.0 192.168.175.0 255.255.255.0 (hitcnt=23)
access-list acl-httsamorocco line 2 extended permit ip 192.168.80.0 255.255.255.0 192.168.175.0 255.255.255.0 (hitcnt=5279)

sh crypto isakmp sa from HO
------------------------

12  IKE Peer: x.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

sh crypto ipsec sa from HO
------------------------------

ENOCDC-FW03# sh crypto ipsec sa peer x.x.x.x
peer address: x.x.x.x
    Crypto map tag: NON-RETAIL-VPN, seq num: 3, local addr:x.x.x.x

      local ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2839, #pkts decrypt: 2839, #pkts verify: 2839
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 5E757945
      current inbound spi : 5EF13ACE

    inbound esp sas:
      spi: 0x5EF13ACE (1592867534)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: NON-RETAIL-VPN
         sa timing: remaining key lifetime (kB/sec): (4373785/26747)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5E757945 (1584757061)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: NON-RETAIL-VPN
         sa timing: remaining key lifetime (kB/sec): (4374000/26745)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: NON-RETAIL-VPN, seq num: 3, local addr: x.x.x.x   // This crypto map is the one for our remote access VPN

      local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 41, #pkts decrypt: 41, #pkts verify: 41
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 35F7B790
      current inbound spi : EE63084D

    inbound esp sas:
      spi: 0xEE63084D (3999467597)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: NON-RETAIL-VPN
         sa timing: remaining key lifetime (kB/sec): (4373997/26924)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x000003FF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x35F7B790 (905426832)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 6619136, crypto-map: NON-RETAIL-VPN
         sa timing: remaining key lifetime (kB/sec): (4374000/26924)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Configuration from Site ASA
---------------------------------------------

static (inside,ouside) 192.168.175.0  access-list policy-nat

access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.1.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list policy-nat extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0


crypto ipsec transform-set enoc-set esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map ENOCMAP 23 match address acl-enoc
crypto map ENOCMAP 23 set peer x.x.x.x
crypto map ENOCMAP 23 set transform-set enoc-set
crypto map ENOCMAP 23 set security-association lifetime seconds 28800
crypto map ENOCMAP 23 set reverse-route
crypto map ENOCMAP interface ouside
crypto isakmp enable ouside

crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****

access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.80.0 255.255.255.0
access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0

ciscoasa# sh crypto isakmp sa

-----------------------------------------------

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


ciscoasa# sh crypto ipsec sa

----------------------------------------------
interface: ouside
    Crypto map tag: ENOCMAP, seq num: 23, local addr: 192.168.20.2

      access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.200.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 59, #pkts encrypt: 59, #pkts digest: 59
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 59, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.168.20.2/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: EE63084D
      current inbound spi : 35F7B790

    inbound esp sas:
      spi: 0x35F7B790 (905426832)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/26325)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xEE63084D (3999467597)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3914996/26325)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: ENOCMAP, seq num: 23, local addr: 192.168.20.2

      access-list acl-enoc extended permit ip 192.168.175.0 255.255.255.0 192.168.80.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.175.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.80.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 3567, #pkts encrypt: 3569, #pkts digest: 3569
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3569, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 1, #recv errors: 0

      local crypto endpt.: 192.168.20.2/4500, remote crypto endpt.: x.x.x.x/4500
      path mtu 1500, ipsec overhead 66, media mtu 1500
      current outbound spi: 5EF13ACE
      current inbound spi : 5E757945

    inbound esp sas:
      spi: 0x5E757945 (1584757061)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3915000/26143)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x5EF13ACE (1592867534)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 57344, crypto-map: ENOCMAP
         sa timing: remaining key lifetime (kB/sec): (3914728/26142)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

2 Accepted Solutions

guibarati
Level 4

Hi,

Clearly the connection is being handled by another crypto map.

Check those:

- Where is your ASA routing the destination network to? (network 192.168.175.0)

- Does the outgoing interface that the route is using have a crypto map? I.e. "NON-RETAIL-VPN"

- If it's routing to the wrong interface, try reconfiguring the route to this destination.

This is most likely your problem. Or at least one of them.

Rate if it helps.


Can you not policy NAT the source subnet from the remote-site to another range other than .175?

If you do a show route on your HO ASA when remote clients are connected you'll see host routes back via the interface the NON-RETAIL-VPN is applied on. These routes will always take preference over your /24 route to the interface ENOCMAP is applied on.

Easiest way to get around this is to use a new subnet for the remote VPN source which is not being used on your HO ASA.

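The two answers above come down to which crypto map entry the HO ASA selects for the 192.168.175.0/24 flows. The script below is an added example, not from the thread or from Cisco: it parses ASA-style crypto map and access-list lines, walks one crypto map set in ascending sequence order the way the ASA does, flags entries whose proxy identities overlap an earlier entry, and shows the effect of renumbering. The map tag OUTSIDEMAP and the ACL name ra-acl are assumptions, and both entries are placed in a single crypto map set; in the thread the maps carry different tags, so the interface binding and route the answers describe also matter and are not modelled here.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the HO config in the thread. The tag OUTSIDEMAP and the
# remote-access ACL name ra-acl are assumed; both entries sit in ONE crypto map set.
CONFIG = """
access-list ra-acl extended permit ip 192.168.200.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list acl-httsamorocco extended permit ip 192.168.200.0 255.255.255.0 192.168.175.0 255.255.255.0
access-list acl-httsamorocco extended permit ip 192.168.80.0 255.255.255.0 192.168.175.0 255.255.255.0
crypto map OUTSIDEMAP 3 match address ra-acl
crypto map OUTSIDEMAP 23 match address acl-httsamorocco
"""
ACL_RE = re.compile(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_RE = re.compile(r"crypto map (\S+) (\d+) match address (\S+)")

def parse(config):
    """Return {map_tag: [(seq, acl_name, [(src_net, dst_net), ...]), ...]} sorted by seq."""
    acls, maps = defaultdict(list), defaultdict(list)
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MAP_RE.match(line):
            tag, seq, acl = m.groups()
            maps[tag].append((int(seq), acl, acls[acl]))  # same list object, so later ACEs still land here
    return {tag: sorted(ents, key=lambda e: e[0]) for tag, ents in maps.items()}

def first_match(crypto_map, src, dst):
    """The ASA walks a crypto map set in ascending seq; the first ACE permitting the flow wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl, aces in crypto_map:
        if any(src in s and dst in d for s, d in aces):
            return seq, acl
    return None

def shadowed(crypto_map):
    """(lower_seq, higher_seq) pairs whose proxy identities overlap: the higher entry never wins those flows."""
    pairs = []
    for i, (lo, _, lo_aces) in enumerate(crypto_map):
        for hi, _, hi_aces in crypto_map[i + 1:]:
            if any(s1.overlaps(s2) and d1.overlaps(d2) for s1, d1 in lo_aces for s2, d2 in hi_aces):
                pairs.append((lo, hi))
    return pairs

def renumber(crypto_map, acl, new_seq):
    """Give the entry bound to `acl` a new sequence number and re-sort, as the thread's fix did."""
    return sorted([(new_seq if a == acl else seq, a, aces) for seq, a, aces in crypto_map], key=lambda e: e[0])
```

Within a single set, the L2L entry only takes over the overlapping flows once its new sequence number is below the entry that shadows it, so check `shadowed()` before picking the number.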

3 Replies


Thanks guys for the suggestions.

I just reconfigured the crypto map with a lower sequence number (changed from 23 to 9) and the VPN is working smoothly now.

Thanks all

Shanil