07-26-2011 04:12 PM
Hi All,
I am trying to set up a site-to-site VPN from the head office to the branch office. The head office has ASA1 and the branch office has ASA2. ASA1 is configured with remote VPN and site-to-site VPN. The remote VPN works fine. ASA2 is configured with only the site-to-site VPN. Both ASAs are 5505s.
Phase 1 completes successfully and shows MM_ACTIVE on both ASAs, but I am not able to ping from a PC at one site to the other. If you look at the results at the bottom, the head office ASA1 is able to decrypt the packets but not able to encrypt.
The branch office ASA2 is able to encrypt the packets but not able to decrypt.
When I tried packet tracer, the packet was dropped saying VPN lookup. I have attached it with the case.
Could someone help me on this.
ASA1
route x.x..1.0 255.255.255.0 [1/0] via Outside-Network, outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP
crypto dynamic-map IPSEC-VPN 10 set transform-set esp-3des esp-sha-hmac
crypto dynamic-map IPSEC-VPN 10 set reverse-route
crypto map DIV-MAP 20 match address S2S
crypto map DIV-MAP 20 set peer 2.2.2.2
crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac
IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network
local ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Outside-Network, remote crypto endpt.:2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: AC93D2BC
inbound esp sas:
spi: 0xE2A3F913 (3802396947)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 263, crypto-map: RVPN-MAP
ASA2:
route x.x.100.0 255.255.255.0 [1/0] via Outside-Network, outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP
crypto dynamic-map IPSEC-VPN 10 set transform-set esp-3des esp-sha-hmac
crypto dynamic-map IPSEC-VPN 10 set reverse-route
crypto map DIV-MAP 20 match address S2S
crypto map DIV-MAP 20 set peer 1.1.1.1
crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac
IKE Peer: 1.1.1.1
Type : L2L Role : Initiator
Rekey : no State : MM_ACTIVE
Crypto map tag: S-MAP, seq num: 1, local addr: 99.76.209.61
local ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 89, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E2A3F913
inbound esp sas:
spi: 0xAC93D2BC (2895368892)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 198, crypto-map: S-MAP
sa timing: remaining key lifetime (kB/sec): (4275000/26421)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0xE2A3F913 (3802396947)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 198, crypto-map: S-MAP
sa timing: remaining key lifetime (kB/sec): (4274992/26421)
07-28-2011 03:58 AM
Hi Rajesh,
I understand now what is going on; there is no issue with the ASA or the VPN, they are fine, because the echo request gets out of the firewall and the firewall doesn't receive a reply. Is there any router or L3 switch behind the firewall? If yes, you have to add a static route on it for subnet 192.168.35.0/24 at site 1 and 192.168.1.0/24 at site 2; the next hop should be the inside interface of the firewall.
Regards,
Wajih
07-27-2011 02:40 AM
Hi Rajesh,
Your issue is with this command line in ASA1:
"crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP"
It seems that it is used for the remote VPN. It has sequence number "10", which has higher priority than the L2L VPN, whose sequence number is "20". So the L2L connection is going through RVPN-MAP, not through "DIV-MAP 20". This is clear in your outputs:
IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network
local ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: Outside-Network, remote crypto endpt.:2.2.2.2
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: AC93D2BC
inbound esp sas:
spi: 0xE2A3F913 (3802396947)
transform: esp-3des esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 263, crypto-map: RVPN-MAP
RVPN-MAP is a dynamic map; it can accept any request, so it is recommended to give it the highest sequence number, which is 65535. Your issue should be solved after applying the following commands:
no crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP
crypto map DIV-MAP 65535 ipsec-isakmp dynamic RVPN-MAP
clear crypto isa sa
clear crypto ipsec sa
Regards,
Wajih
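An added example, not code from the thread: a small Python parser over the `show crypto ipsec sa` output Rajesh posted that flags the two things Wajih spotted, a site-to-site SA tagged with the dynamic (remote-access) map and one-way encaps/decaps counters. It generalizes to output with several SA blocks; the set of dynamic map names is an assumption taken from the posted config.

```python
import re

# Constructed sample, abridged from the ASA1 output posted in the question
# (only the lines the diagnosis needs are kept).
SHOW_IPSEC_SA_ASA1 = """\
Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network
local ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
#send errors: 0, #recv errors: 0
"""

# Assumption: crypto maps the thread identifies as dynamic (remote-access) maps.
# A site-to-site SA should never end up tagged with one of these.
DYNAMIC_MAPS = {"RVPN-MAP"}

def parse_sas(text):
    """Split 'show crypto ipsec sa' output into SA blocks and pull out the
    fields needed for the diagnosis: map tag, sequence number, peer, counters."""
    sas = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        m = re.search(r"Crypto map tag: (\S+), seq num: (\d+)", block)
        if not m:
            continue
        sa = {"map": m.group(1), "seq": int(m.group(2))}
        sa["peer"] = re.search(r"current_peer: (\S+)", block).group(1)
        for name in ("encaps", "decaps"):
            sa[name] = int(re.search(rf"#pkts {name}: (\d+)", block).group(1))
        sas.append(sa)
    return sas

def diagnose(text, dynamic_maps=DYNAMIC_MAPS):
    """Return (peer, findings) per SA. 'l2l-on-dynamic-map' reproduces Wajih's
    finding; 'receive-only'/'send-only' flag the one-way counters Rajesh saw."""
    results = []
    for sa in parse_sas(text):
        findings = []
        if sa["map"] in dynamic_maps:
            findings.append("l2l-on-dynamic-map")
        if sa["encaps"] == 0 and sa["decaps"] > 0:
            findings.append("receive-only")
        elif sa["decaps"] == 0 and sa["encaps"] > 0:
            findings.append("send-only")
        results.append((sa["peer"], findings))
    return results

if __name__ == "__main__":
    print(diagnose(SHOW_IPSEC_SA_ASA1))
```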
07-27-2011 04:57 AM
I have tried this. Now it encrypted 18 packets, then the counter stopped increasing. My issue is that I am not able to ping any hosts from one site to the other. When I debug ICMP, I only see the ping requests on both sides but no reply.
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=45574 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=45830 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=46086 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=46342 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=46598 len=32
The head office network is 192.168.35.0 and the branch office network is 192.168.1.0.
Can you please help me fix it so that both centers can connect to each other?
07-27-2011 05:20 AM
Hi Rajesh,
Could you please provide full configuration on both ASA?
Regards,
Wajih
07-27-2011 05:56 AM
Hi,
I have attached the configuration for both ASAs with the ticket. Now I can see that both ASAs are allowing packets to the outside, but I am not able to ping any of the internal devices.
07-27-2011 07:42 AM
Hi Rajesh,
I had a look at your configuration and found an access-group applied on the outside interface named "OUT_ACL", but I cannot find the access-list rules in the provided configuration.
Anyway, you can add the following command to allow VPN traffic to pass through the firewalls:
sysopt connection permit-vpn
This command allows packets from an IPsec tunnel and their payloads to bypass interface ACLs on the security appliance.
Regards,
Wajih
07-27-2011 08:00 AM
Hi Wajih,
Thank you so much for your assistance. I have entered the command but still I am not able to ping. Now packets are getting encrypted and decrypted, but I am not able to ping the hosts.
When I try to ping it gives:
ASA1
Result of the command: "ping inside 192.168.1.100"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.35.110, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA2
Result of the command: "ping inside 192.168.35.110"
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.35.110, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
By the way, the OUT_ACL entries are as below:
access-list OUT_ACL extended permit ip any host Outside-Network
access-list OUT_ACL extended permit tcp any host OutsideWebAddress eq www
access-list OUT_ACL extended permit tcp any host OutsideWebAddress eq https
access-list OUT_ACL extended permit tcp any host OutsideMailAddress eq https
Please help me.
07-27-2011 08:14 AM
Hi Rajesh,
Kindly be advised that a ping from the inside interface of ASA1 to the inside interface of ASA2 is not allowed by default; please use hosts connected to the inside interfaces and let them ping each other.
If you insist on pinging the inside interface, please use the following commands:
no management-access mgmt_if
management-access inside
This command allows management access to an interface other than the one from which you entered the security appliance when using IPSec VPN.
Regards,
Wajih
07-27-2011 08:31 AM
Hi Wajih,
Thank you for the quick reply. I didn't know that. My main issue is that I am not able to ping from a PC at one site to a PC at the other.
I am getting the request when I debug ICMP on both ASAs, but they are not sending a reply.
Regards,
Rajesh
07-27-2011 09:07 AM
Hi Rajesh,
Please answer the following questions:
Are you able to ping the ASA inside interfaces from each host?
Please run the command "show route" and send me the outputs from each ASA.
Also please be advised that the following route commands are not configured properly: the next-hop IP address should be the IP address of the device connected to the outside interface of the ASA; it is not recommended to configure the outside IP address as the next hop:
ASA1:
For example (ASA1(2.2.2.2)-------------(2.2.2.1)Router), the configuration should be:
route outside 0.0.0.0 0.0.0.0 2.2.2.1
route outside 192.168.1.0 255.255.255.0 2.2.2.1
The following configuration is wrong:
route outside 0.0.0.0 0.0.0.0 2.2.2.2
route outside 192.168.1.0 255.255.255.0 2.2.2.2
ASA2:
The same thing for ASA2, the following configuration is wrong:
route outside 0.0.0.0 0.0.0.0 1.1.1.1
route outside 192.168.35.0 255.255.255.0 1.1.1.1
Please fix them.
Regards,
Wajih
07-27-2011 09:54 AM
Hi Wajih,
That was set up properly; I changed my config as per my client's security request. I am posting the route info.
I am able to ping my ASA interface from any device on the inside network. I am even able to ping all the devices when I connect with VPN too, so there are no connectivity issues to the ASA gateway as far as I know.
C xx.xx.101.88 255.255.255.248 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 192.168.50.0 255.255.255.0 is directly connected, dmz
C 192.168.35.0 255.255.255.0 is directly connected, inside
S 192.168.1.0 255.255.255.0 [1/0] via xx.xx.101.89, outside
S* 0.0.0.0 0.0.0.0 [1/0] via xx.xx.101.89, outside
outside interface xx.xx.101.90
Regards,
Rajesh
07-27-2011 04:09 PM
Hi all,
Could someone help me on this. It is an urgent issue. I don't know why we are not able to connect to each other's internal machines.
See the debug ICMP messages:
ASA1 :
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10253 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10509 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10765 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11021 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11277 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11533 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=11789 len=32
ASA2 :
ICMP echo request from outside:192.168.35.110 to inside:192.168.1.100 ID=512 seq=10253 len=32
ICMP echo request from outside:192.168.35.110 to inside:192.168.1.100 ID=512 seq=10509 len=32
ICMP echo request from outside:192.168.35.110 to inside:192.168.1.100 ID=512 seq=10765 len=32
Both ASAs are getting the request but no reply. Please help me.
Regards,
Rajesh.Yadla
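An added example, not part of the thread: pairing the `debug icmp trace` request lines posted above with reply lines to list the echo requests that never got an answer, which is the symptom both of Rajesh's debug posts show. The reply-line format is an assumption (request format with source and destination swapped), and the reply line in the sample is constructed.

```python
import re

# Constructed sample: the first three ASA1 request lines Rajesh posted, plus one
# reply line in the assumed matching format so that the pairing has a hit.
DEBUG_ICMP_ASA1 = """\
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10253 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10509 len=32
ICMP echo reply from inside:192.168.35.110 to outside:192.168.1.100 ID=512 seq=10509 len=32
ICMP echo request from outside:192.168.1.100 to inside:192.168.35.110 ID=512 seq=10765 len=32
"""

LINE_RE = re.compile(
    r"ICMP echo (request|reply) from (\w+):(\S+) to (\w+):(\S+) ID=(\d+) seq=(\d+)")

def unanswered_requests(text):
    """Return the (src, dst, id, seq) keys of echo requests with no matching reply.
    A reply is matched to its request by swapping its addresses back, so the
    key is always kept in request orientation."""
    requests, replies = [], set()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        kind, _src_if, src, _dst_if, dst, ident, seq = m.groups()
        if kind == "request":
            requests.append((src, dst, ident, seq))
        else:
            replies.add((dst, src, ident, seq))
    return [key for key in requests if key not in replies]

def summarize(text):
    """Group unanswered requests by (src, dst) so a one-directional hole, like
    the one in this thread, shows up as a single counted flow."""
    counts = {}
    for src, dst, _ident, _seq in unanswered_requests(text):
        counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts

if __name__ == "__main__":
    print(summarize(DEBUG_ICMP_ASA1))
```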
07-28-2011 01:17 AM
Hi Rajesh,
Are you sure that the access list applied on the inside interface is only the following ACL rule:
access-list IN_ACL extended permit ip any any
07-28-2011 01:22 AM
Hi Wajih,
Yes, I have added this access list because of these connection issues. I have applied it on both ASAs' internal interfaces.
It's strange; I have re-configured the ASA too and still have the same issue.
Regards,
Rajesh
07-28-2011 01:49 AM
Hi Rajesh,
We need to run some captures to understand what is going on:
Step 1: Please run the following commands on both ASAs:
access-list capin extended permit icmp 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list capin extended permit icmp 192.168.1.0 255.255.255.0 192.168.35.0 255.255.255.0
capture capin access-list capin interface inside
Step 2: Run a ping request from a host behind the firewall.
Step 3: Run the following command on both ASAs and provide me with the outputs:
show cap capin
Also please provide me with:
show crypto ipsec sa
Regards,
Wajih