Site to Site VPN issue

rajesh.yadla
Level 1

Hi All,

I am trying to set up the site-to-site VPN from the head office to the branch office. The head office has ASA1 and the branch office has ASA2. ASA1 is configured with remote VPN and site-to-site VPN. Remote VPN works fine. ASA2 is configured with only site-to-site VPN. Both ASAs are 5505.

Phase 1 is successfully completed and it shows MM_ACTIVE in both ASAs. But I am not able to ping from a PC at one site to the other site. If you see the results at the bottom, it shows the head office ASA1 is able to decrypt the packets but not able to encrypt.

The branch office ASA2 is able to encrypt the packets but not able to decrypt.

When I tried packet tracer, the packet was dropped saying VPN lookup. I have attached it with the case.

Could someone help me on this.

ASA1

route x.x..1.0 255.255.255.0 [1/0] via Outside-Network, outside

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP

crypto dynamic-map IPSEC-VPN 10 set transform-set esp-3des esp-sha-hmac

crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map DIV-MAP 20 match address S2S

crypto map DIV-MAP 20 set peer 2.2.2.2

crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac

IKE Peer: 2.2.2.2

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: RVPN-MAP, seq num: 10, local addr: Outside-Network

      local ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)

      current_peer: 2.2.2.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Outside-Network, remote crypto endpt.:2.2.2.2

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: AC93D2BC

    inbound esp sas:

      spi: 0xE2A3F913 (3802396947)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

         slot: 0, conn_id: 263, crypto-map: RVPN-MAP

ASA2:

route x.x.100.0 255.255.255.0 [1/0] via Outside-Network, outside

tunnel-group 1.1.1.1 type ipsec-l2l

tunnel-group 1.1.1.1 ipsec-attributes

crypto map DIV-MAP 10 ipsec-isakmp dynamic RVPN-MAP

crypto dynamic-map IPSEC-VPN 10 set transform-set esp-3des esp-sha-hmac

crypto dynamic-map IPSEC-VPN 10 set reverse-route

crypto map DIV-MAP 20 match address S2S

crypto map DIV-MAP 20 set peer 1.1.1.1

crypto map DIV-MAP 20 set transform-set esp-3des esp-sha-hmac

IKE Peer: 1.1.1.1

    Type    : L2L             Role    : Initiator

    Rekey   : no              State   : MM_ACTIVE

Crypto map tag: S-MAP, seq num: 1, local addr: 99.76.209.61

    local ident (addr/mask/prot/port): (x.x.1.0/255.255.255.0/0/0)

    remote ident (addr/mask/prot/port): (x.x.100.0/255.255.255.0/0/0)

    current_peer: 1.1.1.1

    #pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 89, #pkts comp failed: 0, #pkts decomp failed: 0

    #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

    #send errors: 0, #recv errors: 0

    local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1

    path mtu 1500, ipsec overhead 58, media mtu 1500

    current outbound spi: E2A3F913

  inbound esp sas:

    spi: 0xAC93D2BC (2895368892)

       transform: esp-3des esp-sha-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 198, crypto-map: S-MAP

       sa timing: remaining key lifetime (kB/sec): (4275000/26421)

       IV size: 8 bytes

       replay detection support: Y

  outbound esp sas:

    spi: 0xE2A3F913 (3802396947)

       transform: esp-3des esp-sha-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 198, crypto-map: S-MAP

       sa timing: remaining key lifetime (kB/sec): (4274992/26421)

20 Replies

Hi Wajih,

Thanks for your reply.

When I try the above access-list it gives the below error on both ASAs:

ERROR: Capture does not exist

Cry ipsec SA

ASA1

Crypto map tag: DIV-MAP, seq num: 20, local addr: Outside-Network

      access-list S2S permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      current_peer: xx.xx.209.61

      #pkts encaps: 6230, #pkts encrypt: 6233, #pkts digest: 6233

      #pkts decaps: 13733, #pkts decrypt: 13733, #pkts verify: 13733

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 6230, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 3, #pre-frag failures: 0, #fragments created: 6

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 6

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Outside-Network, remote crypto endpt.: xx.xx.209.61

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 056E4488

    inbound esp sas:

      spi: 0x254F024C (625934924)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

ASA 2

Crypto map tag: DIV-MAP, seq num: 20, local addr: Outside-Network

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.35.0/255.255.255.0/0/0)

      current_peer: xx.xx.101.90

      #pkts encaps: 13739, #pkts encrypt: 13739, #pkts digest: 6233

      #pkts decaps: 6233, #pkts decrypt: 6233, #pkts verify: 13733

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 6230, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 3, #pre-frag failures: 0, #fragments created: 6

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 6

      #send errors: 0, #recv errors: 0

      local crypto endpt.: Outside-Network, remote crypto endpt.: xx.xx.101.90

      path mtu 1500, ipsec overhead 58, media mtu 1500

      current outbound spi: 056E4488

    inbound esp sas:

      spi: 0x254F024C (625934924)

         transform: esp-3des esp-sha-hmac none

         in use settings ={L2L, Tunnel, }

Hi Rajesh,

It seems you forgot to enter this command:

capture capin access-list capin interface inside

Regards,

Wajih

Hi Wajih,

Sorry, that was my bad... Here is the result:

ASA1

   1: 07:07:17.799275 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   2: 07:07:23.298858 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   3: 07:07:28.797947 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   4: 07:07:34.297027 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   5: 07:07:39.796620 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   6: 07:07:45.296249 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   7: 07:07:50.795292 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   8: 07:07:56.294921 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   9: 07:08:01.794499 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  10: 07:08:07.293594 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  11: 07:08:12.792653 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  12: 07:08:18.292785 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  13: 07:08:23.791340 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  14: 07:08:29.291458 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  15: 07:08:34.790501 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request


=================================================================
ASA2

   1: 01:47:14.927884 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   2: 01:47:20.170614 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   3: 01:47:25.670039 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   4: 01:47:31.169607 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   5: 01:47:36.669032 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   6: 01:47:42.168524 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   7: 01:47:47.668025 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   8: 01:47:53.167548 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   9: 01:47:58.666972 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  10: 01:48:04.166495 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  11: 01:48:09.665950 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  12: 01:48:15.165488 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  13: 01:48:20.664943 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  14: 01:48:26.164404 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  15: 01:48:31.663875 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  16: 01:48:37.163413 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  17: 01:48:42.662868 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  18: 01:48:48.162390 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  19: 01:48:53.661846 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  20: 01:48:59.161368 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  21: 01:49:04.660793 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  22: 01:49:10.160361 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  23: 01:49:15.659755 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  24: 01:49:21.159308 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  25: 01:49:26.658794 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  26: 01:49:32.158301 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  27: 01:49:37.657696 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  28: 01:49:43.157371 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  29: 01:49:48.682078 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
  30: 01:49:54.156257 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request

Hi Rajesh,

I understand now what is going on; there is no issue with the ASA or the VPN, they are fine, because the echo request gets out of the firewall and the firewall didn't receive a reply. Is there any router or L3 switch behind the firewall? If yes, you have to add a static route on it for subnet 192.168.35.0/24 at site 1 and 192.168.1.0/24 at site 2; the next hop should be the inside interface of the firewall.

Regards,

Wajih
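
The two symptoms discussed in this thread (asymmetric encaps/decaps counters on an MM_ACTIVE tunnel, and echo requests on the inside capture with no replies) can be checked mechanically. The script below is an added example, not code from the thread; it parses constructed `show crypto ipsec sa` and `show capture` samples modelled on the output above and classifies which direction is broken.

```python
import re
from collections import Counter

# Constructed samples modelled on the thread's "show crypto ipsec sa" and
# "show capture capin" output (not copied from the posts above).
ASA1_SA = """
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 89, #pkts decrypt: 89, #pkts verify: 89
"""
ASA2_SA = """
    #pkts encaps: 89, #pkts encrypt: 89, #pkts digest: 89
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
CAPIN = """
   1: 07:07:17.799275 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
   2: 07:07:23.298858 802.1Q vlan#1 P0 192.168.1.100 > 192.168.35.110: icmp: echo request
"""

def sa_counters(text):
    """Pull the encaps/decaps counters out of 'show crypto ipsec sa' output."""
    found = dict(re.findall(r"#pkts (encaps|decaps): (\d+)", text))
    return {k: int(found.get(k, 0)) for k in ("encaps", "decaps")}

def diagnose_sa(local, remote):
    """Classify a tunnel from both peers' counters. The thread's case is
    local encaps 0 / remote decaps 0 while the other direction flows: the
    return traffic never reaches the local ASA's crypto map."""
    if local["encaps"] and local["decaps"] and remote["encaps"] and remote["decaps"]:
        return "bidirectional"
    if not (local["encaps"] or local["decaps"]):
        return "no-traffic: nothing matched the crypto ACL on the local side"
    if local["encaps"] == 0 and remote["decaps"] == 0:
        return "local-never-encrypts: replies never hit the local crypto map (check inside routing toward the ASA)"
    if local["decaps"] == 0 and remote["encaps"] == 0:
        return "local-never-decrypts: the remote side is not sending (check remote crypto map/routing)"
    return "inconsistent counters: re-check both sides"

def capture_summary(text):
    """Count ICMP echo requests/replies per (src, dst) in 'show capture' output."""
    c = Counter()
    for src, dst, kind in re.findall(r"(\S+) > (\S+): icmp: echo (request|reply)", text):
        c[(src, dst, kind)] += 1
    return c

def unanswered_requests(counts):
    """Requests with no matching reply: the ping left the ASA, the answer never came back."""
    return {(s, d): n for (s, d, k), n in counts.items()
            if k == "request" and counts[(d, s, "reply")] == 0}
```

Feed each ASA's own counters as `local` and the peer's as `remote`; a non-empty result from `unanswered_requests` on the inside capture points at the return path behind the firewall, which is exactly the missing static route found in this thread.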

Hi Wajih,

Thank you so much for all your help and assistance. I really appreciate your support resolving this issue.

Issue has been resolved.

It was an issue with the route in the router; we have corrected it and everything seems to be working fine.

Once again thank you very much... :-)

Regards,

Rajesh

Hi Rajesh,

I am happy to hear that it is working.

Thanks for the rating.

Regards,

Wajih