Site to Site VPN only showing traffic in 1 direction

fosterg_mendo
Level 1

I have a secure dept separated from the main LAN by an ASA  5520.
They have 2 satellite offices in facilities on our WAN.
To maintain separation, both offices use an RV042 to VPN back to the main office.  Remote_Office_1 works, 2 doesn't

The closest matches I've found while searching all mentioned NAT exemptions, but those are already in place for both remote offices.

"show ipsec sa" shows both tunnels connecting.  The tunnel for Remote_Office_2 only registers incoming traffic, no returns.

Trace to Remote_Office_1 shows ASA & RV042.  Trace to Remote_Office_2 fails at ASA.

Packet Tracer shows a DROP on either step 10 or 11

#show name | inc Remote
name 192.168.201.0 Remote_Office_1
name 192.168.202.0 Remote_Office_2


# packet-tracer input Secure_Dept rawip 192.168.101.1 0 192.168.202.1 detail
! Note: 101.1 is l3 switch behind ASA


>>1st time:

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xce6a8fd8, priority=70, domain=encrypt, deny=false
        hits=19681, user_data=0x0, cs_id=0xce689438, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=Remote_Office_2, mask=255.255.255.192, port=0, dscp=0x0

>>2nd onward:

Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xce2316c8, priority=70, domain=encrypt, deny=false
        hits=0, user_data=0x14ad054, cs_id=0xce689438, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=Remote_Office_2, mask=255.255.255.192, port=0, dscp=0x0

Phase: 11
Type: ACCESS-LIST
Subtype: ipsec-user
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xce5eab50, priority=69, domain=ipsec-user, deny=true
        hits=0, user_data=0xce231748, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=Remote_Office_2, mask=255.255.255.192, port=0, dscp=0x0

Result:
input-interface: Secure_Dept
input-status: up
input-line-status: up
output-interface: Primary_LAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Edit (2016-07-27):

Removed problem VPN from ASA, disabled on RV042.  Expanded far end network from /26 to /24 despite there only being 2 PCs onsite.  Recreated VPN on ASA, same procedure as first time, except for the change in netmask.

Now it works.  Not sure what made the difference.

Suggestions have been great, but none was really the "Solution."  Is there another way to mark an issue as "Solved?"


Philip D'Ath
VIP Alumni

Check that a route exists for 192.168.202.0/24 on the ASA out the interface doing the crypto.

Check the encryption domains on the ASA are specified correctly. You have already stated you believe the NAT to be correct.

The issue will almost certainly be on the ASA.

Given the nature of the problem I've checked the routes several times.  Aside from the local ranges everything is routed to our core router via the Main_LAN ("external") interface via 0/0 route or "last resort."  Rechecked before posting & neither remote site overlaps with any of the local ranges.

The encryption domain on the ASA was the mirror of the other end.

Really did seem like it should have been one of those.  I've checked both repeatedly & probably will check them again several more times before sorting this out.

I appreciate the additional eyes.

Try clearing the SA for the VPN not working properly.  What software version are you running on your 5520?

Had tried clearing SA before, but was totally game.  However, due to request to be ready to just route this office on our wan without VPN I had just torn the whole thing down.

Since no one is in that office, there was time for more troubleshooting.  I widened the subnet mask from /26 to /24 & rebuilt so there was something to test against.

This time out it appears to be working.  The mask change shouldn't have done the trick, since the other remote office is /27.  Aside from that change, there shouldn't be any differences.

The ASA is running 8.0(4)28, for what it's worth.
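The exchange above turns on two checks: whether the ASA's encryption domain exactly mirrors the RV042's, and which tunnel's crypto ACL a packet to 192.168.202.1 would match (the "encrypt" lookup in the packet-tracer output, where the rule mask 255.255.255.192 is a /26). The following is an added example, not from the thread or from Cisco; the Secure_Dept network 192.168.101.0/24 and the proxy IDs are constructed from the addresses in the post and are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Encryption domain (crypto ACL) as (local_network, remote_network) pairs,
# each written as the peer that owns the ACL sees it. Constructed sample data.
Domain = List[Tuple[str, str]]

def mirror_mismatches(asa_side: Domain, peer_side: Domain) -> List[str]:
    """Describe entries that are not exact mirrors of each other.

    The ASA's (local, remote) must equal the peer's (remote, local). A /26 on
    one side and a /24 on the other is a proxy-ID mismatch: Phase 1 and Phase 2
    can still come up, but traffic in one direction is dropped, which is what
    the encrypt/ipsec-user DROP lines in packet-tracer look like.
    """
    asa = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in asa_side}
    peer = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in peer_side}
    problems = []
    for local, remote in sorted(asa - peer, key=str):
        problems.append(f"ASA entry {local} -> {remote} has no mirror on the peer")
    for local, remote in sorted(peer - asa, key=str):
        problems.append(f"Peer entry {remote} -> {local} has no mirror on the ASA")
    return problems

def tunnel_for(dst: str, domains: Dict[str, Domain]) -> Optional[str]:
    """Return the tunnel whose remote network contains dst (longest prefix wins),
    mimicking the per-destination 'encrypt' rule selection seen in packet-tracer."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[str, int]] = None
    for name, entries in domains.items():
        for _, remote in entries:
            net = ipaddress.ip_network(remote)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

# Constructed scenario: ASA still carries the original /26 for Remote_Office_2
# while the RV042 at that site advertises its LAN as a /24.
ASA_DOMAINS: Dict[str, Domain] = {
    "Remote_Office_1": [("192.168.101.0/24", "192.168.201.0/27")],
    "Remote_Office_2": [("192.168.101.0/24", "192.168.202.0/26")],
}
RV042_OFFICE_2: Domain = [("192.168.202.0/24", "192.168.101.0/24")]

if __name__ == "__main__":
    for line in mirror_mismatches(ASA_DOMAINS["Remote_Office_2"], RV042_OFFICE_2):
        print(line)
    print(tunnel_for("192.168.202.1", ASA_DOMAINS))
```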

Aditya Ganjoo
Cisco Employee

Hi, 

Could you share the output of show run all sysopt and show run all group-policy ?

Are you using any VPN filters under group-policy ?

Regards,

Aditya

Please rate helpful posts and mark correct answers.