TCP over cisco ASA IPSEC tunnel broken pipe

Javier Tafalla
Level 1

Hi there!

I have a running VPN between a StoneGate and a Cisco ASA 5505.

The tunnel is up and running, ISAKMP SA and IPsec established without any problem, but I have a weird behavior inside the tunnel.

My side is the Cisco one running 8.2; the IPsec tunnel is not NAT-T, but IP connectivity is NATed due to network overlap.

My conf is as follows:

interface Vlan1
description interfaz private
nameif inside
security-level 100
ip address X.X.X.X X.X.X.X

interface Vlan2
description interfaz PUBLIC
nameif outside
security-level 0
ip address X.X.X.X X.X.X.X

object-group network DESTINATION

network-object host X.X.X.X

access-list NAT extended permit ip NAT_RANGE object-group DESTINATION

access-list interna extended permit ip object-group INTERNAL_REAL_NET object-group DESTINATION

access-list outside_access_in extended permit ip any any

access-list inside_access_in extended permit ip any any

mtu inside 1500
mtu outside 1500

global (outside) 5 NAT_RANGE

nat (inside) 5 access-list INTERNAL_REAL_NET
access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

crypto map outside_map 20 match address new
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer STONEGATE_IP
crypto map outside_map 20 set transform-set myset
crypto map outside_map 20 set security-association lifetime seconds 7200

crypto map outside_map interface outside

crypto isakmp identity address
crypto isakmp enable outside

crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 1440

tunnel-group STONEGATE_IP type ipsec-l2l
tunnel-group STONEGATE_IP ipsec-attributes
pre-shared-key *****
isakmp keepalive disable

class-map tcp_bypass
match access-list NAT

policy-map tcp_bypass_policy
class tcp_bypass
set connection advanced-options tcp-state-bypass

service-policy tcp_bypass_policy interface inside

So the tunnel is up, and I am able to SSH to remote hosts, but after authentication the connection is closed.

The "funny" thing is that SSH is working, I get the SSH prompt, but as soon as I type the password I get a broken pipe. Randomly, sometimes (a few times) it works, but in 99% of the cases it does not.

My SSH client debug dies here:

debug2: channel 0: request shell confirm 1
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
packet_write_wait: Connection to UNKNOWN: Broken pipe

Debugging on the StoneGate side we see there are a lot of drops due to "out of SYN" packets, and on my side I clearly see TCP timeouts regarding the connection.

I have read that on some Cisco hardware SSH behind a NAT does not work due to the ToS packet change in the SSH client, but I have also tried doing the SSH using the ProxyCommand nc trick and it does not work either.

I also tried using TCP bypass to avoid inspecting packets, but no luck. And I also tried changing the outside MTU just in case it was a fragmentation issue.

Does anyone know if this is an 8.2 bug or if I am doing something wrong in my configuration? Or does anyone have a clue?

Thanks in advance.
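A worked check for the fragmentation hypothesis raised in the post, added here and not part of the thread: it computes the ESP tunnel-mode overhead of the posted transform (3DES-CBC with HMAC-SHA1-96, no NAT-T, as stated above) and the largest TCP MSS that still fits the 1500-byte outside MTU without fragmentation. It assumes IPv4 with no IP or TCP options; the segment sizes it prints are computed, not captured values.

```python
# Added worked example (not from the thread): ESP tunnel-mode sizing for the
# posted transform (3DES-CBC + HMAC-SHA1-96), assuming no NAT-T (as stated in
# the post), no IP/TCP options, and an outside MTU of 1500.
import math

OUTER_IP = 20      # new IPv4 header added in tunnel mode
ESP_HDR = 8        # SPI (4) + sequence number (4)
IV_3DES = 8        # 3DES-CBC block size; the IV is one block
TRAILER = 2        # pad length (1) + next header (1)
ICV_SHA1_96 = 12   # truncated HMAC-SHA1 authenticator
INNER_HDRS = 40    # inner IPv4 (20) + TCP (20) without options
NAT_T_UDP = 8      # UDP encapsulation header, only when NAT-T is negotiated


def esp_tunnel_size(inner_len, block=IV_3DES, icv=ICV_SHA1_96, nat_t=False):
    """Size on the wire of one inner IP packet after ESP tunnel-mode encapsulation."""
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = math.ceil((inner_len + TRAILER) / block) * block
    size = OUTER_IP + ESP_HDR + block + padded + icv
    if nat_t:
        size += NAT_T_UDP
    return size


def segment_on_wire(mss, **kw):
    """Wire size of a full-MSS TCP segment after encapsulation."""
    return esp_tunnel_size(INNER_HDRS + mss, **kw)


def max_mss(mtu=1500, **kw):
    """Largest MSS whose full segment still fits the outside MTU unfragmented."""
    mss = mtu - INNER_HDRS   # start from the no-overhead value and walk down
    while mss > 0 and segment_on_wire(mss, **kw) > mtu:
        mss -= 1
    return mss


def needs_fragmentation(mss, mtu=1500, **kw):
    """True if a full-MSS segment would have to be fragmented at this MTU."""
    return segment_on_wire(mss, **kw) > mtu


if __name__ == "__main__":
    for mss in (1460, 1380, max_mss()):
        print(f"MSS {mss}: {segment_on_wire(mss)} bytes on the wire, "
              f"fragmented={needs_fragmentation(mss)}")
```

On the ASA the corresponding clamp is `sysopt connection tcpmss`, whose default of 1380 already fits this transform, so a plain Ethernet MSS of 1460 is the only case above that exceeds the MTU; confirming fragmentation on the real link still needs a capture on the outside interface.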

2 Replies

Javier Tafalla
Level 1

Just as an update, the problem is not only with SSH, it is with all TCP traffic.

UDP works.

Did you ever figure this out? I am having a similar problem which happens randomly: all TCP connections over an L2L just disconnect with a broken pipe.

This is only happening between ASA and Checkpoint; ASA to ASA is fine.