The tale of two IPSec Tunnels...

Ryan Fisher
Level 1

I'm trying to set up an ipsec tunnel at a particular site, and I am just stumped at this point.  I have two sites I'm working with, a test site on my bench and the other actual site at another location.  Both are ASA 5510s, both are running ASA v8.2(5).  The test site has a 3560 off of it, and the production site has a 3750 stack off it.  I don't think that part should matter, though.

I used the wizard to create the ipsec configuration on both devices, test and prod, and used the same naming on both to help compare.  The test site connects and I can ssh to the 3560 behind it just fine.  The production site, however, cannot connect to that 3750 or ping it to save my life.  I've pored through the configs on both, and although there are just a couple of differences, the two ASAs are pretty close in configs.

At first I thought it was an acl issue, but I've filtered the logs by syslog id 106023 to watch for denies by access group.  When I try to connect to the 3750, I get absolutely no entry in the log that anything is being denied, so I figure that's not it.

Then I thought it may be a routing issue.  The one difference between the two sites is that the test site is using eigrp to disperse routes between the asa and switch, while the production site is using static routes.  But I also didn't think that would've mattered, because on the static route switch I even put a static route in there to the vpn network which didn't make a difference.

I've also run packet traces on the firewall when doing a ping, and on the test site I see echo requests and replies.  On the production site I only see requests, no replies.  My encap counters don't increment during pings, but the decap counters do, which makes sense.

Other things to note:  The test site that works also has a site-to-site vpn up and running, so you'll see that in the config as well.  Client is Mac OS X 10.6.8, using the Cisco IPSec Config.

I'm hoping someone can look at my configs and tell me if they see anything I'm missing on them that could help solve my problems.  I'd appreciate it!  Thanks

Test Site that works
Production Site that Doesn't

testasa01-5510# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname testasa01-5510


names

!

interface Ethernet0/0

nameif outside

security-level 0

ip address <outsideif> 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.39.194.2 255.255.255.248

!

interface Ethernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

no ip address

management-only

!

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

access-list inside_access_in extended permit ip 10.39.0.0 255.255.0.0 any log disable

access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 172.16.139.0 255.255.255.240

access-list outside_cryptomap extended permit ip 10.39.0.0 255.255.0.0 10.0.0.0 255.0.0.0

access-list remoteaccess extended permit ip 172.16.139.0 255.255.255.240 any log disable

!

tcp-map WSOptions

  tcp-options range 24 31 allow

!

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpn_ip_pool 172.16.139.0-172.16.139.10 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-713.bin

no asdm history enable

arp timeout 14400

global (outside) 100 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 100 10.39.0.0 255.255.0.0

access-group inside_access_in in interface inside

!

router eigrp 100

network 10.0.0.0 255.0.0.0

passive-interface default

no passive-interface inside

!

route outside 0.0.0.0 0.0.0.0 <outsideif> 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 management

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map1 1 match address outside_cryptomap

crypto map outside_map1 1 set pfs group1

crypto map outside_map1 1 set peer 209.242.145.200

crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map1 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map1 interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication crack

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 20

authentication rsa-sig

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption aes-256

hash sha    

group 2

lifetime 86400

crypto isakmp policy 40

authentication crack

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 50

authentication rsa-sig

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 60

authentication pre-share

encryption aes-192

hash sha

group 2

lifetime 86400

crypto isakmp policy 70

authentication crack

encryption aes

hash sha    

group 2

lifetime 86400

crypto isakmp policy 80

authentication rsa-sig

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 90

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto isakmp policy 100

authentication crack

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 110

authentication rsa-sig

encryption 3des

hash sha    

group 2

lifetime 86400

crypto isakmp policy 120

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp policy 130

authentication crack

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 140

authentication rsa-sig

encryption des

hash sha

group 2

lifetime 86400

crypto isakmp policy 150

authentication pre-share

encryption des

hash sha    

group 2

lifetime 86400

crypto isakmp policy 170

authentication pre-share

encryption 3des

hash sha

group 1

lifetime 86400

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 inside

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 60

console timeout 0

management-access inside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server <server> source inside

webvpn

group-policy GroupPolicy1 internal

group-policy GroupPolicy1 attributes

vpn-tunnel-protocol IPSec

group-policy RemoteAccess internal

group-policy RemoteAccess attributes

dns-server value 8.8.8.8

vpn-filter value remoteaccess

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteAccess_splitTunnelAcl

split-tunnel-all-dns disable

vlan none

tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

address-pool vpn_ip_pool

default-group-policy RemoteAccess

tunnel-group RemoteAccess ipsec-attributes

pre-shared-key *****

tunnel-group 111.222.333.444 type ipsec-l2l

tunnel-group 111.222.333.444 general-attributes

default-group-policy GroupPolicy1

tunnel-group 111.222.333.444 ipsec-attributes

pre-shared-key *****

!

class-map WSOptions-class

match any

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

class WSOptions-class

  set connection advanced-options WSOptions

policy-map type inspect ip-options ip-options-map

parameters

  eool action allow

  nop action allow

  router-alert action allow

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

: end

mp01-5510asa# sh run

: Saved

:

ASA Version 8.2(5)

!

hostname mp01-5510asa


names

!

interface Ethernet0/0

nameif inside

security-level 100

ip address 10.29.194.2 255.255.255.252

!

interface Ethernet0/1

nameif dmz

security-level 50

ip address 172.16.29.1 255.255.255.0

!

interface Ethernet0/2

description

nameif backup

security-level 0

ip address <backupif> 255.255.255.252

!

interface Ethernet0/3

description

speed 100

duplex full

nameif outside

security-level 0

ip address <outsideif> 255.255.255.248

!

interface Management0/0

nameif management

security-level 100

ip address 10.29.199.11 255.255.255.0

management-only

!

banner login Authorized Use Only

boot system disk0:/asa825-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

object-group network DM_INLINE_NETWORK_1

network-object 10.29.1.0 255.255.255.0

network-object 10.29.15.0 255.255.255.0

network-object 10.29.199.0 255.255.255.0

network-object 10.29.200.0 255.255.255.0

network-object 10.29.31.0 255.255.255.0

access-list inside_access_in extended permit ip 10.29.0.0 255.255.0.0 any log warnings

access-list inside_access_in extended permit ip object-group DM_INLINE_NETWORK_1 any log warnings

access-list inside_access_in extended permit ip 192.168.29.0 255.255.255.0 any log warnings

access-list inside_access_in extended permit ip 10.29.32.0 255.255.255.0 any log warnings

access-list outside_access_in extended permit ip any host 50.59.30.116 log warnings

access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings

access-list remoteaccess extended permit ip 10.254.29.0 255.255.255.0 any log warnings

access-list RemoteAccess2_splitTunnelAcl standard permit 10.29.0.0 255.255.0.0

pager lines 24

logging enable

logging list acl-messages message 106023

logging buffered acl-messages

logging asdm acl-messages

mtu inside 1500

mtu dmz 1500

mtu backup 1500

mtu outside 1500

mtu management 1500

ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-645.bin

asdm history enable

arp timeout 14400

global (inside) 201 interface

global (dmz) 101 interface

global (backup) 101 interface

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 101 10.29.1.0 255.255.255.0

nat (inside) 101 10.29.15.0 255.255.255.0

nat (inside) 101 10.29.31.0 255.255.255.0

nat (inside) 101 10.29.32.0 255.255.255.0

nat (inside) 101 10.29.199.0 255.255.255.0

nat (inside) 101 10.29.200.0 255.255.255.0

nat (inside) 101 192.168.29.0 255.255.255.0

static (inside,outside) <outsideif> 10.29.15.10 netmask 255.255.255.255

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 50.59.30.113 1 track 1

route backup 0.0.0.0 0.0.0.0 205.179.122.165 254

route management 10.0.0.0 255.0.0.0 10.29.199.1 1

route inside 10.29.0.0 255.255.0.0 10.29.194.1 1

route inside 192.168.29.0 255.255.255.0 10.29.194.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

http server enable

http 10.0.0.0 255.0.0.0 management

http 10.0.0.0 255.0.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sla monitor 100

type echo protocol ipIcmpEcho 74.125.239.16 interface outside

num-packets 3

frequency 10

sla monitor schedule 100 life forever start-time now

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 30

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

!

track 1 rtr 100 reachability

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 inside

ssh 10.0.0.0 255.0.0.0 management

ssh timeout 60

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server 10.200.1.41 source inside

webvpn

group-policy RemoteAccess internal

group-policy RemoteAccess attributes

dns-server value 8.8.8.8

vpn-filter value remoteaccess

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value RemoteAccess_splitTunnelAcl

split-tunnel-all-dns disable

vlan none


tunnel-group RemoteAccess type remote-access

tunnel-group RemoteAccess general-attributes

address-pool vpn_ip_pool3

default-group-policy RemoteAccess

tunnel-group RemoteAccess ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect icmp

!

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

testasa01-5510# sh crypto ipsec sa

interface: outside

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (172.16.139.1/255.255.255.255/0/0)

      current_peer: <peer ip>, username: blah

      dynamic allocated peer ip: 172.16.139.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 0A7F396F

      current inbound spi : E87AF806

    inbound esp sas:

      spi: 0xE87AF806 (3900372998)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3587

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x7FFFFFFF

    outbound esp sas:

      spi: 0x0A7F396F (176109935)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 49152, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3587

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001

mp01-5510asa# sh crypto ipsec sa

interface: outside

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>

      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)

      current_peer: <peer ip>, username: blah

      dynamic allocated peer ip: 10.254.29.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: <outsideif>/4500, remote crypto endpt.: <peer ip>/37291

      path mtu 1500, ipsec overhead 82, media mtu 1500

      current outbound spi: 096265D4

      current inbound spi : F5E4780C

    inbound esp sas:

      spi: 0xF5E4780C (4125390860)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3576

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x001FFFFF 0xFFFFFFFF

    outbound esp sas:

      spi: 0x096265D4 (157443540)

         transform: esp-aes esp-sha-hmac no compression

         in use settings ={RA, Tunnel,  NAT-T-Encaps, }

         slot: 0, conn_id: 102400, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 3576

         IV size: 16 bytes

         replay detection support: Y

         Anti replay bitmap:

          0x00000000 0x00000001
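An added example, not part of the original post: a small parser for the `sh crypto ipsec sa` output shown above that reads the encap/decap asymmetry (packets decrypted from the client, nothing ever encrypted back) as a return-path symptom. The sample text is a constructed abbreviation of the production ASA's output; the function and class names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: abbreviated from the production ASA's "sh crypto ipsec sa"
# above, keeping only the lines the parser needs.
ONE_WAY_SA = """\
interface: outside
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: <outsideif>
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.29.1/255.255.255.255/0/0)
      dynamic allocated peer ip: 10.254.29.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 51, #pkts decrypt: 51, #pkts verify: 51
      #send errors: 0, #recv errors: 0
"""


@dataclass
class SaCounters:
    peer_ip: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def parse_ipsec_sa(text: str) -> list:
    """Split 'show crypto ipsec sa' output into one record per crypto-map entry."""
    records = []
    # Every SA entry begins at a 'Crypto map tag:' line; text before the first is the interface header.
    for chunk in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        peer = re.search(r"dynamic allocated peer ip: (\S+)", chunk)
        enc = re.search(r"#pkts encaps: (\d+)", chunk)
        dec = re.search(r"#pkts decaps: (\d+)", chunk)
        errs = re.search(r"#send errors: (\d+), #recv errors: (\d+)", chunk)
        if not (enc and dec and errs):
            continue  # not a block we understand; skip rather than guess
        records.append(SaCounters(
            peer_ip=peer.group(1) if peer else "?",
            encaps=int(enc.group(1)),
            decaps=int(dec.group(1)),
            send_errors=int(errs.group(1)),
            recv_errors=int(errs.group(2)),
        ))
    return records


def diagnose(sa: SaCounters) -> str:
    """Classify traffic flow on one SA from its counters alone."""
    if sa.send_errors or sa.recv_errors:
        return "errors"
    if sa.decaps > 0 and sa.encaps == 0:
        # Client packets are decrypted, but nothing is encrypted back: the
        # replies from the inside network never reach the ASA (missing route
        # to the pool, or an inline device dropping them), so the tunnel
        # itself is not the problem.
        return "one-way"
    if sa.decaps > 0 and sa.encaps > 0:
        return "bidirectional"
    return "idle"
```

Run it against both outputs above and the difference between the sites shows up as the classification rather than as a line-by-line config diff.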

2 Replies

mvsheik123
Level 7

Config (non-working site) looks fine (unless I missed something :)). You may want to add:

access-list RemoteAccess_splitTunnelAcl standard permit 192.168.29.0 255.255.255.0

Try taking out the vpn-filter:  vpn-filter value remoteaccess

To further t-shoot, try using packet tracer from ASA to the client...

https://supportforums.cisco.com/docs/DOC-5796

Thx

MS
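An added example, not part of this reply: a small lint for the two config points it raises, whether the split-tunnel ACL covers every network the ASA routes inside, and whether the nat0 ACL exempts the whole VPN pool. The config lines are copied from the production config above; the function names are mine, and the ACL parsing handles only the network/mask forms that appear there.

```python
import ipaddress
import re

# Constructed sample: the relevant lines copied from the production ASA config above.
PROD_CONFIG = """\
access-list RemoteAccess_splitTunnelAcl standard permit 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 10.0.0.0 255.0.0.0 10.254.29.0 255.255.255.0 log warnings
ip local pool vpn_ip_pool3 10.254.29.0-10.254.29.10 mask 255.255.255.0
route inside 10.29.0.0 255.255.0.0 10.29.194.1 1
route inside 192.168.29.0 255.255.255.0 10.29.194.1 1
"""


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def split_tunnel_networks(cfg: str, acl: str) -> list:
    """Networks a standard split-tunnel ACL tells the client to send through the tunnel."""
    pat = rf"^access-list {re.escape(acl)} standard permit (\S+) (\S+)"
    return [_net(a, m) for a, m in re.findall(pat, cfg, re.M)]


def inside_networks(cfg: str) -> list:
    """Destinations the ASA reaches via its inside interface (static routes only)."""
    return [_net(a, m) for a, m in re.findall(r"^route inside (\S+) (\S+)", cfg, re.M)]


def nat0_destinations(cfg: str, acl: str) -> list:
    """Destination networks exempted from NAT; net/mask source and destination only."""
    pat = rf"^access-list {re.escape(acl)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [_net(d, dm) for _, _, d, dm in re.findall(pat, cfg, re.M)]


def pool_networks(cfg: str, pool: str) -> list:
    """The address pool's first-last range expressed as CIDR blocks."""
    m = re.search(rf"^ip local pool {re.escape(pool)} (\S+)-(\S+)", cfg, re.M)
    first, last = (ipaddress.ip_address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def uncovered(nets, covering) -> list:
    """Members of `nets` not wholly inside any network in `covering`."""
    return [str(n) for n in nets if not any(n.subnet_of(c) for c in covering)]


def lint_remote_access(cfg: str, split_acl: str, nat0_acl: str, pool: str) -> dict:
    """Inside networks the split-tunnel list misses, and pool blocks nat0 misses."""
    return {
        "not_in_split_tunnel": uncovered(inside_networks(cfg), split_tunnel_networks(cfg, split_acl)),
        "not_nat_exempt": uncovered(pool_networks(cfg, pool), nat0_destinations(cfg, nat0_acl)),
    }
```

On the production config this flags 192.168.29.0/24 as missing from the split-tunnel list (the entry suggested above) and finds the pool fully covered by nat0.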

Thanks for the reply.   I've finally figured it out after pulling almost all of my hair out.

I completely forgot about the Palo Alto firewall that's inline up there between the firewall and switch, and that was blocking the traffic because the ASA side was in an untrusted policy.  Once I added the policy to trust the vpn network from the asa, it was working.

Geesh!  Definitely a good lesson learned here!!

Thanks