Showing results for 
Search instead for 
Did you mean: 

TLS Server Hello reply lost(?) inside L2L VPN

Hello! I ran into an issue with client-server traffic over HTTPS which I`m trying to figure out for the past couple of days.

I have a server in the HQ providing services over HTTPS. The client initiates the TLS negotiation with TLS Client Hello and the packet makes it all the way to the server, which replies back to the client with a Server Hello. The TLS Server Hello reply is visible in a capture on the ASA before being encrypted, but for some reason it never makes it to the other side. screenshot of PCAP from both end of the tunnel attached. port and sequence numbers are off on the 2 end as they were taken in slightly different time, but pattern is the same. Client keeps sending TLS Client hello, but Server Hello never makes it make to Office site.

Anyone has any idea?

All other traffic is passing through the tunnel OK. First I thought it may be something with the inspection, but now I just don`t know. See config snippet from HQ side.


HQ_server <---> ASA5512 <-----s2s-vpn------->ASA5506<---->CLIENT



GigabitEthernet0/0 frontnet 0
Port-channel1.10 server 100

S* [1/0] via Z.Z.Z.Z, frontnet


crypto map frontnet_map 5 match address frontnet_cryptomap_4
crypto map frontnet_map 5 set pfs
crypto map frontnet_map 5 set peer X.X.X.X
crypto map frontnet_map 5 set ikev1 transform-set ESP-AES-128-SHA

group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev1

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****

access-list frontnet_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_8 object NW_VPN_OFFICE

nat (server,frontnet) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 destination static NW_VPN_OFFICE NW_VPN_OFFICE no-proxy-arp route-lookup



class-map Firepower
match any
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ftp
inspect netbios
inspect ip-options
inspect pptp
inspect ipsec-pass-thru
inspect http
inspect sunrpc
inspect sqlnet
inspect icmp
inspect icmp error
class Firepower
sfr fail-open
class class-default
user-statistics accounting
service-policy global_policy global




Rising star



Content for Community-Ad