Troubleshooting and Logging

Remington
Level 1

I am new to ASAs. I have an ASA 5516-X and am trying to troubleshoot a VPN tunnel not coming up.

In ASDM, regardless of the logging level, I never see the remote tunnel IP. I have the same issue if I use debug crypto ikev1 on the CLI. However, if I use one of the other 28 VPN remote IPs I can see something about that connection. I have also used Packet Tracer to send several packet types from inside to outside with success. If it is actually leaving the ASA, I am expecting to at least see some kind of authentication error or something.

15 Replies

clear crypto ipsec inactive

Then check the debug and log output.

MHM

@Remington is this a new VPN or was it previously working?

You need to generate interesting traffic from an IP address defined within the crypto ACL in order for the VPN to be established. Try pinging from a device behind the ASA to a device on the other side.

You can also run packet-tracer to simulate traffic - "packet-tracer input <interface name> tcp <src ip> 3000 <dst ip> 80" - run this twice and provide the output of the second packet-tracer.

From the CLI you can enable specific debugs for that peer - "debug crypto condition peer <peer ip>" and then "debug crypto isakmp" or "debug crypto ikev1" - provide the output for review.

Provide your ASA configuration for review

New VPN

packet-tracer input inside tcp 10.96.11.65 3000 10.11.96.1 80

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.245.245.1 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global_policy
class global-class
inspect http
service-policy global_policy global
Additional Information:

Phase: 12
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 17
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 18
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 19
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 876750989, packet dispatched to next module

Phase: 20
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.245.245.1 using egress ifc inside

Phase: 21
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.245.245.1 on interface inside
Adjacency :Active
MAC address 7486.0ba0.eedc hits 886837 reference 528

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow

debug crypto condition peer *peer public IP*
debug crypto ikev1
No results

I am not sure what you are looking for with the config, but here are all the lines that reference the remote public IP.
Line 2445: crypto map outside_map 36 set peer *public peer*
Line 3174: group-policy GroupPolicy_*public peer* internal
Line 3175: group-policy GroupPolicy_*public peer* attributes
Line 3928: tunnel-group *public peer* type ipsec-l2l
Line 3929: tunnel-group *public peer* general-attributes
Line 3930: default-group-policy GroupPolicy_*public peer*
Line 3931: tunnel-group *public peer* ipsec-attributes

@Remington looks like a routing issue, as the ingress and egress interface is the inside interface, the egress should be the outside interface.

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside

Check your routing

Provide the crypto ACL, so we know what local/remote networks are.
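The check in the accepted answer (egress interface in the packet-tracer Result block versus the interface the crypto map is bound to), as an added example that is not part of the thread. The trace text is a constructed, abbreviated copy of the output posted above; the interface name "outside" is assumed from "crypto map outside_map interface outside".

```python
import re

# Constructed, abbreviated packet-tracer output modelled on the one posted above:
# the route lookup resolves the egress to the inside interface.
SAMPLE = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.245.245.1 using egress ifc inside

Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""

PHASE_RE = re.compile(r"^Phase: \d+\nType: (\S+)\nSubtype: ?(.*)\nResult: (\S+)", re.M)
RESULT_RE = re.compile(r"^(input-interface|output-interface|Action): (\S+)", re.M)
NEXTHOP_RE = re.compile(r"Found next-hop (\S+) using egress ifc (\S+)")

def parse_trace(text):
    """Return (phases, result): phases as (type, subtype, result) tuples,
    result as the summary block keys we care about."""
    return PHASE_RE.findall(text), dict(RESULT_RE.findall(text))

def check_vpn_egress(text, crypto_map_ifc):
    """Findings that explain why a site-to-site flow never reaches the peer."""
    phases, result = parse_trace(text)
    findings = []
    if result.get("Action") != "allow":
        findings.append("packet dropped before egress; fix the dropping phase first")
    egress = result.get("output-interface")
    if egress != crypto_map_ifc:
        hop = NEXTHOP_RE.search(text)
        via = f" (next-hop {hop.group(1)})" if hop else ""
        findings.append(f"egress is '{egress}'{via} but the crypto map is on "
                        f"'{crypto_map_ifc}': routing problem, check 'show route'")
    return findings
```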

I think I have the config you are looking for, if not please let me know. All the auth types are still in there from the wizard, I have not cleaned that up again. In regards to "output-interface: inside" I am having trouble finding this setting in ASDM.

crypto map outside_map 36 set peer *IP ADDRESS*
crypto map outside_map 36 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 36 set ikev2 ipsec-proposal AES192 AES 3DES DES ESP-AES-GCM-256-SHA ESP-AES256-SHA AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map buckeye_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map buckeye_map interface *ISP NAME*

access-list outside_cryptomap_39 extended permit ip object-group obj-Terminal_servers object-group obj-grp-*VENDOR*

nat (inside,outside) source static obj-Terminal_servers obj-Terminal_servers destination static obj-*VENDOR* obj-*VENDOR* no-proxy-arp route-lookup

outside_map 36 <<- this needs a match address outside_cryptomap_39.
I don't see it?

NOTE: don't worry about the proposal, both peers will agree to accept only one.

MHM
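The consistency check MHM is making by eye (every static crypto map entry needs a "match address" ACL that actually exists, and a crypto ACL should be bound to some entry), as an added example that is not from the thread. The config fragment is constructed to mirror the posted lines, with RFC 5737 placeholder peer addresses and the ASDM "outside_cryptomap_" naming convention assumed for the unused-ACL check.

```python
import re
from collections import defaultdict

# Constructed config fragment modelled on the thread: sequence 36 has a peer
# but no "match address" line, and outside_cryptomap_39 is not bound anywhere.
CONFIG = """\
access-list outside_cryptomap_36 extended permit ip object-group obj-Tun_V2_Src object-group obj-Tun_V2_Dst
access-list outside_cryptomap_39 extended permit ip object-group obj-Terminal_servers object-group obj-grp-VENDOR
crypto map outside_map 35 match address outside_cryptomap_36
crypto map outside_map 35 set peer 198.51.100.1
crypto map outside_map 36 set peer 203.0.113.1
crypto map outside_map 36 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
"""

ENTRY_RE = re.compile(
    r"^crypto map (\S+) (\d+) (match address|set peer|ipsec-isakmp dynamic) (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\S+) ", re.M)

def lint_crypto_maps(config):
    """Return a list of human-readable problems with the static crypto map entries."""
    acls = set(ACL_RE.findall(config))
    entries = defaultdict(dict)          # (map name, seq) -> {attribute: value}
    for name, seq, kind, arg in ENTRY_RE.findall(config):
        entries[(name, int(seq))][kind] = arg
    used_acls, problems = set(), []
    for (name, seq), attrs in sorted(entries.items()):
        if "ipsec-isakmp dynamic" in attrs:
            continue                     # dynamic entries take their policy from the dynamic map
        acl = attrs.get("match address")
        if acl is None:
            problems.append(f"{name} {seq}: no 'match address' - the entry is incomplete "
                            f"and no traffic can select this peer")
        elif acl not in acls:
            problems.append(f"{name} {seq}: match address {acl} references an undefined ACL")
        else:
            used_acls.add(acl)
        if "set peer" not in attrs:
            problems.append(f"{name} {seq}: no 'set peer'")
    for acl in sorted(acls - used_acls):
        if acl.startswith("outside_cryptomap_"):   # ASDM's crypto ACL naming convention
            problems.append(f"ACL {acl} is defined but not bound to any crypto map entry")
    return problems
```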

I saw this as well and it seemed off. I am unsure what menu or object is combining them. Below are all references to 36 and 39

Line 1788: access-list outside_cryptomap_39 extended permit ip object-group obj-Terminal_servers object-group obj-grp-*VENDOR*
Line 2447: crypto map outside_map 36 match address outside_cryptomap_39

Line 1536: access-list outside_cryptomap_36 extended permit ip object-group obj-Tun_*VENDOR2*_Src object-group obj-Tun_*VENDOR2*_Dst
Line 2440: crypto map outside_map 35 match address outside_cryptomap_36

Friend, it is hard to troubleshoot the VPN via ASDM.
Can you share the config via CLI?
Thanks
MHM

@Remington the ASA appears to think the destination is via the "inside" interface, please provide your routing table "show route" from CLI and what networks are in object "obj-*VENDOR*"

When doing show route and searching for remote peer or remote host, there are 0 results for each IP. However, I do not see this information in the routing table for a different working VPN. 

@Remington the egress interface should be the outside interface via the default route then. There does not appear to be a NAT rule that has been matched (in your packet-tracer output) that can override the routing. Is 10.11.96.1 definitely the correct destination IP? What is the network in "obj-*VENDOR*" object?

The traffic passes the ACL multiple times.

There is an issue in the config.

Share the config, let me check it.

MHM

I posted some config in the last post, do you need more info?

Remington
Level 1

I found the issue: there was a route for 10.0.0.0/8 on the inside interface that I missed, and I had then matched it as /16, not /8.

Thank you both for the help, it's been a good learning experience for this new hardware and interface.
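Why the missed 10.0.0.0/8 route sent 10.11.96.1 out the inside interface, and why correcting it to /16 fixes it: an added example of the longest-prefix-match rule the ASA's route lookup applies, not part of the thread. The routing tables are constructed; the default-route next hop 192.0.2.1 is a placeholder, and 10.245.245.1 is the inside next hop from the posted trace.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: the most specific prefix containing dst wins,
    and 0.0.0.0/0 is used only when nothing more specific matches."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, ifc in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, ifc)
    return best

# Constructed tables. BEFORE reproduces the mistake in the thread: the inside
# route was believed to be 10.96.0.0/16 but was actually entered as 10.0.0.0/8.
BEFORE = [
    ("0.0.0.0/0", "192.0.2.1", "outside"),       # ISP default route (placeholder next hop)
    ("10.0.0.0/8", "10.245.245.1", "inside"),    # overly broad route that was missed
]
AFTER = [
    ("0.0.0.0/0", "192.0.2.1", "outside"),
    ("10.96.0.0/16", "10.245.245.1", "inside"),  # corrected to the real internal range
]

def egress_for(routes, dst):
    """Interface the ASA would pick for dst, i.e. the 'egress ifc' in packet-tracer."""
    r = lookup(routes, dst)
    return r[2] if r else None

def misrouted(routes, remote_hosts, crypto_map_ifc):
    """Remote hosts from the crypto ACL that routing would send out an interface
    other than the one the crypto map is bound to; these never get encrypted."""
    return [h for h in remote_hosts if egress_for(routes, h) != crypto_map_ifc]
```

Run `misrouted(table, remote_hosts, "outside")` against the output of `show route` before touching the crypto config; every host it returns is a routing problem, not a VPN problem.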