01-12-2024 12:54 PM
I am new to ASAs, I have an ASA 5516-X, and am trying to troubleshoot a VPN tunnel not coming up.
In ASDM, regardless of the logging level, I never see the remote tunnel IP. I have the same issue if I use debug crypto ikev1 on the CLI. However, if I use one of the other 28 VPN remote IPs I can see something about that connection. I have also used Packet Tracer to do several packet types from inside to outside with success. If it is actually leaving the ASA I am expecting to at least see some kind of authentication error or something.
01-12-2024 01:36 PM
@Remington looks like a routing issue, as the ingress and egress interfaces are both the inside interface; the egress should be the outside interface.
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
Check your routing
Provide the crypto ACL, so we know what local/remote networks are.
01-12-2024 01:04 PM
Clear crypto ipsec inactive
Then check debug and log
MHM
01-12-2024 01:05 PM
@Remington is this a new VPN or was it previously working?
You need to generate interesting traffic from an IP address defined within the crypto ACL in order for the VPN to be established. Try pinging from a device behind the ASA to a device on the other side.
You can also run packet-tracer to simulate traffic - "packet-tracer input <interface name> tcp <src ip> 3000 <dst ip> 80" - run this twice and provide the output of the second packet-tracer.
From the CLI you can enable specific debugs for that peer - "debug crypto condition peer <peer ip>" and then "debug crypto isakmp" or "debug crypto ikev1" - provide the output for review.
Provide your ASA configuration for review
01-12-2024 01:30 PM
New VPN
packet-tracer input inside tcp 10.96.11.65 3000 10.11.96.1 80
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.245.245.1 using egress ifc inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:
Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map global-class
match default-inspection-traffic
policy-map global_policy
class global-class
inspect http
service-policy global_policy global
Additional Information:
Phase: 12
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 15
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 16
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 17
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 18
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Phase: 19
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 876750989, packet dispatched to next module
Phase: 20
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.245.245.1 using egress ifc inside
Phase: 21
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.245.245.1 on interface inside
Adjacency :Active
MAC address 7486.0ba0.eedc hits 886837 reference 528
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
debug crypto condition peer *peer public IP*
debug crypto ikev1
No results
I am not sure what you are looking for with the config, but here are all the lines that reference the remote public IP.
Line 2445: crypto map outside_map 36 set peer *public peer*
Line 3174: group-policy GroupPolicy_*public peer* internal
Line 3175: group-policy GroupPolicy_*public peer* attributes
Line 3928: tunnel-group *public peer* type ipsec-l2l
Line 3929: tunnel-group *public peer* general-attributes
Line 3930: default-group-policy GroupPolicy_*public peer*
Line 3931: tunnel-group *public peer* ipsec-attributes
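The packet-tracer output above is long, and the detail that matters (the same interface appearing as both input-interface and output-interface) is buried at the end. The following script is an added example, not code from the thread or from Cisco; it parses packet-tracer text into phases and the final Result summary and reports the conditions a reviewer would look for: a DROP in any phase, which next-hop and egress interface the route lookup picked, whether ingress and egress are the same interface, and whether a VPN phase appeared at all. The SAMPLE_TRACE is a constructed, abbreviated trace in the same shape as the one posted, with the same next-hop and interface names.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, abbreviated from the shape of ASA packet-tracer output.
# The phases were chosen to reproduce the ingress == egress symptom from the thread.
SAMPLE_TRACE = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.245.245.1 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any4 any4
Additional Information:

Phase: 3
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
"""

Phase = Dict[str, object]


def parse_packet_tracer(text: str) -> Tuple[List[Phase], Dict[str, str]]:
    """Split packet-tracer output into a list of phases and the final Result summary."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
            continue
        if line == "Result:":  # a bare 'Result:' opens the final summary block
            in_summary = True
            continue
        m = re.match(r"^Phase:\s*(\d+)$", line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "details": []}
            phases.append(current)
            continue
        if current is None:
            continue
        for field in ("Type", "Subtype", "Result"):
            if line.startswith(field + ":"):
                current[field.lower()] = line[len(field) + 1:].strip()
                break
        else:
            # Everything under 'Config:' / 'Additional Information:' is kept as free text
            if line not in ("Config:", "Additional Information:"):
                current["details"].append(line)
    return phases, summary


def analyze_trace(text: str) -> List[str]:
    """Return human-readable findings: drops, the chosen egress, the ingress == egress
    condition from the thread, and a missing VPN phase (traffic not matching the crypto ACL)."""
    phases, summary = parse_packet_tracer(text)
    findings: List[str] = []
    for p in phases:
        if p["result"] == "DROP":
            findings.append(f"phase {p['phase']} ({p['type']}) dropped the packet")
        if p["type"] == "INPUT-ROUTE-LOOKUP":
            for d in p["details"]:
                m = re.search(r"next-hop (\S+) using egress ifc (\S+)", d)
                if m:
                    findings.append(f"route lookup picked next-hop {m.group(1)} via {m.group(2)}")
    ingress, egress = summary.get("input-interface"), summary.get("output-interface")
    if ingress and egress and ingress == egress:
        findings.append(f"ingress and egress are both '{egress}': a route on that "
                        "interface covers the destination; check 'show route'")
    if not any(p["type"] == "VPN" for p in phases):
        findings.append("no VPN phase: traffic did not match any crypto ACL")
    return findings


if __name__ == "__main__":
    for finding in analyze_trace(SAMPLE_TRACE):
        print("-", finding)
```

Paste a real trace in place of SAMPLE_TRACE (or read it from a file) and the same checks apply; the ingress == egress finding is exactly the symptom the replies below point at.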
01-15-2024 06:50 AM
I think I have the config you are looking for, if not please let me know. All the auth types are still in there from the wizard, I have not cleaned that up again. In regards to "output-interface: inside" I am having trouble finding this setting in ASDM.
crypto map outside_map 36 set peer *IP ADDRESS*
crypto map outside_map 36 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 36 set ikev2 ipsec-proposal AES192 AES 3DES DES ESP-AES-GCM-256-SHA ESP-AES256-SHA AES256
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map buckeye_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map buckeye_map interface *ISP NAME*
access-list outside_cryptomap_39 extended permit ip object-group obj-Terminal_servers object-group obj-grp-*VENDOR*
nat (inside,outside) source static obj-Terminal_servers obj-Terminal_servers destination static obj-*VENDOR* obj-*VENDOR* no-proxy-arp route-lookup
01-15-2024 06:52 AM - edited 01-15-2024 06:53 AM
outside_map 36 <<- this needs match address outside_cryptomap_39
I don't see it?
NOTE: don't worry about the proposal, both peers will agree to accept only one
MHM
01-15-2024 07:00 AM
I saw this as well and it seemed off. I am unsure what menu or object is combining them. Below are all references to 36 and 39
Line 1788: access-list outside_cryptomap_39 extended permit ip object-group obj-Terminal_servers object-group obj-grp-*VENDOR*
Line 2447: crypto map outside_map 36 match address outside_cryptomap_39
Line 1536: access-list outside_cryptomap_36 extended permit ip object-group obj-Tun_*VENDOR2*_Src object-group obj-Tun_*VENDOR2*_Dst
Line 2440: crypto map outside_map 35 match address outside_cryptomap_36
01-15-2024 07:20 AM
Friend, it is hard to troubleshoot the VPN via ASDM.
Can you share the config via CLI?
Thanks
MHM
01-15-2024 06:56 AM
@Remington the ASA appears to think the destination is via the "inside" interface, please provide your routing table "show route" from CLI and what networks are in object "obj-*VENDOR*"
01-15-2024 07:07 AM
When doing show route and searching for remote peer or remote host, there are 0 results for each IP. However, I do not see this information in the routing table for a different working VPN.
01-15-2024 07:17 AM
@Remington the egress interface should be the outside interface via the default route then. There does not appear to be a NAT rule that has been matched (in your packet-tracer output) that can override the routing. Is 10.11.96.1 definitely the correct destination IP? What is the network in "obj-*VENDOR*" object?
01-12-2024 01:40 PM
The traffic passes the ACL multiple times.
There is an issue in the config.
Share the config, let me check it.
MHM
01-15-2024 06:50 AM
I posted some config in the last post, do you need more info?
01-15-2024 09:53 AM
I found the issue, there was a route for 10.0.0.0/8 on the inside interface that I missed and then I matched it as /16 not /8.
Thank you both for the help, it's been a good learning experience for this new hardware and interface.
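The root cause in this thread is a longest-prefix-match detail: a 10.0.0.0/8 route on the inside interface is more specific than the default route, so every 10.x.x.x destination, including the VPN remote network, is sent back out the inside interface and never reaches the crypto map on outside; read as /16 it would have covered only 10.0.x.x and the default route would have won. The script below is an added example, not code from the thread, that reproduces that lookup over a constructed routing table (the next-hop and interface names follow the thread; the ISP next-hop 203.0.113.1 and the remote network 10.11.96.0/24 are assumed sample values) and adds the check a practitioner would want: for each remote network in a crypto ACL, confirm its best route egresses via the interface the crypto map is bound to.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, str]  # (prefix, next-hop, egress interface)

# Constructed routing table modelled on what 'show route' lists: a default route out the
# ISP-facing interface plus the 10.0.0.0/8 route on 'inside' that the thread turned up.
# 203.0.113.1 is an assumed sample next-hop, not the poster's.
ROUTES: List[Route] = [
    ("0.0.0.0/0", "203.0.113.1", "outside"),
    ("10.245.245.0/24", "connected", "inside"),
    ("10.0.0.0/8", "10.245.245.1", "inside"),
]

# The same table as the poster first read it, with the summary taken as /16 instead of /8.
ROUTES_MISREAD: List[Route] = [
    r if r[0] != "10.0.0.0/8" else ("10.0.0.0/16", r[1], r[2]) for r in ROUTES
]


def lookup(dest: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match, which is how the ASA resolves the egress interface."""
    ip = ipaddress.ip_address(dest)
    best: Optional[Route] = None
    best_len = -1
    for route in routes:
        net = ipaddress.ip_network(route[0])
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def shadowed_remote_networks(remote_nets: List[str], vpn_interface: str,
                             routes: List[Route]) -> List[Tuple[str, Optional[Route]]]:
    """For each remote network of a crypto ACL, report it if its best route does not egress
    via the interface the crypto map is applied to. Both ends of the range are probed so a
    route that overlaps only part of the remote network is caught as well."""
    problems: List[Tuple[str, Optional[Route]]] = []
    for net_str in remote_nets:
        net = ipaddress.ip_network(net_str)
        probes = {str(net.network_address), str(net.broadcast_address)}
        for probe in sorted(probes):
            route = lookup(probe, routes)
            if route is None or route[2] != vpn_interface:
                problems.append((net_str, route))
                break
    return problems


if __name__ == "__main__":
    for table, label in ((ROUTES, "route read as /8"), (ROUTES_MISREAD, "route misread as /16")):
        print(f"{label}: 10.11.96.1 -> {lookup('10.11.96.1', table)}")
    # Crypto map is bound to 'outside' (crypto map outside_map interface outside)
    print("shadowed:", shadowed_remote_networks(["10.11.96.0/24"], "outside", ROUTES))
```

Feed it the prefixes from `show route` and the remote networks from the crypto ACL's destination object; any entry it reports is a destination the ASA will route away from the VPN interface before the crypto map is ever consulted, which is what produced the inside/inside packet-tracer result above.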