Tunnel traffic only goes in one direction

michaeldodd98
Level 1

I have established the VPN tunnel, verified with show isakmp and ipsec commands as well as watching the real time log in ASDM.  The catch is the VPN tunnel can only be initiated from the remote end (Fortigate VPN Firewall) and I can ping from a remote computer, see the ICMP packet enter the tunnel, and see in the log on the ASA the ICMP with the remote source IP and no echo reply is sent back over the tunnel.  If I try to ping from behind the local ASA and the tunnel isn't up, it never goes up.  I am not sure what the problem is. I set up a different tunnel to my home ASA to ASA and everything works fine between the local ASA (192.168.150.1) and my home ASA (192.168.1.1).

I have been going through the "Most common L2L and Remote Access VPN" troubleshooting doc from Cisco and will turn on NAT-T on both ends, but what else do I need to do?

: Saved
:
ASA Version 8.2(1)
!
hostname <HIDDEN>
domain-name <HIDDEN>.com
enable password <HIDDEN> encrypted
passwd <HIDDEN> encrypted
names
dns-guard
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.150.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
banner motd  [WARNING]
banner motd  If you are not authorised to access this system exit immediately.
banner motd  Unauthorised access to this system is forbidden by company policies, national, and international laws.
banner motd  Unauthorised users are subject to criminal and civil penalties as well as company initiated disciplinary proceedings.
banner motd  By entry into this system you acknowledge that you are authorised to access it and have the level of privilege at which you subsequently operate on this system.
banner motd  You consent by entry into this system to the monitoring of your activities.
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup outside
dns server-group DefaultDNS
name-server 4.2.2.1
name-server <hidden>
domain-name <hidden>.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service rdp tcp
description used for windows remote desktop
port-object eq 3389
object-group service vnc tcp
description used for vnc remote control software
port-object eq 5900
access-list outside_1_cryptomap extended permit ip 192.168.150.0 255.255.255.0 1.2.0.0 255.255.0.0
access-list outside_access_in extended permit icmp any any
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 1.2.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.150.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.150.0 255.255.255.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http server idle-timeout 120
http 192.168.1.0 255.255.255.0 inside
http 192.168.150.0 255.255.255.0 inside
http 1.2.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 outside
http 192.168.200.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer <hiddenpublicip1>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer <hiddenpublicip2>
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email <hidden>
subject-name CN=<hidden>
serial-number
ip-address 192.168.150.1
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 9f49814d
  quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet 192.168.150.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 60
management-access inside
dhcpd address 192.168.150.100-192.168.150.131 inside
dhcpd dns 4.2.2.1 4.2.2.2 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.43.244.18 source outside prefer
webvpn
tunnel-group <hiddenpublicip1> type ipsec-l2l
tunnel-group <hiddenpublicip1> ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
tunnel-group <hiddenpublicip2> type ipsec-l2l
tunnel-group <hiddenpublicip2> ipsec-attributes
pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:34326277fd2eb3caaa97e939b52ce4f2
: end

6 Replies

Jennifer Halim
Cisco Employee

If you can establish another tunnel from the same ASA, I do not believe that it is issue with the ASA.

When you are trying to establish the VPN towards the Fortigate end, can you please share the output of:

show cry isa sa

show cry ipsec sa

You might want to run debug as well to further investigate the issue as this will provide us more details to see where exactly it's failing:

debug cry isa

debug cry ipsec

You've also disabled NAT-T on your crypto map towards the Fortigate: "crypto map outside_map 1 set nat-t-disable". Just want to confirm that there is no NAT/PAT device in between the 2 peers.

Thanks for your help.  There are no NAT devices between the endpoints (the ASA has NAT but I have exempted this traffic from it, don't think I would still need NAT-T).

Here are the results when I try to initiate the VPN from the ASA to the Fortigate; it just sits there (if I initiated from the Fortigate it would be State: ACTIVE).

---------

sho crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: x.x.x.x
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

----------

sho crypto ipsec sa

There are no ipsec sas

----------

debug crypto isakmp
HOSTNAME# debug crypto ipsec
HOSTNAME# Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Mar 20 20:14:43 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntry

Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Removing peer from peer table failed, no match!
Mar 20 20:15:18 [IKEv1]: IP = x.x.x.x, Error: Unable to remove PeerTblEntr

From the ASA point of view, it has sent the first message to the Fortigate and is waiting for the Fortigate to respond back, and at this stage there is no reply from the Fortigate.

You can see that from the message: MM_WAIT_MSG2, that means MM_WAIT_MSG1 has been sent towards the Fortigate, however, there is no further reply after that.

I would check if there is any firewall/ACL, etc. that blocks UDP/500 between the ASA and Fortigate, and maybe more importantly, in the direction from the ASA towards the Fortigate.

Since Fortigate is able to initiate the VPN, that means UDP/500 in the direction of Fortigate towards ASA is not blocked.
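An added example, not from the thread or from Cisco: a small Python helper that reads the kind of "sho crypto isakmp sa" output posted above together with the crypto map lines, and turns an MM_WAIT_MSGn state into the explanation given in the reply (message n-1 was sent, message n never came back from the peer), flagging when NAT-T is disabled for that peer. The peer address and the config fragment are constructed sample data.

```python
import re

# Constructed sample, shaped like the "sho crypto isakmp sa" output in the thread.
SAMPLE_ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed config fragment with the NAT-T settings discussed in the thread.
SAMPLE_CONFIG = """\
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set nat-t-disable
no crypto isakmp nat-traversal
"""

def parse_isakmp_sa(text):
    """Return a list of {peer, role, state} dicts from show crypto isakmp sa output."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            sas.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first peer entry
        for key in ("Role", "State"):
            m = re.search(key + r"\s*:\s*(\S+)", line)
            if m:
                cur[key.lower()] = m.group(1)
    return sas

def nat_t_disabled_for(config, peer):
    """True if NAT-T is off globally or on the crypto map entry that points at peer."""
    if re.search(r"^no crypto isakmp nat-traversal\s*$", config, re.M):
        return True
    entries = {}
    for m in re.finditer(r"^crypto map (\S+) (\d+) set (.*)$", config, re.M):
        entries.setdefault((m.group(1), m.group(2)), []).append(m.group(3).strip())
    return any(f"peer {peer}" in s and "nat-t-disable" in s for s in entries.values())

def diagnose(sa, config):
    """Explain an IKEv1 main-mode state: in MM_WAIT_MSGn this side sent message n-1."""
    hints = []
    m = re.fullmatch(r"MM_WAIT_MSG(\d)", sa["state"])
    if m:
        n = int(m.group(1))
        hints.append(f"Main mode stalled: message {n - 1} sent, message {n} never arrived from {sa['peer']}.")
        if n == 2 and sa.get("role") == "initiator":
            hints.append("Peer sent nothing back: check UDP/500 toward the peer and the peer's ISAKMP config.")
    elif sa["state"] == "MM_ACTIVE":
        hints.append("Phase 1 is up; check show crypto ipsec sa for Phase 2.")
    if nat_t_disabled_for(config, sa["peer"]):
        hints.append("NAT-T is disabled for this peer: any NAT device in the path will break the tunnel.")
    return hints
```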

I had the person on site send me a picture of this new "cable modem" that COMCAST sent them, because she said she was going to bypass the ASA by plugging into one of the free ports on the cable modem...  as soon as she said that I knew we were not dealing with a regular old cable modem.  Turns out this SMC SMCD3G is a full on gateway with built in cable modem.  It has NAT, firewall, DHCP, a whole slew of things a regular cable modem wouldn't!

We were assured Comcast would send us just a cable modem, so frustrating!  So we are sending it back, to get a regular cable modem.

I think I know why the ASA to ASA tunnel works both ways, we had NAT-T enabled.  For the Fortigate it had NAT-T disabled.

I will let you all know once this gateway is replaced with a regular cable modem, I bet everything will work.

Did you end up resolving this issue?

Dear michaeldodd98,

If the message is MM_WAIT_MSG2, it means you have to check the opposite end firewall (no route towards your end firewall, or ISAKMP is down, or ISAKMP is not configured properly).

I have faced the same issue, then I troubleshot it & it's working fine.

I hope it will be helpful for all!!!
