Unable to connect between remote site and remote access VPN

robin99
Level 1

I am having an issue with network connectivity between remote access (RA) VPN users and remote site VPN hosts.

Topology is:

RA VPN laptop (192.168.200.3 /24) ---- internet ---- Head Office (ASA5505) -- LAN subnet 10.0.0.0 /24

SiteB (10.0.10.0 /24) ---- internet ----- Head Office (ASA5505) ---- LAN subnet 10.0.0.0 /24

From the head office there is no issue communicating with the RA VPN and Site B hosts, but Site B hosts and RA VPN users cannot communicate with each other at all (ping fails too).

Site B is using a Cisco 867 router with an IPsec VPN to the ASA5505 at the head office. I have added the ACL on this router to access 192.168.200.x /24 for VPN traffic and exempt it from NAT. When I enabled 'drop log' in the class-map in the zone-based firewall config, I could not see any ping packet come in, so I believe the issue is in the ASA5505 config.

At the ASA5505 I use a split tunnel VPN ACL and have included the subnet 10.0.10.0/24 as well as 192.168.200.0 /24. This split tunnel ACL is applied to both the IPsec VPN tunnel and also the RA VPN group policy. The ASA is using software version 151-4.M5.

Does anyone know the solution, or has anyone encountered the same problem as me and is willing to share the fix?

Thanks

6 Replies

Andrew Phirsov
Level 7

Do you have same-security-traffic permit intra-interface enabled?

Does the crypto-map proxy ACL in the site-to-site VPN config on the ASA and the 867 include traffic between 192.168.200.0/24 and 10.0.0.0/24?

Is everything correct with routing (does site B know how to get to the addresses assigned to your RA VPN clients, etc.)?

Thanks for asking.

I do have these commands in the ASA5505:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

The crypto map ACL in the CISCO867:

access-list 100 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.10.0 0.0.0.255 192.168.200.0 0.0.0.255

The crypto ACL at the ASA5505:

access-list nonat extended permit ip object HO-subnet object SiteB-subnet
access-list nonat extended permit ip object SiteB-subnet object VPN_Subnets
access-list nonat extended permit ip object VPN_Subnets object SiteB-subnet
!
object network SiteB-subnet
 subnet 10.0.10.0 255.255.255.0
object network HO-subnet
 subnet 10.0.0.0 255.255.255.0
object network VPN_Subnets
 subnet 192.168.200.0 255.255.255.0
!

"Is everything correct with routing (does site B know how to get to the addresses assigned to your RA VPN clients, etc.)?"

On the RA client, I did "route print" and I can see the route to the Site B subnet is listed with the ASA5505 IP as the default gateway.

But on the CISCO867 the default route points to the Dialer1 interface (ADSL), without a specific route to the RA VPN subnet (192.168.200.0/24). Does this mean the problem is at Site B's routing to the RA VPN subnet?

I did a standard traceroute from the CISCO867 to the RA VPN subnet and it goes to the internet instead of the VPN tunnel, where it was eventually dropped.

When I did an extended traceroute on the Cisco867 using the source LAN interface IP to the RA VPN client, I got no reply at all.

Any idea how to move on? Thanks

Is there a NAT exception on the 867 for the corresponding VPN traffic?

Yes I have.

ip nat inside source route-map nonat interface Dialer1 overload

The route-map nonat uses ACL 101, and ACL 101 has deny entries for the local subnet to the VPN subnets.

robin99
Level 1

After I performed more testing I noticed the packet was logged in ASA ASDM as follows:

3|Feb 01 2013 21:27:01|713902: Group = 203.100.100.100, IP = 203.100.100.100, QM FSM error (P2 struct &0xcaaf0780, mess id 0x2992331)!

3|Feb 01 2013 21:27:01|713902: Group = 203.100.100.100, IP = 203.100.100.100, Removing peer from correlator table failed, no match!

IP 203.100.100.100 is the Site B WAN IP.

What does the above error message mean, and how do I prevent it?

Any idea? Thanks

Finally I managed to fix the problem by changing the crypto ACL at the ASA to be the exact reverse of the one on the 867 router. Thanks Andrew for trying to help; your input is much appreciated.
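The fix above comes down to the rule that the crypto (proxy) ACL on each end of a site-to-site IPsec tunnel must be the exact mirror of the other end, or Phase 2 fails with the QM FSM error seen in the ASDM log. The following script is an added example, not code from this thread or from Cisco: it parses the IOS wildcard-mask ACL form used on the 867 and the object-based form used on the ASA, normalises both into (source, destination) network pairs, and reports every entry that has no reversed twin on the other side. The 867 ACL is taken from the thread; the ASA ACL name `SiteB-crypto` and both ASA ACL variants (one mirrored, one with the 192.168.200.0/24 entry missing) are constructed for the demonstration.

```python
"""Check that two crypto (proxy) ACLs are exact mirrors of each other.

Added example (not from the thread). Parses an IOS wildcard-mask ACL and an
ASA object-based ACL, converts both to (src, dst) network pairs, and lists the
entries on either side whose reverse is missing on the other side.
"""
import ipaddress
import re

IOS_RE = re.compile(
    r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ASA_ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+object\s+(\S+)\s+object\s+(\S+)\s*$")


def wildcard_to_network(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4Network."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_ios_acl(text):
    """Return the set of (src, dst) networks from IOS-style 'permit ip' entries."""
    pairs = set()
    for line in text.splitlines():
        m = IOS_RE.match(line.strip())
        if m:
            src = wildcard_to_network(m.group(1), m.group(2))
            dst = wildcard_to_network(m.group(3), m.group(4))
            pairs.add((src, dst))
    return pairs


def parse_asa_acl(text):
    """Return the set of (src, dst) networks from ASA object-based entries.

    'object network X' / 'subnet A M' definitions are collected in a first pass
    so that ACEs may reference objects defined anywhere in the text.
    """
    objects = {}
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("object network "):
            current = s.split()[2]
        elif s.startswith("subnet ") and current:
            _, addr, mask = s.split()
            objects[current] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    pairs = set()
    for line in text.splitlines():
        m = ASA_ACE_RE.match(line.strip())
        if m:
            pairs.add((objects[m.group(1)], objects[m.group(2)]))
    return pairs


def mirror_mismatch(side_a, side_b):
    """Return (unmatched_on_a, unmatched_on_b) as 'src -> dst' strings.

    An entry (s, d) on one side is matched only if (d, s) exists on the other.
    Two empty lists mean the ACLs are exact mirrors.
    """
    mirrored_a = {(d, s) for s, d in side_a}
    mirrored_b = {(d, s) for s, d in side_b}
    fmt = lambda pairs: [f"{s} -> {d}" for s, d in
                         sorted(pairs, key=lambda p: (str(p[0]), str(p[1])))]
    return fmt(side_a - mirrored_b), fmt(side_b - mirrored_a)


# Crypto ACL on the 867, as posted in the thread.
IOS_867 = """
access-list 100 permit ip 10.0.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.0.10.0 0.0.0.255 192.168.200.0 0.0.0.255
"""

# Object definitions as posted; ACL name 'SiteB-crypto' is an assumption.
ASA_OBJECTS = """
object network SiteB-subnet
 subnet 10.0.10.0 255.255.255.0
object network HO-subnet
 subnet 10.0.0.0 255.255.255.0
object network VPN_Subnets
 subnet 192.168.200.0 255.255.255.0
"""

# Constructed: the exact reverse of the 867 ACL (what the final fix amounts to).
ASA_MIRRORED = ASA_OBJECTS + """
access-list SiteB-crypto extended permit ip object HO-subnet object SiteB-subnet
access-list SiteB-crypto extended permit ip object VPN_Subnets object SiteB-subnet
"""

# Constructed: an ASA ACL that forgets the RA VPN subnet, so Phase 2 for
# 10.0.10.0/24 <-> 192.168.200.0/24 can never negotiate.
ASA_INCOMPLETE = ASA_OBJECTS + """
access-list SiteB-crypto extended permit ip object HO-subnet object SiteB-subnet
"""

if __name__ == "__main__":
    router = parse_ios_acl(IOS_867)
    for label, asa_text in (("mirrored", ASA_MIRRORED), ("incomplete", ASA_INCOMPLETE)):
        on_867, on_asa = mirror_mismatch(router, parse_asa_acl(asa_text))
        print(f"[{label}] unmatched on 867: {on_867}; unmatched on ASA: {on_asa}")
```

Running the script reports no mismatches for the mirrored pair and flags `10.0.10.0/24 -> 192.168.200.0/24` as an 867 entry with no reverse on the incomplete ASA ACL, which is the kind of gap that produces the "QM FSM error" log the thread shows. The check is deliberately strict: overlapping but non-identical networks are reported as mismatches, because that is exactly what the peers disagree on during Phase 2.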