VPN connectivity stop intermittently

dabur10376004 · ‎10-29-2014

Hi, We have 3-4 location which are given below. 1. HO = LAN Segment 172.26.4.0/22 & 172.26.150.0 2. Jabel Ali at Dubai LAN Segment 10.120.1.0/24 3. RAK at Dubai LAN Segment 10.110.1.0/24 4. US  LAN Segment 10.120.8.0/23 & 192.168.0.0/24 HO end Cisco ASA 5515X ios ver 8.6(1)2 Jabel Ali end Cisco ASA 5510 ios ver 7.0(8) RAK end Cisco ASA 5510 ios ver 8.0(2) US end Cisco ASA 5512-x ios ver 9.1(2) HO is central site/HUB site & all other location is connected as a spoke location. All locations are connected to HO via Site to site VPN over internet. We are able to ping from Jabel ali to RAK via HO We are able to ping from Jabel ali to egypt via HO We are able to ping from Jabel ali to US via HO Also able to ping following HO to Jabel Ali, HO to RAK, & HO to US. Problem: Some times we are not able to ping from Jabel ali to RAK via HO or from Jabel ali to US via HO means ping is not working between 10.120.1.1 to 10.110.1.1 or 10.120.1.1 to 10.120.8.1/192.168.0.1 but HO to Jabel ali & HO to RAK & HO to US is working on same time. For resolving to these issue, we run packet-tracer on HO end ASA then communication starts between Jabel ali to RAK or jabel ali to US. packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80 Packet tracer log is attached Kindly suggest to resolve the issue. Please find the packet tracer output: RELIANCE-ASA# packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80 Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 3 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: <--- More ---> Phase: 4 Type: IDS Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static obj-10.120.1.0 obj-10.120.1.0 destination static obj-10.110.1.0 obj-10.110.1.0 no-proxy-arp route-lookup Additional Information: Static translate 10.120.1.10/80 to 10.120.1.10/80 Phase: 6 Type: VPN Subtype: encrypt Result: DROP Config: Additional Information: Result: input-interface: inside input-status: up input-line-status: up output-interface: outside output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule RELIANCE-ASA# RELIANCE-ASA# packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80 Phase: 1 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list Phase: 2 Type: ROUTE-LOOKUP Subtype: input Result: ALLOW Config: Additional Information: in 0.0.0.0 0.0.0.0 outside Phase: 3 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 4 Type: IDS Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (inside,outside) source static obj-10.120.1.0 obj-10.120.1.0 destination static obj-10.110.1.0 obj-10.110.1.0 no-proxy-arp route-lookup Additional Information: Static translate 10.120.1.10/80 to 10.120.1.10/80 Phase: 6 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Phase: 7 <--- More ---> Type: VPN Subtype: ipsec-tunnel-flow Result: ALLOW Config: Additional Information: Phase: 8 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 9 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 429362154, packet dispatched to next module Result: input-interface: inside input-status: up <--- More ---> input-line-status: up output-interface: outside output-status: up output-line-status: up Action: allow RELIANCE-ASA# RELIANCE-ASA#

dabur10376004 · ‎10-30-2014

kindly helpus to resolve the issue.

Aref Alsouqi · ‎10-30-2014

Hi Dabur,

If you can, please post your "sh run cry" and "sh run access-l" of the crypto map for review.

Regards,

Aref