01-23-2014 02:50 PM
I am having a VPN issue between an ASA and a Fortigate.
I believe that the issue is on the Fortigate side, but some things on the ASA give me pause.
In my configuration, traffic from the ASA (172.30.8.x) bound for 192.168.1.x or 192.168.2.x goes to the Fortigate via an IPsec VPN.
The inside network for the Fortigate is 192.168.1.x. It has a route to 192.168.2.x.
VPN traffic works as expected when communicating from 172.30.8.x to 192.168.1.x. No problems there. Traffic going to 192.168.2.x is dropped somewhere. I think this is a Fortigate issue, but I have a doubt because when I run packet-tracer the ASA reports a DROP via ACL, but I have no idea what ACL that is; perhaps it is implicit. I am including as much information as I have. Any help or suggestions are greatly appreciated.
Here is the relevant config. I have a remote access VPN to this network that also works fine; I included that information just in case it has some effect.
*********Config****************
name 192.168.1.0 remote-indiana-int
name 192.168.2.0 remote-ohio-int
name 19.51.34.99 remote-indiana-ext
name 172.30.8.0 remote-colo-int
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1.1
vlan 88
nameif vlan88
security-level 60
ip address 172.30.8.1 255.255.255.0
object-group network remote-internal
network-object remote-indiana-int 255.255.255.0
network-object remote-ohio-int 255.255.255.0
access-list outside_vlan88_cryptomap extended permit ip remote-colo-int 255.255.255.0 object-group remote-internal
access-list vlan88_nat0_outbound extended permit ip remote-colo-int 255.255.255.0 object-group remote-internal
access-list vlan88_nat0_outbound extended permit ip object-group remote-internal remote-colo-int 255.255.255.0
access-list vlan88_nat0_outbound extended permit ip remote-colo-int 255.255.255.0 172.30.8.96 255.255.255.248
access-list vlan88_tunnel_splitTunnelAcl standard permit remote-colo-int 255.255.255.0
ip local pool vlan88_pool 172.30.8.97-172.30.8.102 mask 255.255.255.248
nat (vlan88) 0 access-list vlan88_nat0_outbound
nat (vlan88) 1 remote-colo-int 255.255.255.0
crypto ipsec transform-set fortinet esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_vlan88_cryptomap
crypto map outside_map 1 set peer remote-indiana-ext
crypto map outside_map 1 set transform-set fortinet
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
group-policy vlan88_tunnel internal
group-policy vlan88_tunnel attributes
dns-server value 198.153.192.40 198.153.194.40
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vlan88_tunnel_splitTunnelAcl
default-domain value eimagesolutions.com
tunnel-group 19.51.34.99 type ipsec-l2l
tunnel-group 19.51.34.99 ipsec-attributes
pre-shared-key *****
**********Packet Trace**********************
5520-01# packet-tracer input vlan88 icmp 172.30.8.55 8 0 192.168.2.2
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip vlan88 remote-colo-int 255.255.255.0 outside remote-ohio-int 255.255.255.0
NAT exempt
translate_hits = 1, untranslate_hits = 0
Additional Information:
Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan88) 1 remote-colo-int 255.255.255.0
match ip vlan88 remote-colo-int 255.255.255.0 outside any
dynamic translation to pool 1 (200.200.200.200 [Interface PAT])
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (vlan88) 1 remote-colo-int 255.255.255.0
match ip vlan88 remote-colo-int 255.255.255.0 outside any
dynamic translation to pool 1 (200.200.200.200 [Interface PAT])
translate_hits = 3, untranslate_hits = 0
Additional Information:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: vlan88
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
**********Log****************
5|Jan 23 2014|14:35:26|713119|||||Group = 19.51.34.99, IP = 19.51.34.99, PHASE 1 COMPLETED
6|Jan 23 2014|14:35:26|113009|||||AAA retrieved default group policy (DfltGrpPolicy) for user = 19.51.34.99
6|Jan 23 2014|14:35:26|713172|||||Group = 19.51.34.99, IP = 19.51.34.99, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
4|Jan 23 2014|14:35:26|113019|||||Group = 19.51.34.99, Username = 19.51.34.99, IP = remote-indiana-ext, Session disconnected. Session Type: IKE, Duration: 0h:10m:33s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
5|Jan 23 2014|14:35:26|713259|||||Group = 19.51.34.99, IP = 19.51.34.99, Session is being torn down. Reason: Lost Service
3|Jan 23 2014|14:35:26|713902|||||Group = 19.51.34.99, IP = 19.51.34.99, Removing peer from correlator table failed, no match!
3|Jan 23 2014|14:35:26|713902|||||Group = 19.51.34.99, IP = 19.51.34.99, QM FSM error (P2 struct &0x6c372558, mess id 0x242c6faa)!
6|Jan 23 2014|14:34:54|302015|200.200.200.200|500|remote-indiana-ext|500|Built outbound UDP connection 71 for outside:remote-indiana-ext/500 (remote-indiana-ext/500) to identity:200.200.200.200/500 (200.200.200.200/500)
5|Jan 23 2014|14:34:54|713041|||||Group = 19.51.34.99, IP = 19.51.34.99, IKE Initiator: New Phase 2, Intf vlan75, IKE Peer 19.51.34.99 local Proxy Address 172.30.8.0, remote Proxy Address 192.168.2.0, Crypto map (outside_map)
*************FORTIGATE************************
config vpn ipsec phase1
edit "GW-FG-ASA"
set interface wan1
set dpd disable
set dhgrp 2
set proposal 3des-sha1
set keylife 86400
set remote-gw 200.200.200.200
set psksecret ENC ********
end
config vpn ipsec phase2
edit Tunnel-FG-ASA
set dhgrp 5
set keepalive enable
set phase1name GW-FG-ASA
set proposal 3des-sha1
set pfs disable
set replay disable
set keylife-type seconds
set keylifeseconds 86400
set src-addr-type subnet
set src-subnet 192.168.1.0 255.255.255.0
set dst-addr-type subnet
set dst-subnet 172.30.8.0 255.255.255.0
end
config firewall address
edit "LocalLAN"
set subnet 192.168.1.0 255.255.255.0
next
edit "colo_net"
set subnet 172.30.8.0 255.255.255.0
next
edit "ohio"
set subnet 192.168.2.0 255.255.255.0
end
config firewall policy
edit 1
set srcintf internal
set dstintf wan1
set srcaddr "LocalLAN" "ohio"
set dstaddr colo_net
set action ipsec
set inbound enable
set outbound enable
set natinbound disable
set natoutbound disable
set schedule always
set service ANY
set vpntunnel GW-FG-ASA
end
09-06-2016 08:47 PM
Hi guys,
I have faced a similar issue in the past and was able to find a solution for it.
I had an issue where I had 2 source subnets on the Fortigate end and one on the ASA end.
I created multiple Phase 2 entries on the Fortigate side for a single Phase 1. In the quick mode selector in the Phase 2 configuration I chose one source subnet (Fortigate side) and the destination subnet (ASA side), and another Phase 2 for the 2nd source subnet and the same destination.
On the ASA I created 2 different policies: access-list 10 with one source (ASA) and destination 1 (Fortigate),
and a 2nd policy, access-list 20, with one source (ASA) and destination 2 (Fortigate).
Then I added these 2 policies to a single crypto map, applied that to the interface, and the VPN worked successfully.
Since then I have deployed this at many other sites and it works perfectly.
So instead of using a single Phase 2, use multiple. And the same goes for the security policies on the ASA. Try it and let me know if it doesn't work.
Regards
Tanuj
04-22-2019 03:42 PM
I know this is old, but it helped me big time.
I had a VPN from an ASA 9.x to Fortigate 6.x
The ASA had a single subnet, and the Fortigate had 8 subnets.
I could connect to any subnet behind the fortigate fine, but the moment I tried to connect to a second one the first one stopped working.
Turns out all I needed to do was separate each subnet into a separate Phase 2 entry on the Fortigate. I did not need to make any ASA changes. All subnets work at the same time now.
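The replies above come down to proxy-ID (quick mode selector) matching: the ASA crypto ACL expands its object-group into one proposal per remote subnet, and each proposal needs a Fortigate phase2 selector that covers it. The following is an added example, not code from the thread or from either vendor; it models that check on the subnets from the original post and emits the FortiOS phase2 stanzas that are missing. It assumes a responder accepts a proposal that falls inside a configured selector (exact-match-only responders are stricter, so the "missing" result is a lower bound).

```python
import ipaddress

# Constructed from the thread: the ASA crypto ACL permits
# remote-colo-int -> object-group remote-internal, which expands to two
# (local, remote) proxy-ID pairs from the ASA's point of view.
ASA_CRYPTO_ACL = [
    ("172.30.8.0/24", "192.168.1.0/24"),
    ("172.30.8.0/24", "192.168.2.0/24"),
]

# Fortigate phase2 selectors as {name: (src-subnet, dst-subnet)}, seen from
# the Fortigate. The original post has only the 192.168.1.0/24 selector.
FORTIGATE_PHASE2_ORIGINAL = {
    "Tunnel-FG-ASA": ("192.168.1.0/24", "172.30.8.0/24"),
}


def unmatched_proxy_ids(asa_acl, fg_phase2):
    """Return the ASA (local, remote) pairs no Fortigate phase2 selector covers.

    The Fortigate selector is mirrored: its src must cover the ASA's remote
    network and its dst must cover the ASA's local network (assumption: a
    proposal inside a configured selector counts as matched).
    """
    unmatched = []
    for local, remote in asa_acl:
        asa_local = ipaddress.ip_network(local)
        asa_remote = ipaddress.ip_network(remote)
        covered = any(
            asa_remote.subnet_of(ipaddress.ip_network(fg_src))
            and asa_local.subnet_of(ipaddress.ip_network(fg_dst))
            for fg_src, fg_dst in fg_phase2.values()
        )
        if not covered:
            unmatched.append((local, remote))
    return unmatched


def missing_phase2_config(asa_acl, fg_phase2, phase1name="GW-FG-ASA"):
    """Build FortiOS 'config vpn ipsec phase2' stanzas for each unmatched pair.

    One phase2 per Fortigate-side subnet, as the replies recommend. Entry names
    are constructed for illustration.
    """
    lines = []
    for idx, (local, remote) in enumerate(unmatched_proxy_ids(asa_acl, fg_phase2), 1):
        fg_src = ipaddress.ip_network(remote)   # Fortigate-side subnet
        fg_dst = ipaddress.ip_network(local)    # ASA-side subnet
        lines += [
            f'    edit "Tunnel-FG-ASA-{idx}"',
            f"        set phase1name {phase1name}",
            f"        set src-subnet {fg_src.network_address} {fg_src.netmask}",
            f"        set dst-subnet {fg_dst.network_address} {fg_dst.netmask}",
            "    next",
        ]
    return "\n".join(["config vpn ipsec phase2", *lines, "end"]) if lines else ""
```

Run `unmatched_proxy_ids(ASA_CRYPTO_ACL, FORTIGATE_PHASE2_ORIGINAL)` to reproduce the thread's failure (only the 192.168.2.0/24 proposal is unmatched, which is the proposal the ASA log shows as "remote Proxy Address 192.168.2.0" right before the QM FSM error); after adding the generated stanza to the selector map, the function returns an empty list.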
09-06-2016 10:29 PM
As per packet tracer, the encrypt phase drops because Phase 2 of the VPN is not up, and as per the log below the remote end GW (in this case the Fortigate) does not have NAT-T enabled, while the ASA has it enabled by default, so you need to enable NAT-T on the Fortigate to resolve the issue.
6|Jan 23 2014|14:35:26|713172|||||Group = 19.51.34.99, IP = 19.51.34.99, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device