VPN - IPSec connectivity issues

BHconsultants88
Level 1

Hi friends, I hope someone can help with this, it's driving me up the wall.

Here's a summary:

Site A - 10.20.4.0 /24 - has a working VPN tunnel to Cisco ASA
Site B - 192.168.142.0 /24 - has a working VPN tunnel to same Cisco ASA

Site A can ping Site B through both tunnels via the Cisco ASA
Site B can ping the Cisco ASA VPN endpoint but not Site A - I believe I have a hairpinning issue

It appears as though traffic is leaving Site B, hitting the outside interface of the ASA then getting lost in a black hole somewhere. It points to an ACL issue but I cannot see any issues in the rules. I've attached the full ASA config and packet tracer results. Both tunnels are up so I know the VPN config is fine.

I would be hugely grateful if someone could spot something that I've obviously missed.

Many thanks in advance.

7 Replies

Hi,
If I'm not mistaken those subnets are:

object-group network Calverton-remote
network-object 10.20.4.0 255.255.255.0

object-group network formac-remote
network-object 192.168.142.0 255.255.255.0

You don't appear to have a no-NAT rule between those networks defined, as you do for other remote sites. I can't tell from the packet-tracer output, but you are probably NATting the traffic. Could you define the no-NAT rule and try again? If that doesn't work, can you run packet-tracer from the CLI and upload the full output?

HTH

Hi RJI

Yes you're correct about the subnets.

Would you mind highlighting the no NAT rule you're referring to for the other remote sites please?

Many thanks

B

Hi,
This is from your existing configuration:-
"nat (outside,outside) source static formac-remote formac-remote destination static Sherwood-remote Sherwood-remote"

You'll need a similar nat entry using the calverton and formac objects (the ones I referenced above).

HTH

Ok thanks for clarifying.

So to confirm, here are the current nat outside rules:

nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
nat (outside,outside) source static formac-remote formac-remote destination static DIGI_VPN_SITES DIGI_VPN_SITES
nat (outside,outside) source static formac-remote formac-remote destination static Sherwood-remote Sherwood-remote
nat (outside,outside) source dynamic Bevercotes-remote interface destination static obj-any_20 obj-any_20
nat (outside,outside) source dynamic Calverton-remote interface destination static obj-any_10 obj-any_10

The Calverton subnet is also included in the DIGI_VPN_SITES group. Would this rule be sufficient or should the object name only contain one subnet?

object-group network DIGI_VPN_SITES
network-object 10.20.3.0 255.255.255.0
network-object 10.20.4.0 255.255.255.0
network-object 10.20.12.0 255.255.255.0
network-object 10.20.5.0 255.255.255.0

object-group network formac-remote
network-object 192.168.142.0 255.255.255.0

object-group network Calverton-remote
network-object 10.20.4.0 255.255.255.0

Here are the packet tracer results:

 

vpn# packet-tracer input outside icmp 192.168.142.25 0 0 10.20.4.10

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
Additional Information:
NAT divert to egress interface outside
Untranslate 10.20.4.10/0 to 10.20.4.10/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group incoming-outside in interface outside
access-list incoming-outside extended permit icmp any any
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
Additional Information:
Static translate 192.168.142.25/0 to 192.168.142.25/0

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
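Whether a multi-member object-group such as DIGI_VPN_SITES is enough for the identity NAT rule can be checked by matching the flow against the posted object-groups and nat (outside,outside) lines. The Python below is an added example, not code from the thread or from Cisco: it models only first-match identity twice-NAT on group membership (not the ASA's full NAT engine) and embeds the config lines quoted above as its input, which shows that the existing formac-remote to DIGI_VPN_SITES rule already covers 192.168.142.25 to 10.20.4.10 without splitting the group.

```python
import ipaddress
import re

# Object-groups and identity twice-NAT rules copied from the thread's posted ASA config.
ASA_CONFIG = """\
object-group network DIGI_VPN_SITES
 network-object 10.20.3.0 255.255.255.0
 network-object 10.20.4.0 255.255.255.0
 network-object 10.20.12.0 255.255.255.0
 network-object 10.20.5.0 255.255.255.0
object-group network formac-remote
 network-object 192.168.142.0 255.255.255.0
nat (outside,outside) source static DIGI_VPN_SITES DIGI_VPN_SITES destination static formac-remote formac-remote
nat (outside,outside) source static formac-remote formac-remote destination static DIGI_VPN_SITES DIGI_VPN_SITES
nat (outside,outside) source static formac-remote formac-remote destination static Sherwood-remote Sherwood-remote
"""

NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def parse_groups(cfg):
    """Map each object-group name to the networks its network-object members define."""
    groups, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith("object-group network "):
            current = line.split()[-1]
            groups[current] = []
        elif line.startswith("network-object ") and current is not None:
            _, addr, mask = line.split()
            groups[current].append(ipaddress.ip_network(f"{addr}/{mask}"))
    return groups

def identity_nat_rules(cfg):
    """(in_if, out_if, src_group, dst_group) for each static twice-NAT rule mapping objects to themselves."""
    rules = []
    for in_if, out_if, s_real, s_map, d_real, d_map in NAT_RE.findall(cfg):
        if s_real == s_map and d_real == d_map:  # identity NAT: matched, but not translated
            rules.append((in_if, out_if, s_real, d_real))
    return rules

def covering_rule(cfg, src_ip, dst_ip, in_if="outside", out_if="outside"):
    """First identity rule (configured order) whose groups contain src and dst, else None; an undefined group has no members."""
    groups = parse_groups(cfg)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in identity_nat_rules(cfg):
        src_ok = any(src in net for net in groups.get(rule[2], []))
        dst_ok = any(dst in net for net in groups.get(rule[3], []))
        if rule[:2] == (in_if, out_if) and src_ok and dst_ok:
            return rule
    return None
```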

Hi,
Please check your ACL configuration. Your packet is getting dropped at the VPN interesting-traffic ACL.

Regards,
Deepak Kumar
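The phase that drops the packet, and the ASA's stated drop reason, can be pulled out of packet-tracer output mechanically, which helps when comparing several traces before and after a config change. The parser below is an added example, not code from the thread or from Cisco; it runs over an abridged copy of the trace quoted above (constructed from that post) and reports the first DROP phase, here Phase 8, VPN/ipsec-tunnel-flow, with reason acl-drop.

```python
import re

# Abridged packet-tracer output copied from the thread (phases 4 and 8 plus the final Result block).
PACKET_TRACER_OUTPUT = """Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group incoming-outside in interface outside
access-list incoming-outside extended permit icmp any any
Additional Information:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason|input-interface|output-interface): ?(.*)$")

def parse_phases(text):
    """Split packet-tracer output into a list of per-phase dicts and the trailing Result summary dict."""
    phases, summary, cur, in_config = [], {}, None, False
    for line in map(str.rstrip, text.splitlines()):
        if line.startswith("Phase:"):                 # header of a new phase
            cur, in_config = {"phase": int(line.split(":")[1]), "config": []}, False
            phases.append(cur)
        elif line == "Result:":                       # final summary block has no value after the colon
            cur, in_config = summary, False
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1).lower()] = m.group(2).strip()
        elif line.endswith(":"):                      # "Config:" / "Additional Information:" labels
            in_config = line == "Config:"
        elif line and in_config:                      # rule lines that the phase matched
            cur["config"].append(line)
    return phases, summary

def first_drop(text):
    """(phase number, type, subtype, drop-reason) of the first phase whose Result is DROP, else None."""
    phases, summary = parse_phases(text)
    for p in phases:
        if p.get("result") == "DROP":
            return p["phase"], p.get("type", ""), p.get("subtype", ""), summary.get("drop-reason", "")
    return None
```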

Thank you so much for the replies.

Unfortunately, I don't have full access on the ASA so I can't run certain commands. I will run the debugger and send pings in the morning and will feed back the results. The same applies to the 'show nat detail' command.

To confirm, yes I am pinging from the main ASA. I'm unable to specify a source, again perhaps due to my restricted permissions, but will attempt this tomorrow morning. I've also posted the output of the 'show access-list Formac' and 'show crypto ipsec sa peer 35.176.80.84' commands.

 

vpn# ping 10.20.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.20.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 50/56/60 ms
vpn# ping 10.20.4.1 ?

  data      specify data pattern
  repeat    specify repeat count
  size      specify datagram size
  timeout   specify timeout interval
  validate  validate reply data
  <cr>

vpn# ping 192.168.142.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.142.25, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
vpn# ping 192.168.142.25 ?

  data      specify data pattern
  repeat    specify repeat count
  size      specify datagram size
  timeout   specify timeout interval
  validate  validate reply data
  <cr>

=========================================================================================================================

vpn# show access-list Formac
access-list Formac; 12 elements; name hash: 0x3a4a345c
access-list Formac line 1 extended permit ip object-group formac-local object-group formac-remote (hitcnt=694216) 0xf004809a
  access-list Formac line 1 extended permit ip 10.99.206.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=143867) 0x67f78194
  access-list Formac line 1 extended permit ip 10.99.240.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x9e342d38
  access-list Formac line 1 extended permit ip 10.99.241.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=154897) 0x3a5d8483
  access-list Formac line 1 extended permit ip 10.99.242.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=51) 0x1f2df50c
  access-list Formac line 1 extended permit ip 10.99.243.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x3089d4fd
  access-list Formac line 1 extended permit ip 10.1.0.0 255.255.0.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x973f8be3
  access-list Formac line 1 extended permit ip 10.2.0.0 255.255.0.0 192.168.142.0 255.255.255.0 (hitcnt=0) 0x890ab788
  access-list Formac line 1 extended permit ip 10.20.3.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=336) 0xb263d1ad
  access-list Formac line 1 extended permit ip 10.20.4.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=394454) 0x6d3eca4e
  access-list Formac line 1 extended permit ip 10.20.12.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=336) 0x6b37dd12
  access-list Formac line 1 extended permit ip 10.20.5.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=382) 0x77ea7571
access-list Formac line 2 extended permit ip any4 object-group formac-remote (hitcnt=184) 0x4661225b
  access-list Formac line 2 extended permit ip any4 192.168.142.0 255.255.255.0 (hitcnt=184) 0xc9b1302e

=========================================================================================================================

 

vpn# show crypto ipsec sa peer 35.176.80.84
peer address: 35.176.80.84
   Crypto map tag: external-vpns, seq num: 600, local addr: 195.12.22.33

      access-list Formac extended permit ip any 192.168.142.0 255.255.255.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.142.0/255.255.255.0/0/0)
      current_peer: 35.176.80.84

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 202708, #pkts decrypt: 202708, #pkts verify: 202708
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 195.12.22.33/4500, remote crypto endpt.: 35.176.80.84/4500
      path mtu 1500, ipsec overhead 82(52), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 2F61A8A2
      current inbound spi : E53C5820

    inbound esp sas:
      spi: 0xE53C5820 (3845937184)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 221884416, crypto-map: external-vpns
         sa timing: remaining key lifetime (kB/sec): (4373827/2522)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x2F61A8A2 (794929314)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel,  NAT-T-Encaps, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 221884416, crypto-map: external-vpns
         sa timing: remaining key lifetime (kB/sec): (4374000/2522)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

=========================================================================================================================

 

I agree with your suggestion and will remove that second ACL for formac. With regards to the formac-local and formac-remote ACLs, I inherited this configuration so I'm not fully certain of the reasons behind some of it, but it seems a bit convoluted. There's also another group called 'DIGI_VPN_SITES'. This also contains Site A 10.20.4.0 /24 and allows access to formac-remote.

I'll send further results tomorrow.

Thanks

B