VPN L2L tunnel up between ASA5505 and Sonicwall but no traffic

S Kumar, Level 1

We have a L2L VPN tunnel up between ASA5505 and Sonicwall but I can not ping across the tunnel. ICMP is allowed on both sides.

I have access to ASA5505 (8.32-k8) but I don't have access to the Sonicwall. I have various other L2L tunnels up and running, so the basic config and crypto map are configured correctly.

Local has also been NATted to a public IP (100.100.100.1); some VPN tunnels access it using the public IP and some VPN tunnels access it using the private IP.

I am able to see that encaps and decaps are happening. The other party is seeing my packets and confirmed that packets are being sent back.

I have bounced the tunnel, cleared ARP and XLATE, and I even reloaded the ASA5505, but no help.

Here is the config in concern:

object-group network objLocalHost
network-object host 192.168.220.251

object-group network objRemoteHost
network-object host 10.0.70.3

access-list acl_map_56 extended permit ip object-group objLocalHost object-group objRemoteHost


nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost unidirectional

object network objLocalHost
nat (inside,outside) static 100.100.100.1 dns


crypto map mymap 56 match address acl_map_56
crypto map mymap 56 set peer 200.200.200.200
crypto map mymap 56 set transform-set ESP-3DES-SHA

tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key *****

The ASA is sending ICMP requests but not seeing any reply:

asa5505# debug icmp trace 255
debug icmp trace enabled at level 255
ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13328 len=32
ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13584 len=32
ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13840 len=32

I do not see hitcnt increasing with a continuous ping on.

evlabfw# sh access-list acl_map_56
  access-list acl_map_56 line 1 extended permit ip host 192.168.220.251 host 10.0.70.3 (hitcnt=8)

isakmp detail shows that the tunnel is ACTIVE:

ASA5505# sh cry isakmp sa detail
IKE Peer: 200.200.200.200
Type    : L2L             Role    : initiator
Rekey   : no              State   : MM_ACTIVE
Encrypt : 3des            Hash    : SHA
Auth    : preshared       Lifetime: 86400
Lifetime Remaining: 71507

ipsec details show that packets are being encapsulated and decapsulated:

asa5505# sh cry ipsec sa peer 200.200.200.200 detail
peer address: 200.200.200.200
    Crypto map tag: mymap, seq num: 56, local addr: 100.100.100.100

      access-list acl_PiedMont extended permit ip host 192.168.220.251 host 10.0.70.3
      local ident (addr/mask/prot/port): (192.168.220.251/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.0.70.3/255.255.255.255/0/0)
      current_peer: 200.200.200.200

      #pkts encaps: 2284, #pkts encrypt: 2284, #pkts digest: 2284
      #pkts decaps: 2284, #pkts decrypt: 2284, #pkts verify: 2284
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2284, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DF580A74
      current inbound spi : 9E86360C

    inbound esp sas:
      spi: 0x9E86360C (2659595788)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8265728, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373865/16220)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDF580A74 (3747089012)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8265728, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373865/16220)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
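The post walks through the usual checks for a tunnel that is up but passes no traffic: crypto ACL hit counts, the ISAKMP state, the IPsec encaps/decaps counters and finally the syslog. The script below is an added example, not part of the original post or any Cisco tool: it parses the kind of output shown above (constructed samples that mirror the post's values) and reports which stage of the path is healthy, so the "decrypted but dropped after decryption" pattern stands out. The finding labels and the verdict strings are this example's own choices.

```python
"""Triage helper for an ASA L2L tunnel that is up but carries no end-to-end traffic.

Added example (not from the original post). Parses 'show crypto ipsec sa'
counters, a 'show access-list' line and syslog lines, and classifies them.
"""
import re

# Constructed sample, trimmed from the style of 'show crypto ipsec sa ... detail'.
IPSEC_SA_SAMPLE = """\
      #pkts encaps: 2284, #pkts encrypt: 2284, #pkts digest: 2284
      #pkts decaps: 2284, #pkts decrypt: 2284, #pkts verify: 2284
      #pkts decaps failed (rcv): 0
      #pkts replay failed (rcv): 0
"""

# Constructed sample of a crypto ACL line with its hit counter.
ACL_SAMPLE = ("access-list acl_map_56 line 1 extended permit ip "
              "host 192.168.220.251 host 10.0.70.3 (hitcnt=8)")

# Constructed syslog samples in the format the post shows.
SYSLOG_SAMPLE = [
    "Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, "
    "QM FSM error (P2 struct &0xca8042d0, mess id 0xed2afa71)!",
    "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp "
    "src outside:10.0.70.3 dst inside:192.168.220.251 (type 0, code 0) denied due to "
    "NAT reverse path failure",
]

# '#pkts <name>[ (rcv)| (send)]: <value>' pairs, several per line.
COUNTER_RE = re.compile(r"#pkts (?P<name>[a-z ]+?(?: \(rcv\)| \(send\))?): (?P<val>\d+)")


def parse_ipsec_counters(text):
    """Return {counter name: value} for every '#pkts ...' counter in the text."""
    return {m.group("name"): int(m.group("val")) for m in COUNTER_RE.finditer(text)}


def classify_syslog(line):
    """Map a syslog line to the stage of the path it points at."""
    if "%ASA-3-713902" in line and "QM FSM error" in line:
        return "phase2-negotiation"      # IKE phase 2 (quick mode) trouble
    if "NAT reverse path failure" in line:
        return "nat-asymmetry"           # packet decrypted, then dropped by NAT RPF check
    return "other"


def triage(ipsec_text, acl_line, syslog_lines):
    """Collect findings from the three sources; order is fixed so callers can compare."""
    counters = parse_ipsec_counters(ipsec_text)
    findings = []
    if counters.get("encaps", 0) > 0 and counters.get("decaps", 0) > 0:
        findings.append("ipsec-bidirectional")   # traffic is crossing the tunnel both ways
    if counters.get("decaps failed (rcv)", 0) or counters.get("replay failed (rcv)", 0):
        findings.append("ipsec-rx-errors")       # inbound ESP is being rejected
    m = re.search(r"hitcnt=(\d+)", acl_line)
    if m and int(m.group(1)) > 0:
        findings.append("crypto-acl-hit")        # interesting traffic matched the crypto ACL
    kinds = {classify_syslog(line) for line in syslog_lines}
    findings.extend(sorted(k for k in kinds if k != "other"))
    return findings


def verdict(findings):
    """One-line conclusion: where to look next."""
    if "ipsec-bidirectional" in findings and "nat-asymmetry" in findings:
        return "replies are decrypted but dropped by the NAT reverse-path check: review NAT rules for this VPN pair"
    if "ipsec-bidirectional" not in findings:
        return "traffic is not crossing the tunnel: check crypto ACL and peer proxy IDs"
    return "tunnel and NAT look fine: check interface ACLs and routing on both sides"


if __name__ == "__main__":
    found = triage(IPSEC_SA_SAMPLE, ACL_SAMPLE, SYSLOG_SAMPLE)
    print("findings:", found)
    print("verdict :", verdict(found))
```

The key signal is the combination: encaps and decaps counters both increasing means the peer really is answering and the ASA really is decrypting, so a missing ping reply has to be lost after decryption, which is exactly where the NAT reverse-path message points.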

2 Replies

S Kumar, Level 1

I see the following errors:

Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, QM FSM error (P2 struct &0xca8042d0, mess id 0xed2afa71)!

Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, Removing peer from correlator table failed, no match!

Jan 18 2014 07:46:29: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, QM FSM error (P2 struct &0xca8042d0, mess id 0x9e4dc491)!

Jan 18 2014 07:46:29: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, Removing peer from correlator table failed, no match!

I also see on the syslog server:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.0.70.3 dst inside:192.168.220.251 (type 0, code 0) denied due to NAT reverse path failure

After doing some research I tried removing the keyword "unidirectional" and it worked.

The following commands fixed the problem, in case someone else is wondering:

no nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost unidirectional

nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost
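Why dropping "unidirectional" fixes it: the ASA requires the NAT rule selected for the forward flow and the rule selected for the reverse (reply) flow to be the same, and a unidirectional rule is only ever considered for the forward direction. The script below is an added example, not from the original post or from Cisco; it is a deliberately simplified model of that lookup (rule order, interface matching and the reverse-lookup rule are the model's assumptions) using the two rules from the post. It also goes one step beyond the post by showing that the object NAT to 100.100.100.1 still serves a peer that reaches the host via the public address (the constructed peer 10.9.9.9).

```python
"""Simplified model of ASA NAT forward/reverse rule symmetry.

Added example (not from the original post or Cisco). Models the rule that the
forward and reverse flows of one connection must pick the same NAT rule;
a mismatch (a different rule, or no rule at all) is what the ASA reports as
'Asymmetric NAT rules matched ... denied due to NAT reverse path failure'.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str                 # interface the forward packet enters
    real_src: str               # inside host's real address
    mapped_src: str             # address it is translated to for this rule
    real_dst: Optional[str]     # twice NAT: specific destination; None: object NAT, any dest
    unidirectional: bool = False


# Rule order mirrors the post: section 1 (twice NAT) before section 2 (object NAT).
RULES: List[Rule] = [
    Rule("nat-inside-any-identity", "inside", "192.168.220.251", "192.168.220.251",
         "10.0.70.3", unidirectional=True),          # as originally configured
    Rule("object-nat-100.100.100.1", "inside", "192.168.220.251", "100.100.100.1", None),
]


def fixed_rules() -> List[Rule]:
    """The post's fix: same identity rule without the 'unidirectional' keyword."""
    return [replace(RULES[0], unidirectional=False)] + RULES[1:]


def forward_lookup(rules, in_if, src, dst) -> Optional[Rule]:
    """Inside host initiates: first rule matching real source (and real dest for twice NAT)."""
    for r in rules:
        if r.src_if == in_if and r.real_src == src and (r.real_dst is None or r.real_dst == dst):
            return r
    return None


def reverse_lookup(rules, src, dst) -> Optional[Rule]:
    """Reply arrives from outside addressed to the mapped address.

    Unidirectional rules are skipped: they only apply to the forward direction.
    """
    for r in rules:
        if r.unidirectional:
            continue
        if r.mapped_src == dst and (r.real_dst is None or r.real_dst == src):
            return r
    return None


def reply_allowed(rules, local, remote) -> bool:
    """True when the reply's NAT lookup lands on the same rule as the forward flow."""
    fwd = forward_lookup(rules, "inside", local, remote)
    if fwd is None:
        return False
    # The reply comes back addressed to whatever the forward flow was translated to.
    rev = reverse_lookup(rules, src=remote, dst=fwd.mapped_src)
    return rev == fwd


if __name__ == "__main__":
    host, vpn_peer_host, public_peer_host = "192.168.220.251", "10.0.70.3", "10.9.9.9"
    print("unidirectional identity NAT, reply from 10.0.70.3 allowed:",
          reply_allowed(RULES, host, vpn_peer_host))          # False: asymmetric
    print("bidirectional identity NAT, reply from 10.0.70.3 allowed:",
          reply_allowed(fixed_rules(), host, vpn_peer_host))  # True
    print("peer using the public IP (constructed 10.9.9.9), reply allowed:",
          reply_allowed(RULES, host, public_peer_host))       # True: object NAT both ways
```

With the keyword present, the forward ping selects the identity rule but the echo reply, addressed to 192.168.220.251, cannot select it on the way back and falls through to a different (or no) rule; without the keyword the same rule is eligible in both directions and the reply is untranslated consistently. Peers that talk to 100.100.100.1 never touch the identity rule, so the object NAT keeps working for them in both configurations.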
