VPN not getting established

rajitoor55
Level 1

Hi, I want to establish a site-to-site VPN between an ASA and VMware vCloud, which is not getting established. Below are some outputs.

I don't know what is happening here; debug crypto isakmp does not show anything either. I have tried to generate traffic as well.

6 Jul 31 2015 10:35:11 302013 10.16.40.66 54508 192.168.0.6 80 Built outbound TCP connection 244154730 for outside:192.168.0.6/80 (192.168.0.6/80) to inside:10.16.40.66/54508 (X.X.X.135/54508)


Traffic from inside is NAT'd to x.x.x.135, while the actual interface IP and the VPN configuration use x.x.x.131.

FW/act# packet-tracer input inside tcp 10.0.0.8 www 192.168.0.6 www d$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff31ad44b0, priority=13, domain=capture, deny=false
        hits=964706265, user_data=0x7fff31766230, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2e6d45a0, priority=1, domain=permit, deny=false
        hits=8338632634, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.6/80 to 192.168.0.6/80

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any object CLOUD-PRIVATE
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff39078980, priority=13, domain=permit, deny=false
        hits=175, user_data=0x7fff26dcfc00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
Static translate 10.0.0.8/80 to 10.0.0.8/80
 Forward Flow based lookup yields rule:
 in  id=0x7fff328bd9b0, priority=6, domain=nat, deny=false
        hits=2, user_data=0x7fff355ed5b0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=net-10.0.0.0-8, mask=255.0.0.0, port=0, tag=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2e110fc0, priority=1, domain=nat-per-session, deny=true
        hits=419704229, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2e6dd570, priority=0, domain=inspect-ip-options, deny=true
        hits=268406753, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 9
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff319b5bc0, priority=21, domain=lu, deny=true
        hits=68917269, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 10
Type: QOS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2ebbab30, priority=72, domain=qos-per-class, deny=false
        hits=249826386, user_data=0x7fff2ebba6a0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff3313de60, priority=70, domain=encrypt, deny=false
        hits=3, user_data=0x0, cs_id=0x7fff374f4650, reverse, flags=0x0, protocol=0
        src ip/id=net-10.0.0.0-8, mask=255.0.0.0, port=0, tag=0
        dst ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


FW/act# packet-tracer input inside rawip 10.0.0.100 6 192.168.0.10 de$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff31ad44b0, priority=13, domain=capture, deny=false
        hits=966923113, user_data=0x7fff31766230, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2e6d45a0, priority=1, domain=permit, deny=false
        hits=8339741044, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.0.0     255.255.255.0   outside

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.10/0 to 192.168.0.10/0

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2e6e0500, priority=500, domain=permit, deny=true
        hits=0, user_data=0x7, cs_id=0x0, reverse, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=inside, output_ifc=any

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
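The two traces above end in "Action: drop" but for different reasons, and the useful information is spread over a dozen phases. The following is an added example, not part of the original post, that parses ASA packet-tracer output of the shape shown above into phases, reports the phase that returned DROP, and pulls out the NAT statements so the translated addresses can be compared against the crypto ACL. The embedded trace is a constructed, abbreviated copy of the first trace in the post; rule ids and hit counts are illustrative only.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of the ASA "packet-tracer" output quoted in
# the post (abbreviated to four phases; ids and hit counts are illustrative).
SAMPLE_TRACE = """\
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff31ad44b0, priority=13, domain=capture, deny=false

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.0.0.0_8 NETWORK_OBJ_10.0.0.0_8 destination static CLOUD-PRIVATE CLOUD-PRIVATE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.0.6/80 to 192.168.0.6/80

Phase: 4
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff3313de60, priority=70, domain=encrypt, deny=false

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_HEADER = re.compile(r"^Phase:\s*(\d+)\s*$")
FIELD = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split packet-tracer output into its phases and the trailing Result block."""
    phases: List[Dict[str, object]] = []
    final: Dict[str, str] = {}
    current: Optional[Dict[str, object]] = None
    section: Optional[str] = None  # "config", "info" or "final"
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PHASE_HEADER.match(line)
        if m:
            current = {"phase": int(m.group(1)), "type": "", "subtype": "",
                       "result": "", "config": [], "info": []}
            phases.append(current)
            section = None
            continue
        if line == "Result:":            # bare "Result:" starts the summary block
            current = None
            section = "final"
            continue
        if section == "final":
            if ":" in line:
                key, val = line.split(":", 1)
                final[key.strip()] = val.strip()
            continue
        if current is None:
            continue
        m = FIELD.match(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "Config":
                section = "config"
            elif key == "Additional Information":
                section = "info"
            else:
                current[key.lower()] = val
            continue
        if section and line:             # continuation lines of Config / Additional Information
            current[section].append(line.strip())
    return {"phases": phases, "final": final}


def summarize(text: str) -> Dict[str, object]:
    """Final action, drop reason, the phase that dropped, and every NAT rule the flow hit."""
    parsed = parse_packet_tracer(text)
    drop = next((p for p in parsed["phases"] if p["result"] == "DROP"), None)
    return {
        "action": parsed["final"].get("Action"),
        "drop_reason": parsed["final"].get("Drop-reason"),
        "dropped_at": None if drop is None else f"{drop['phase']}:{drop['type']}/{drop['subtype']}",
        "nat_rules": [c for p in parsed["phases"] if p["type"] in ("NAT", "UN-NAT")
                      for c in p["config"] if c.startswith("nat ")],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Run against a full trace pasted into SAMPLE_TRACE, the output names the dropping phase (here 4:VPN/encrypt) next to the drop reason, which is the first thing to line up against the crypto ACL and the NAT statement that applied.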

Hitesh Vinzoda
Level 4

Have you checked your crypto ACLs?


Thanks

Hitesh

This is how the configuration looks:


object-group network group.internal-servers
 network-object object nt-network
object network nt-network
 subnet 10.220.0.0 255.255.255.0

object-group network group.external-servers
 network-object object VPN-network
object network VPN-network
 subnet 172.27.222.0 255.255.255.0

object network PRIVATE
 subnet 192.168.0.0 255.255.255.0

ACLs

access-list outside_cryptomap extended permit ip object-group group.internal-servers object-group group.external-servers
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object PRIVATE


Crypto Map

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Y.Y.Y.66
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set security-association lifetime seconds 86400
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer X.X.X.40
crypto map outside_map 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set security-association lifetime seconds 86400
crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set peer vpn-book-cci
crypto map outside_map 20 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 60 match address outside_60_cryptomap
crypto map outside_map 60 set peer se-vpn-ssc
crypto map outside_map 60 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 60 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside

It is x.x.x.40 that is failing.
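The crypto map is evaluated in sequence order and the first entry whose match ACL permits the flow decides the peer, so the question "which entry and which peer does 10.0.0.8 -> 192.168.0.6 hit?" is worth answering mechanically before reading debug output. The following is an added example, not part of the original post or any Cisco tooling: it parses the objects, object-groups, extended ACLs and crypto map entries copied from the configuration above (the outside_20 and outside_60 ACLs and the dynamic entry are not shown in the post and are omitted), resolves object references even when the object is defined after the group that uses it, as in the post, and reports the lowest-sequence entry whose ACL permits a given source/destination pair.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Copied from the configuration in the post above; entries whose ACLs are not
# shown there are left out. Peer addresses are the post's own placeholders.
ASA_CONFIG = """\
object-group network group.internal-servers
 network-object object nt-network
object network nt-network
 subnet 10.220.0.0 255.255.255.0
object-group network group.external-servers
 network-object object VPN-network
object network VPN-network
 subnet 172.27.222.0 255.255.255.0
object network PRIVATE
 subnet 192.168.0.0 255.255.255.0
access-list outside_cryptomap extended permit ip object-group group.internal-servers object-group group.external-servers
access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.0.0.0 object PRIVATE
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Y.Y.Y.66
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer X.X.X.40
"""

Net = ipaddress.IPv4Network
AclEntry = Tuple[str, str, List[str], List[str]]  # (action, protocol, src operand, dst operand)


def _operand(tokens: List[str], i: int) -> Tuple[List[str], int]:
    """Consume one ACL address operand at tokens[i]: any | host A | object O | object-group G | A MASK."""
    if tokens[i] in ("any", "any4"):
        return [tokens[i]], i + 1
    return tokens[i:i + 2], i + 2


class AsaConfig:
    def __init__(self, text: str) -> None:
        self.objects: Dict[str, Net] = {}
        self.groups: Dict[str, List[str]] = {}
        self.acls: Dict[str, List[AclEntry]] = {}
        self.crypto: Dict[int, Dict[str, str]] = {}   # sequence number -> {"acl": ..., "peer": ...}
        self._parse(text)

    def _parse(self, text: str) -> None:
        context: Optional[Tuple[str, str]] = None     # ("object"|"group", name) while inside a block
        for raw in text.splitlines():
            line = raw.rstrip()
            if not line:
                continue
            t = line.split()
            if line.startswith(" "):                  # indented line belongs to the current block
                if context and context[0] == "object" and t[0] == "subnet":
                    self.objects[context[1]] = Net(f"{t[1]}/{t[2]}")
                elif context and context[0] == "object" and t[0] == "host":
                    self.objects[context[1]] = Net(t[1] + "/32")
                elif context and context[0] == "group" and t[:2] == ["network-object", "object"]:
                    self.groups[context[1]].append(t[2])
                continue
            context = None
            if t[:2] == ["object", "network"]:
                context = ("object", t[2])
            elif t[:2] == ["object-group", "network"]:
                context = ("group", t[2])
                self.groups.setdefault(t[2], [])
            elif t[0] == "access-list" and t[2] == "extended":
                src, i = _operand(t, 5)               # access-list NAME extended ACTION PROTO SRC DST
                dst, _ = _operand(t, i)
                self.acls.setdefault(t[1], []).append((t[3], t[4], src, dst))
            elif t[:2] == ["crypto", "map"] and t[3].isdigit():
                entry = self.crypto.setdefault(int(t[3]), {})
                if t[4:6] == ["match", "address"]:
                    entry["acl"] = t[6]
                elif t[4:6] == ["set", "peer"]:
                    entry["peer"] = t[6]

    def networks(self, operand: List[str]) -> List[Net]:
        """Resolve an ACL operand to networks; object lookups happen here, so definition order is irrelevant."""
        kind = operand[0]
        if kind in ("any", "any4"):
            return [Net("0.0.0.0/0")]
        if kind == "host":
            return [Net(operand[1] + "/32")]
        if kind == "object":
            return [self.objects[operand[1]]]
        if kind == "object-group":
            return [self.objects[name] for name in self.groups[operand[1]]]
        return [Net(f"{operand[0]}/{operand[1]}")]   # bare "address mask" form

    def acl_permits(self, acl_name: str, src: str, dst: str) -> bool:
        """First matching ACE decides, as on the ASA; no match means deny."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for action, _proto, src_op, dst_op in self.acls.get(acl_name, []):
            if any(s in n for n in self.networks(src_op)) and any(d in n for n in self.networks(dst_op)):
                return action == "permit"
        return False

    def crypto_entry_for(self, src: str, dst: str) -> Optional[Tuple[int, str]]:
        """Lowest-sequence crypto map entry whose match ACL permits src -> dst, as (seq, peer)."""
        for seq in sorted(self.crypto):
            entry = self.crypto[seq]
            if "acl" in entry and self.acl_permits(entry["acl"], src, dst):
                return seq, entry.get("peer", "?")
        return None


if __name__ == "__main__":
    cfg = AsaConfig(ASA_CONFIG)
    for flow in [("10.0.0.8", "192.168.0.6"), ("10.220.0.5", "172.27.222.9"), ("172.16.1.1", "192.168.0.6")]:
        print(flow, "->", cfg.crypto_entry_for(*flow))
```

Feed it the real addresses the packet-tracer run used after NAT (the "Static translate" line), not the pre-NAT ones: the crypto ACL is applied to the addresses that leave the outside interface, which is why the post's note about traffic being translated to a different address than the one the VPN is configured for is worth checking against this output.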