VPN not initialising.. ASA 5505

bmcginn
Level 3

Hi all,

I've run into an issue and I'm hoping one (or more!) of you have seen this before.

I've configured an ASA5505 to be a LAN-to-LAN VPN tunnel endpoint, peering with a Linux box. The ASA is fully licensed so that side isn't an issue.

PROBLEM:

When the tunnel is initialised from the Linux box everything comes up okay except that the ASA isn't encapsulating any packets. It is decrypting the packets received from the Linux box okay, but no return traffic is being encrypted.

When the tunnel is initialised from the ASA, nothing happens.

After some troubleshooting I've found that neither the ACL defining interesting traffic nor the ACL defining NO_NAT is being hit at all.

ACL for NO_NAT:

access-list NO_NAT line 1 remark ACL USED TO DEFINE WHAT TRAFFIC NOT TO NAT OVER THE VPN
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0xc736d5fb
access-list NO_NAT line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0)

ACL for interesting traffic:

access-list LNX_IPSEC; 2 elements; name hash: 0xda433bf
access-list LNX_IPSEC line 1 remark ACL USED TO DEFINE WHAT TRAFFIC TO ENCRYPT
access-list LNX_IPSEC line 2 extended permit ip host PAMS_SERVER object-group LINUX-BOXES 0x49989fbd
access-list LNX_IPSEC line 2 extended permit ip host PAMS_SERVER 10.11.228.0 255.255.255.0 (hitcnt=0) 0x6f1aad85
access-list LNX_IPSEC line 3 extended permit ip host 10.1.85.156 object-group LINUX-BOXES 0x034eece3
access-list LNX_IPSEC line 3 extended permit ip host 10.1.85.156 10.11.228.0 255.255.255.0 (hitcnt=0) 0xc3b2fc0b

I've checked with the administrator of the Linux box and the definition for interesting traffic is exactly the same (except in reverse, as should be the case).

The firewall is doing other things like NATs and such too, but those NATs have nothing to do with this VPN. The setup is a LAN-to-LAN connection with no NAT in between.

The main parts of the config are attached; I've deleted things that should have a bearing on this, however if you think it necessary I can sanitise the config and re-post. I think it will be working fine as long as the traffic hits those ACLs, however it isn't and I'm unsure why.

At this time I'm not seeing anything at all when doing a debug cry ipsec or debug cry isa. The ACLs aren't being hit, so I'm guessing it's not even trying to form the VPN as it can't see any traffic that constitutes being 'interesting'.

Has anyone seen this issue before or does anyone have any tips I might be able to use to get it working?

Thanks in advance for any help

Brad

4 Replies

Jennifer Halim
Cisco Employee
(Accepted Solution)

How are those hosts (PAMS_SERVER and 10.1.85.156) being routed? You have not included the routing in the sanitized configuration and I am wondering if the routing is correct.

Hi Jennifer, routing was the key, specifically the route mentioned below by rizwanr74.

Thanks!

rizwanr74
Level 7
(Accepted Solution)

Hi Brad,

Please add a static-route on your ASA as shown below.

route OTHER_INT 10.11.228.0 255.255.255.0 192.168.100.X    <<<<<< X = the IP address of the peering device on the other side.

Please let me know, if this helps.

thanks

Rizwan Rafeek

Hi Rizwanr74,

That was it, thanks for the reply and the help!

Brad
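Jennifer's question and Rizwan's fix turned into a check you can run offline, as an added example that is not part of the original thread: it applies longest-prefix routing to each crypto-ACL destination and flags any entry whose egress interface is not the one carrying the crypto map, which is exactly why such an entry stays at hitcnt=0 and produces no ISAKMP/IPsec debug output. The route table, the interface names (`OTHER_INT` is taken to be the crypto-map interface), the summary route that hides the remote subnet and the peer address 192.168.100.2 are assumptions; the two crypto-ACL lines are copied from Brad's output above.

```python
"""Routing check for an ASA LAN-to-LAN crypto ACL that shows hitcnt=0.

Added example, not from the original thread. It reproduces the thread's
diagnosis (a crypto ACL that is never hit because the remote subnet is not
routed out of the interface that carries the crypto map) on a small,
constructed static-route table. Interface names, the 10.0.0.0/8 summary
route and the peer address 192.168.100.2 are assumptions; 10.1.85.156,
10.11.228.0/24 and the ACL name LNX_IPSEC come from the thread.
"""
import ipaddress
import re

# Interface the crypto map is applied to. "OTHER_INT" is the placeholder
# used in the thread's suggested route; assumed here to be that interface.
CRYPTO_MAP_INTERFACE = "OTHER_INT"

# Constructed "before" table in ASA `route <iface> <net> <mask> <gw> [metric]`
# syntax. The 10.0.0.0/8 summary route towards the inside is an assumption
# that sends the remote subnet out of the wrong interface.
ROUTES_BEFORE = """
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 192.168.1.254 1
"""

# "After" table: the static route suggested in the thread, with the peer
# address 192.168.100.2 assumed in place of 192.168.100.X.
ROUTES_AFTER = ROUTES_BEFORE + "route OTHER_INT 10.11.228.0 255.255.255.0 192.168.100.2 1\n"

# Crypto ACL lines copied from the thread (object-group line plus its expansion).
CRYPTO_ACL = """
access-list LNX_IPSEC line 3 extended permit ip host 10.1.85.156 object-group LINUX-BOXES 0x034eece3
access-list LNX_IPSEC line 3 extended permit ip host 10.1.85.156 10.11.228.0 255.255.255.0 (hitcnt=0) 0xc3b2fc0b
"""

ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?$")
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+permit\s+\S+\s+(.+)$")


def parse_routes(text):
    """Return [(network, interface, gateway, metric)] from `route` lines."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        iface, net, mask, gw, metric = m.groups()
        routes.append((ipaddress.ip_network(f"{net}/{mask}", strict=False),
                       iface, gw, int(metric or 1)))
    return routes


def _parse_addr(tokens):
    """Consume one ACL address spec (any | host A | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(text, name):
    """Return [(src_network, dst_network)] for the named ACL.

    Lines that still reference an object-group are skipped: the ASA prints
    the expanded host/subnet lines beneath them, as in the thread's output.
    """
    entries = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        tokens = m.group(2).split()
        if "object-group" in tokens:
            continue
        src, rest = _parse_addr(tokens)
        dst, _ = _parse_addr(rest)
        entries.append((src, dst))
    return entries


def egress_interface(routes, address):
    """Longest-prefix match (lowest metric breaks ties); None if no route."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, iface, _gw, metric in routes:
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def check_crypto_acl(routes, entries, crypto_map_iface):
    """Return [(src, dst, egress_iface, ok)] for each crypto ACL entry.

    A crypto ACL is only consulted for traffic leaving the interface the
    crypto map is bound to, so a destination routed out of any other
    interface never matches: that is the hitcnt=0 symptom in the thread.
    """
    results = []
    for src, dst in entries:
        probe = dst.network_address if dst.prefixlen >= 31 else dst.network_address + 1
        egress = egress_interface(routes, probe)
        results.append((str(src), str(dst), egress, egress == crypto_map_iface))
    return results


if __name__ == "__main__":
    acl = parse_crypto_acl(CRYPTO_ACL, "LNX_IPSEC")
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        for src, dst, egress, ok in check_crypto_acl(parse_routes(table), acl, CRYPTO_MAP_INTERFACE):
            print(f"{label}: {src} -> {dst} egresses {egress}: "
                  f"{'OK' if ok else 'will never hit the crypto ACL'}")
```

On the ASA itself the same check is `show route` followed by a `packet-tracer input inside icmp 10.1.85.156 8 0 10.11.228.10`: if the route lookup picks an interface other than the one the crypto map is applied to, no crypto ACL entry will ever be hit and no ISAKMP negotiation will start, regardless of how well the ACL and the peer's definition mirror each other.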
