VPN Only 1 end Transmits

James Davies
Level 1

Hi,

I've been working on a site-to-site VPN issue for weeks now and I still cannot solve it; I would appreciate anyone's help (where is Keith Barker when you need him? ;)

Basically, a branch office on a 5505 has a VPN to the main office, a simple site-to-site tunnel, and it all works fine.

The main office has a new building with a new ASA 5515. I need to move the VPN connection to this new ASA.

I created the VPN; the tunnel comes up with no problem (ISAKMP all good).

However, only the branch office can be seen transmitting; it doesn't receive anything back. On the head office end, you can see it receives these packets but transmits nothing back. That leads me to believe the issue is on this new ASA.

Here is the output from show crypto ipsec sa from both:

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 14, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

I just don't know why it won't transmit; any help is appreciated.

Keys and crypto maps are all good; they have been double-checked. Using PFS with DH2.
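The two counter blocks in the post already tell a directional story: going by the description (the head office receives but transmits nothing), the block with encaps 0 / decaps 14 is the new head-end 5515 and the block with encaps 14 / decaps 0 is the branch 5505. Because the encaps counter only counts packets that matched the crypto ACL and were encrypted, a zero there while decaps climbs means the local box is never handing its cleartext to the crypto map, which is a NAT, routing or ACL problem on that box rather than anything the peer can fix. The Python below is an added example, not code from the thread: it parses both outputs and reports which side's pre-encryption path to inspect. The sample inputs are constructed from the counters posted; the check list is the editor's suggestion, not something the forum states.

```python
"""Triage a one-way IPsec tunnel from its `show crypto ipsec sa` counters.

Added example, not code from the thread: it parses the #pkts lines each
peer posted and says which side's pre-encryption path to look at.  The two
samples are constructed from the counters in the original post.
"""
import re

# Constructed sample: counters as seen on the new head-end ASA 5515.
HEAD_END_5515 = """
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
      #pkts compressed: 0, #pkts decompressed: 0
"""
# Constructed sample: the same SA as seen on the branch ASA 5505.
BRANCH_5505 = """
      #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt|digest|verify): (\d+)")


def parse_counters(text: str) -> dict[str, int]:
    """Return the #pkts counters from one peer's `show crypto ipsec sa` output."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    missing = {"encaps", "decaps"} - counters.keys()
    if missing:
        raise ValueError(f"counters {sorted(missing)} not found; is the IPsec SA up at all?")
    return counters


def diagnose(local: dict[str, int], remote: dict[str, int]) -> dict[str, object]:
    """Classify the tunnel from the point of view of `local`.

    encaps counts packets this box encrypted into the tunnel, decaps the
    packets it decrypted out of it.  A packet that never matches the crypto
    ACL (because a NAT rule rewrote its source first, or a route sent it
    elsewhere) is not counted anywhere here, so "encaps 0 while decaps > 0"
    points at this box's own pre-encryption path, not at the peer.
    """
    l_enc, l_dec = local["encaps"], local["decaps"]
    r_enc, r_dec = remote["encaps"], remote["decaps"]
    checks: list[str] = []
    if l_enc == 0 and l_dec > 0:
        verdict = "local-not-encrypting"
        checks += [
            "packet-tracer a host-to-host packet in from the inside interface: the NAT "
            "phase must be an identity translate and a 'VPN / encrypt' phase must appear",
            "show nat: the identity (nat-exempt) rule must sit above any dynamic PAT rule "
            "that also matches this traffic",
            "show route: the remote LAN must resolve to the interface carrying the crypto map",
        ]
    elif l_enc > 0 and l_dec == 0 and r_enc == 0:
        verdict = "remote-not-encrypting"
        checks.append("run the same checks on the peer, whose encaps counter is also zero")
    elif l_enc > 0 and l_dec == 0:
        verdict = "remote-sends-but-nothing-arrives"
        checks += ["capture ESP (or UDP/4500) on the outside interface",
                   "look for drops: capture <name> type asp-drop all, then show capture <name>"]
    elif l_enc == 0 and l_dec == 0:
        verdict = "no-interesting-traffic"
    else:
        verdict = "bidirectional"
    # Each side's encaps should roughly equal the other side's decaps; a gap
    # means packets are lost in transit or dropped on receipt.
    if r_enc != l_dec or l_enc != r_dec:
        checks.append(f"counter mismatch: local decaps={l_dec} vs remote encaps={r_enc}, "
                      f"local encaps={l_enc} vs remote decaps={r_dec}")
    return {"verdict": verdict, "checks": checks}


if __name__ == "__main__":
    head, branch = parse_counters(HEAD_END_5515), parse_counters(BRANCH_5505)
    for side, result in (("5515", diagnose(head, branch)), ("5505", diagnose(branch, head))):
        print(side, result["verdict"], *result["checks"], sep="\n  ")
```

Run against the thread's counters it returns local-not-encrypting for the 5515 and remote-not-encrypting for the 5505, i.e. both views point at the new head end, which is where the NAT ordering fault later turned out to be.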

1 Accepted Solution

13 Replies

Dinesh Moudgil
Cisco Employee

It has to be either a NAT or a routing issue.
1. Make sure that you have a route pointing to the outside interface for the subnet behind the remote ASA.
2. Check that the NAT exempt is configured correctly.

On the new ASA, where there are no encaps, run this command and share the output:
packet-tracer input inside icmp <local host ip> 8 0 <remote host ip> detailed

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

On the remote ASA there is a default route out for all traffic; do I need to specify a route just for this VPN traffic?

This is the NAT on the remote ASA; DM_INLINE_NETWORK_1 is the local network, Fields-Bridgend is the remote network.

nat (inside,Outside-Router) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static Fields-Bridgend Fields-Bridgend no-proxy-arp route-lookup

Result of the command: "packet-tracer input vlan5 icmp 172.17.10.1 8 0 192.168.7.1 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         internet

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group vlan5_access_in in interface vlan5
access-list vlan5_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29d721f0, priority=13, domain=permit, deny=false
    hits=132443, user_data=0x7fff2376e780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan5,internet) source dynamic obj_any interface
Additional Information:
Dynamic translate 172.17.10.1/0 to 81.128.141.106/64164
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a6fe5a0, priority=6, domain=nat, deny=false
    hits=624386, user_data=0x7fff2a6fbfe0, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=internet

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b81a90, priority=0, domain=nat-per-session, deny=true
    hits=246866, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a693050, priority=0, domain=inspect-ip-options, deny=true
    hits=634310, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a692980, priority=66, domain=inspect-icmp-error, deny=false
    hits=3363, user_data=0x7fff2a691ef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (vlan5,internet) source dynamic obj_any interface
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2a6ff0f0, priority=6, domain=nat-reverse, deny=false
    hits=624827, user_data=0x7fff2a6fc0f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=internet

Phase: 8
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b187af0, priority=0, domain=user-statistics, deny=false
    hits=642211, user_data=0x7fff2b185e20, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=internet

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 656034, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: vlan5
input-status: up
input-line-status: up
output-interface: internet
output-status: up
output-line-status: up
Action: allow

I believe that Dinesh may be on the right track in suspecting that this might be a routing issue. He asked about routes on the 5515 and the original poster responded about routes on the 5505.

 

So let us focus on the 5515 and the network connected to it. I have two specific questions.

- is there a route on the 5515 for the LAN subnet of the remote 5505 (which might be 192.168.7.0) and does that route point to the interface where the crypto map is applied?

- in the network connected behind the 5515 (and the original VPN head end) what is the routing for the network at the remote site (which might be 192.168.7.0) and is the next hop for that routing the 5515 or is it still the original VPN headend?

 

HTH

Rick

OK, on the 5515 there is a default route out for all networks:

route outside 0.0.0.0 0.0.0.0 (next hop IP), so this would cover the return traffic. And I have a route on the ASA for the inside, which is 172.16.0.0 255.254.0.0.

This is all I need, isn't it? I appreciate your help, guys.

I asked two specific questions. You answered only the first one. So please tell us about the routing of the network behind the ASA. Perhaps one way to do this is to perform tracert from a PC in the head end network to an address in the LAN at the remote. Does the traceroute go through the 5515 or does it go through the other head end VPN device?

 

HTH

Rick

Hi Richard, I answered both.

Question 1: there is a default route out of the ASA on the outside interface.

Question 2: there is a route to the inside network 172.16.0.0 on the inside interface.

There is no specific route to 192.168.7.0, as I thought this would follow the default route out; the crypto map is applied to the outside interface.

I am unable to do a trace to the remote site, as only phase 1 of the tunnel comes up, so I had to put the ASA on its older connection, which works. I can try this tomorrow though.

Do you think I need to make an implicit route to the 192.168.7.0 network?

Phase: 3
Type: NAT
Dynamic translate 172.17.10.1/0 to 81.128.141.106/64164

Looking at packet-tracer, it seems to be translating the source from 172.17.10.1 to 81.128.141.106 when sending the packet to 192.168.7.1.

Can you confirm that you have the correct NAT exempt for this traffic?
Please share the NAT command used for this side.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

NAT statement is this:

nat (vlan5,internet) source static Fields-Group Fields-Group destination static Fields-Cardiff Fields-Cardiff no-proxy-arp route-lookup

Fields-Group being 172.16.0.0 255.254.0.0 and Fields-Cardiff being 192.168.7.0 255.255.255.0.

vlan5 is my inside interface.

Thank you

OK, so after your helpful post we are a little further. I moved the NAT rule above the PAT rule and got the below; it is still not sending traffic though, but the NAT rule seems to be working:

 

Result of the command: "packet-tracer input vlan5 icmp 172.17.10.1 8 0 192.168.7.1 detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         internet

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (vlan5,internet) source static Fields-Group Fields-Group destination static Fields-Cardiff Fields-Cardiff no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface internet
Untranslate 192.168.7.1/0 to 192.168.7.1/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group vlan5_access_in in interface vlan5
access-list vlan5_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29d721f0, priority=13, domain=permit, deny=false
    hits=201496, user_data=0x7fff2376e780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan5,internet) source static Fields-Group Fields-Group destination static Fields-Cardiff Fields-Cardiff no-proxy-arp route-lookup
Additional Information:
Static translate 172.17.10.1/0 to 172.17.10.1/0
 Forward Flow based lookup yields rule:
 in  id=0x7fff2b060fa0, priority=6, domain=nat, deny=false
    hits=1, user_data=0x7fff2936e630, cs_id=0x0, flags=0x0, protocol=0
    src ip/id=172.16.0.0, mask=255.254.0.0, port=0, tag=0
    dst ip/id=192.168.7.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=internet

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff29b81a90, priority=0, domain=nat-per-session, deny=true
    hits=277563, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a693050, priority=0, domain=inspect-ip-options, deny=true
    hits=704803, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2a692980, priority=66, domain=inspect-icmp-error, deny=false
    hits=3469, user_data=0x7fff2a691ef0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff293c16b0, priority=70, domain=encrypt, deny=false
    hits=15, user_data=0x1edc4, cs_id=0x7fff2b0604d0, reverse, flags=0x0, protocol=0
    src ip/id=172.16.0.0, mask=255.254.0.0, port=0, tag=0
    dst ip/id=192.168.7.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=internet

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (vlan5,internet) source static Fields-Group Fields-Group destination static Fields-Cardiff Fields-Cardiff no-proxy-arp route-lookup
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b05fe30, priority=6, domain=nat-reverse, deny=false
    hits=1, user_data=0x7fff204e77c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=172.16.0.0, mask=255.254.0.0, port=0, tag=0
    dst ip/id=192.168.7.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=vlan5, output_ifc=internet

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff2b187af0, priority=0, domain=user-statistics, deny=false
    hits=725298, user_data=0x7fff2b185e20, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
    input_ifc=any, output_ifc=internet

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 739605, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: vlan5
input-status: up
input-line-status: up
output-interface: internet
output-status: up
output-line-status: up
Action: allow
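Comparing the two packet-tracer runs in this thread is the crux of Dinesh's diagnosis. In the first run a NAT phase reports "Dynamic translate 172.17.10.1/0 to 81.128.141.106/64164" and no VPN phase follows: the source is PATed to the outside address before the crypto map is consulted, so it never matches the crypto ACL and would leave the internet interface unencrypted along the default route. In the second run the identity rule now matches first ("Static translate 172.17.10.1/0 to 172.17.10.1/0") and a "Type: VPN / Subtype: encrypt" phase appears. On an ASA, manual NAT rules are evaluated top-down in the order "show nat" displays them, and NAT is applied before the crypto-map lookup, which is why rule order alone decided the outcome. The Python below is an added example, not code from the thread or from Cisco: it parses the Phase blocks of a detailed packet-tracer run and flags both symptoms. The two embedded traces are constructed, abridged copies of the ones posted.

```python
"""Check an ASA packet-tracer run for source NAT applied before the crypto map.

Added example, not from the thread: parses the Phase blocks of a
'packet-tracer ... detailed' run and reports whether the source kept its
real address and whether a 'VPN / encrypt' phase was reached.
"""
import re
from dataclasses import dataclass, field

# Constructed, abridged copy of the first trace: dynamic PAT wins, no VPN phase.
TRACE_BEFORE_FIX = """\
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (vlan5,internet) source dynamic obj_any interface
Additional Information:
Dynamic translate 172.17.10.1/0 to 81.128.141.106/64164

Result:
input-interface: vlan5
output-interface: internet
Action: allow
"""

# Constructed, abridged copy of the second trace: identity NAT first, then encrypt.
TRACE_AFTER_FIX = """\
Phase: 4
Type: NAT
Result: ALLOW
Config:
nat (vlan5,internet) source static Fields-Group Fields-Group destination static Fields-Cardiff Fields-Cardiff no-proxy-arp route-lookup
Additional Information:
Static translate 172.17.10.1/0 to 172.17.10.1/0

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW

Result:
input-interface: vlan5
output-interface: internet
Action: allow
"""

PHASE_RE = re.compile(r"^Phase: (\d+)\s*$", re.M)
TRANSLATE_RE = re.compile(r"\b(Dynamic|Static) translate ([^\s/]+)/\d+ to ([^\s/]+)/\d+")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list[str] = field(default_factory=list)
    info: list[str] = field(default_factory=list)


def parse_phases(trace: str) -> list[Phase]:
    """Split a packet-tracer run into its numbered Phase blocks."""
    parts = PHASE_RE.split(trace)          # ['', '3', body, '8', body, ...]
    phases = []
    for number, body in zip(parts[1::2], parts[2::2]):
        phase, section = Phase(int(number)), None
        for raw in body.splitlines():
            line = raw.strip()
            key, _, value = line.partition(":")
            if key in ("Type", "Subtype", "Result") and value.strip():
                setattr(phase, key.lower(), value.strip())
            elif line == "Config:":
                section = phase.config
            elif line == "Additional Information:":
                section = phase.info
            elif line and section is not None:
                section.append(line)
        phases.append(phase)
    return phases


def analyse(trace: str, src: str) -> dict[str, object]:
    """Report whether `src` reached the crypto map with its real address."""
    phases = parse_phases(trace)
    translated_to, nat_rule = None, None
    for phase in phases:
        for line in phase.info if phase.type == "NAT" else ():
            match = TRANSLATE_RE.search(line)
            if match and match.group(2) == src:
                translated_to, nat_rule = match.group(3), " ".join(phase.config)
    encrypted = any(p.type == "VPN" and p.subtype == "encrypt" for p in phases)
    egress = re.search(r"^output-interface: (\S+)", trace, re.M)
    findings = []
    if translated_to is not None and translated_to != src:
        findings.append(f"source {src} rewritten to {translated_to} by '{nat_rule}' "
                        "before the crypto map was consulted: the identity NAT for the "
                        "VPN subnets is missing or ordered below that rule (see 'show nat')")
    if not encrypted:
        findings.append("no 'VPN / encrypt' phase: the packet would leave "
                        f"{egress.group(1) if egress else '?'} unencrypted")
    return {"verdict": "encrypted" if not findings else "not-encrypted",
            "translated_to": translated_to, "findings": findings}


if __name__ == "__main__":
    for name, trace in (("before", TRACE_BEFORE_FIX), ("after", TRACE_AFTER_FIX)):
        print(name, analyse(trace, "172.17.10.1"))
```

The second finding is the one worth keeping in mind from a security standpoint: a packet-tracer run that ends in "Action: allow" with no encrypt phase is not a healthy result for VPN traffic, it means the firewall will happily forward that traffic in the clear to the ISP.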

Can you generate real traffic and then get the output of "show crypto ipsec sa peer <remote peer IP>"? Packet-tracer looks good here, and you might want to confirm whether there is any other VPN tunnel with overlapping subnets.

Additionally, run these commands while initiating real traffic:
capture asp type asp-drop all
show cap asp | in <destination private IP>

This output will show you whether any packets are getting dropped on the firewall.


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Thank you for your help and patience. The no-NAT rule was the first part of the issue; after you made me packet-trace it, it was obvious! I moved the no-NAT rule to the top and the tunnel came up every time.

It was still not receiving anything though, so I looked at the end destination and, lo and behold, it was a core layer 3 device that did not have a route back to the ASA. I added a static route and all is good.

Many thanks

Glad to help you, James.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/