09-09-2012 12:04 AM
Hello all. I have a problem that I could use some fresh eyes on.
Today we physically moved an ASA 5510 across town and took another location off of fiber and onto a VPN with the ASA 5510, via a brand new 5505. The VPN seems to be up; however, no local traffic seems to be passing. The ASA 5510 can ping to the internal network of the 5505 but not vice versa.
The site that was moved is the 62.0 network, it is connected to the rest of the network through the new ASA 5505. I'm sure this is something elementary that I somehow missed. Any help would be appreciated!
09-09-2012 05:13 AM
Hi David,
What's the access-list 102 for?
I think this access list is conflicting with your Site-to-Site setup.
Or you can rearrange your crypto access-list as below:
ON 5505:
access-list outside_1_cryptomap extended permit ip 192.168.62.0 255.255.255.0 192.168.100.0 255.255.255.0
ON 5510:
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.62.0 255.255.255.0
HTH,
Regards,
Terence
09-09-2012 06:16 AM
Hello, thank you for the reply.
I deleted the access list 102 and there was no change so I rewrote the crypto map as you suggested. No joy! Could this be a NAT issue? It looks like the tunnel itself is up but there is no traffic passing to the remote lan.
09-09-2012 06:32 AM
Hi David,
Do you have a router in front of the firewall or you are using your ASA as your main router?
Also please post the sh outputs commands below:
on 5510
sh crypto ipsec sa peer xxx.117.69.146
sh crypto isakmp sa
on 5505
sh crypto ipsec sa peer XXX.123.133.162
sh crypto isakmp sa
regards,
Terence
09-09-2012 06:44 AM
Thank you for the help. Both ASAs are connected directly to the outside fiber on e0/0.
On 5505:
Result of the command: "sh crypto ipsec sa peer xxx.123.133.162"
peer address: xxx.123.133.162
Crypto map tag: outside_map, seq num: 1, local addr: xxx.117.69.146
access-list outside_cryptomap_1 extended permit ip 192.168.62.0 255.255.255.0 any
local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: xxx.123.133.162
#pkts encaps: 865, #pkts encrypt: 865, #pkts digest: 865
#pkts decaps: 457, #pkts decrypt: 457, #pkts verify: 457
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 865, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: xxx.117.69.146, remote crypto endpt.: xxx.123.133.162
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: B24CD8E4
current inbound spi : D432035D
inbound esp sas:
spi: 0xD432035D (3560047453)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 18173952, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914960/27057)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xB24CD8E4 (2991380708)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 18173952, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3914937/27057)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Result of the command: "sh crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: xxx.123.133.162
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
On 5510
Result of the command: "sh crypto ipsec sa peer XXX.117.69.146"
peer address: XXX.117.69.146
Crypto map tag: outside_map0, seq num: 1, local addr: XXX.123.133.162
access-list outside_cryptomap_1 extended permit ip any 192.168.62.0 255.255.255.0
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
current_peer: XXX.117.69.146
#pkts encaps: 476, #pkts encrypt: 476, #pkts digest: 476
#pkts decaps: 932, #pkts decrypt: 932, #pkts verify: 932
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 476, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: XXX.123.133.162, remote crypto endpt.: XXX.117.69.146
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: D432035D
current inbound spi : B24CD8E4
inbound esp sas:
spi: 0xB24CD8E4 (2991380708)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 18219008, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373934/26881)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD432035D (3560047453)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 18219008, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4373959/26881)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Result of the command: "sh crypto isakmp sa"
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: XXX.117.69.146
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Here's a trace from the ASA 5505 to the internal interface of the 5510; it looks like it has an idea of where to go. The reverse trace from the 5510 is empty. Perhaps a routing or NAT issue with the 5510? Packet tracer shows implicit denies catching traffic (which can't be accurate with temporary permit ip any any statements above them):
Result of the command: "trace 192.168.100.1"
Type escape sequence to abort.
Tracing the route to 192.168.100.1
1 xxx.117.69.145 0 msec 10 msec 0 msec
2 xxx.117.67.3 10 msec 0 msec 10 msec
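The two `sh crypto ipsec sa` outputs above contain the facts that decide the next step: the local/remote identities (which must be mirror images of the peer's, the point of Terence's crypto ACL suggestion earlier in the thread), and the encaps/decaps counters (nonzero in both directions means the tunnel itself is carrying traffic and the fault is behind it, in NAT exemption or inside routing). The script below is an added example, not something posted in the thread; it parses excerpts shaped like the outputs above (the sample text is constructed, with the counters taken from the thread) and reports those checks, including a warning when an identity is `any`, since that pulls unrelated traffic into the tunnel and is the conflict with NAT that Terence refers to.

```python
"""Sanity-check a pair of ASA `show crypto ipsec sa` outputs (added example)."""
import ipaddress
import re

# Lines of interest, in the format the ASA prints them (as quoted in the thread).
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)"
)
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed excerpts modelled on the 5505 (A) and 5510 (B) outputs in the thread.
SIDE_A = """\
local ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 865, #pkts encrypt: 865, #pkts digest: 865
#pkts decaps: 457, #pkts decrypt: 457, #pkts verify: 457
"""
SIDE_B = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.62.0/255.255.255.0/0/0)
#pkts encaps: 476, #pkts encrypt: 476, #pkts digest: 476
#pkts decaps: 932, #pkts decrypt: 932, #pkts verify: 932
"""


def parse_ipsec_sa(text):
    """Extract proxy identities (as networks) and encap/decap counters for one peer."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # The ASA prints an 'any' identity as 0.0.0.0/0.0.0.0; ip_network accepts dotted masks.
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for counter, value in COUNT_RE.findall(text):
        sa[counter] = int(value)
    return sa


def mirrored(a, b):
    """Crypto ACLs must mirror: A's local == B's remote and A's remote == B's local."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]


def diagnose(a, b):
    """Return a list of findings for the SA pair; an empty list means nothing to flag."""
    findings = []
    if not mirrored(a, b):
        findings.append("proxy identities are not mirror images; fix the crypto ACLs")
    for name, sa in (("A", a), ("B", b)):
        if sa["encaps"] == 0:
            findings.append(f"side {name} encaps 0: no traffic matches its crypto ACL")
        if sa["decaps"] == 0:
            findings.append(f"side {name} decaps 0: nothing arrives from the peer")
        for ident in ("local", "remote"):
            if sa[ident] == ANY:
                findings.append(
                    f"side {name} {ident} identity is any: use the specific subnet "
                    "so the tunnel does not swallow unrelated traffic"
                )
    # Both directions carrying packets on both sides: the tunnel is fine, look behind it.
    if mirrored(a, b) and all(sa[c] > 0 for sa in (a, b) for c in ("encaps", "decaps")):
        findings.append(
            "tunnel carries traffic both ways; look at NAT exemption and inside routing"
        )
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(SIDE_A), parse_ipsec_sa(SIDE_B)):
        print("-", line)
```

Run against the two excerpts it reports that the identities mirror (62.0/24 against any on both sides), that packets are being encapsulated and decapsulated on both ASAs, and that both sides should replace `any` with the 192.168.100.0/24 subnet; the remaining finding is the one the thread converges on, the 5510's NAT and routing toward 192.168.62.0.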
09-09-2012 06:43 AM
Hi,
Please get:
show crypto ipsec sa // both sides
Are you testing with traffic other than from the inside interface, since on the 5505 you are missing:
management-access inside
Once we check the tunnel counters we can proceed with the packet-tracer if needed.
HTH
Mohammad.
09-09-2012 06:46 AM
Output posted above! THANK YOU FOR THE HELP!
Right now my only access to the 5505 is through the outside interface. Its local LAN is up (and operating properly). Should I issue the management-access inside command then?
09-09-2012 06:50 AM
Hey,
Happy to know it is working fine.
The management-access inside is up to you: do you want to be able to pass traffic through the tunnel using the inside interface of the ASA?
Cheers.
Mohammad.
09-09-2012 06:53 AM
Wait, don't leave! The tunnel is working but the connectivity problem still exists!
I'll issue the management access command now.
09-09-2012 06:53 AM
Hi David,
I do not see any crypto access-list on your ASA 5510.
Please check and revert.
And also use the suggested access-list I showed you above, otherwise it will conflict with your NAT statement.
HTH.
Regards,
Terence
09-09-2012 06:57 AM
Terence,
I deleted the access-list 102 earlier... After rearranging the access lists to the following, the tunnel dropped.
ON 5505:
access-list outside_1_cryptomap extended permit ip 192.168.62.0 255.255.255.0 192.168.100.0 255.255.255.0
ON 5510:
access-list outside_1_cryptomap extended permit ip 192.168.100.0 255.255.255.0 192.168.62.0 255.255.255.0
outside_1_cryptomap is the crypto access list, right? That's on the 5510 as well.
09-09-2012 08:40 AM
The ASA 5510 can ping into the ASA 5505's network now, but not vice versa. Any thoughts?
09-09-2012 08:50 AM
Hi David,
Can you repost your config?
Regards,
Terence
09-09-2012 09:03 AM
ASA 5510
09-09-2012 09:20 AM
Hi David,
All looks ok from your config.
But can you change the route on the 5510 to the below:
route outside 192.168.62.0 255.255.255.0 XXX.123.133.162
HTH.
Regards,
Terence