03-06-2018 03:57 AM - edited 03-12-2019 05:05 AM
Good evening,
I recently had an issue trying to configure a site-to-site VPN on an ASA 5505 (ver. 9.1(6)).
My need is to connect point A to point B, and point A to point C.
While I've been able to successfully connect A-B, with A-C I have this problem:
The IPSec tunnel comes up (IKEv2), but while C sends packets to A, and A receives them and transmits packets back to C, C doesn't receive them.
I've rebooted both firewalls, checked and compared the configurations of C to B (paying attention to Access Rules, NAT Rules, Group Policies, Tunnel Groups, ACL Rules, Crypto Maps), and they're basically identical. I can't get it to work though.
Ports on routers from both sites are opened (50, 500, 1701, 4500, 10000). Router internal firewalls are off.
Any advice?
03-06-2018 06:28 AM
It looks like you are trying to build a Site-to-Site VPN with Hairpinning.
One of the things I would recommend is to make sure you have functional VPN tunnels between A and B and between A and C.
Another thing to look out for is that you need to have same-security-traffic permit intra-interface on the A ASA.
Here is a config guide for more details (it is using ikev1, but if you have the tunnels running it is pretty much the same config):
HTH
Bogdan
03-07-2018 07:22 AM - edited 03-07-2018 07:22 AM
Hello @vannixiii,
Checking your post, it seems you have a problem with the S2S between A and C, but essentially you have problems with the traffic that is being sent to Site C. You need to look for the ESP packets in order to verify if something in the path is dropping them:
1. Place this capture on Site A
cap cap interface outside match esp host <IP FW A> host <IP FW C>
cap asp type asp-drop all
2. Place this capture on Site C
cap cap interface outside match esp host <IP FW C> host <IP FW A>
cap asp type asp-drop all
3. Run this command before you test
clear asp drop
4. After you perform the test, verify whether you are receiving the ESP packets; it should say IP-PROTO50 in the capture, and it should be both ways:
show cap cap
show cap asp
Let me know how the tests go, I will be waiting for your response.
HTH
Martha
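The procedure above compares what each ASA sees on its outside interface so you can tell whether ESP is lost on the path or never leaves a firewall. As an added example that is not part of the thread or of Cisco's own tooling, the following Python script parses capture output in the shape of `show cap cap` (one line per packet, `src > dst: ip-proto-50, length N`), counts ESP packets per direction at each site, and reports which leg is failing. The firewall addresses and the capture text are constructed for illustration and reproduce the original poster's symptom (A replies, but C never sees the reply); the output format is an approximation of the ASA's and may need adjusting to a real capture.

```python
import re
from collections import Counter

# Constructed addresses standing in for the outside interfaces of FW A and FW C.
FW_A = "203.0.113.10"
FW_C = "198.51.100.20"

# Constructed sample in the shape of `show cap cap` at Site A:
# ESP is seen in both directions, so A receives from C and replies.
CAPTURE_SITE_A = """\
4 packets captured
   1: 09:15:01.123456 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
   2: 09:15:01.123789 203.0.113.10 > 198.51.100.20: ip-proto-50, length 132
   3: 09:15:02.223456 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
   4: 09:15:02.223789 203.0.113.10 > 198.51.100.20: ip-proto-50, length 132
4 packets shown
"""

# Constructed sample at Site C: only outbound ESP, the replies never arrive.
CAPTURE_SITE_C = """\
2 packets captured
   1: 09:15:01.101010 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
   2: 09:15:02.201010 198.51.100.20 > 203.0.113.10: ip-proto-50, length 132
2 packets shown
"""

# Matches one packet line; header/footer lines ("4 packets captured") do not
# have a colon directly after the leading number and are skipped.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\d{2}:\d{2}:\d{2}\.\d+\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+ip-proto-50,\s+length\s+(?P<len>\d+)",
    re.IGNORECASE,
)


def parse_esp_capture(text):
    """Return (src, dst, length) for every ESP packet line in a capture dump."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append((m["src"], m["dst"], int(m["len"])))
    return packets


def esp_direction_counts(text, fw_a, fw_c):
    """Count ESP packets A->C and C->A in one capture; other hosts are ignored."""
    counts = Counter()
    for src, dst, _ in parse_esp_capture(text):
        if src == fw_a and dst == fw_c:
            counts["a_to_c"] += 1
        elif src == fw_c and dst == fw_a:
            counts["c_to_a"] += 1
    return {"a_to_c": counts["a_to_c"], "c_to_a": counts["c_to_a"]}


def diagnose(site_a_text, site_c_text, fw_a, fw_c):
    """Compare both sites' captures and name the leg where ESP disappears."""
    a = esp_direction_counts(site_a_text, fw_a, fw_c)
    c = esp_direction_counts(site_c_text, fw_a, fw_c)
    if c["c_to_a"] > 0 and a["c_to_a"] == 0:
        return "C->A ESP leaves C but never reaches A: dropped between C and A"
    if a["c_to_a"] > 0 and a["a_to_c"] == 0:
        return "A receives ESP but sends none back: check asp-drop on A"
    if a["a_to_c"] > 0 and c["a_to_c"] == 0:
        return "A->C ESP leaves A but never reaches C: dropped between A and C"
    if a["a_to_c"] == 0 and a["c_to_a"] == 0:
        return "no ESP at either end: tunnel is not carrying traffic"
    return "ESP seen both ways at both ends: look inside the tunnel, not at the path"


if __name__ == "__main__":
    print("Site A:", esp_direction_counts(CAPTURE_SITE_A, FW_A, FW_C))
    print("Site C:", esp_direction_counts(CAPTURE_SITE_C, FW_A, FW_C))
    print(diagnose(CAPTURE_SITE_A, CAPTURE_SITE_C, FW_A, FW_C))
```

Paste the real `show cap cap` output from each firewall into the two strings (or read them from files) after running `clear asp drop` and the test traffic; if the verdict points at a path drop, the next place to look is the router or ISP in between rather than the ASA configuration, and if it points at one ASA, `show cap asp` on that box shows the drop reason.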
03-08-2018 12:36 AM
Thank you Martha, I'm going to try as soon as possible and give you feedback.