VPN Tunnel established but no communication possible, need help troubleshooting

Karsten Kemper
Level 1

Hello together,

I have been working on a Site-to-Site VPN with one end on a dynamic IP (home office) and the other on a static IP (company).

I have been testing this setup at home, where it works perfectly with the following configuration:

Company ( static IP )

Company Network<->ASA5510<->ISP

Company Network 172.20.x.x

Home ( dynamic IP )

ISP<->Cable Modem<->Router with DD-WRT<->ASA5505<->Local Clients

Router: 192.168.1.1, static route 192.168.10.0 gateway 192.168.1.2

ASA5505: outside 192.168.1.2, inside 192.168.10.1

Local Client 192.168.10.5 for example

I wanted to move this working configuration to another home office with a slightly different ISP connection:

ISP<->Fritzbox 6360 with integrated cable modem<->ASA5505<->Local Clients

Fritzbox 6360: 192.168.1.1, static route 192.168.10.0 gateway 192.168.1.2

ASA5505: outside 192.168.1.2, inside 192.168.10.1

Local Client 192.168.10.5 for example

From what I can see, the Fritzbox is connected to the internet via IPv6.

At this new location the VPN setup does not work. The tunnel is established, but I cannot communicate with the resources at the company.

Tunnel at the new location

Crypto map tag: outside_map0, seq num: 1, local addr: 192.168.1.2
      access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 172.20.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
      current_peer: 217.67.xxx.xxx
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 217.67.xxx.xxx/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 55FC15CA
      current inbound spi : 4EA3CA8D
    inbound esp sas:
      spi: 0x4EA3CA8D (1319357069)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (3915000/28423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x55FC15CA (1442584010)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map0
         sa timing: remaining key lifetime (kB/sec): (3914999/28423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

TX: some value > 0
RX: 0

Tunnel at the company

Crypto map tag: KW-VPN, seq num: 2, local addr: 217.67.xxx.xxx
      access-list WEB_cryptomap extended permit ip 172.20.0.0 255.255.0.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.20.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 37.24.xxx.xxx
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0
      local crypto endpt.: 217.67.xxx.xxx/0, remote crypto endpt.: 37.24.xxx.xxx/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 4EA3CA8D
      current inbound spi : 55FC15CA
    inbound esp sas:
      spi: 0x55FC15CA (1442584010)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 1691648, crypto-map: KW-VPN
         sa timing: remaining key lifetime (kB/sec): (4374000/28637)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x4EA3CA8D (1319357069)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
         slot: 0, conn_id: 1691648, crypto-map: KW-VPN
         sa timing: remaining key lifetime (kB/sec): (4374000/28637)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

TX: 0
RX: 0

I honestly have no clue why at the home location packets get sent (TX) but nothing is received (RX), and at the company location TX and RX stay zero.

Is there any way to debug why packets sent from the home office don't even reach the company?

If there is a need for further log files or configs, please let me know.

With kind regards

1 Reply 1

Karsten Kemper
Level 1

I found the following article about using a VPN through a Fritzbox; maybe someone can see a related issue.

Using the FRITZ!Box's Internet connection with VPN software from another manufacturer

You can also use VPN software from another manufacturer to establish VPN connections to a remote VPN server over your FRITZ!Box's Internet connection. Since VPN Passthrough is enabled by default for the VPN protocols IPSec and PPTP, no additional settings are required.

If the VPN software uses the IPSec protocol without NAT-Traversal or the PPTP protocol, the following restrictions apply:

    Simultaneous connections from multiple VPN clients in the FRITZ!Box home network to the same VPN server are not possible.

    The IPSec operating mode "Authentication Header" (AH) cannot be used.

    As the VPN software does not notice the disconnection of an Internet connection, a new VPN connection to the VPN server will not be automatically established when a new Internet connection is established. This, however, is necessary as the FRITZ!Box usually obtains a new IP address from your Internet Service Provider when a new Internet connection is established.

    Therefore, the FRITZ!Box should be configured to permanently maintain the Internet connection.
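Added example, not from the thread or from Cisco: a small parser that reads the counters and settings lines from a pair of `show crypto ipsec sa` blocks (one per tunnel end) and turns them into the findings a troubleshooter would draw from them, including the NAT-T check the quoted AVM article hints at (ASA adds a `NAT-T-Encaps` flag to the "in use settings" line only when UDP 4500 encapsulation is negotiated; without it ESP goes out as raw IP protocol 50 and depends on the router's passthrough). The sample blocks are constructed to match the shape of the thread's output, with placeholder public addresses instead of the masked ones.

```python
import re

# Constructed excerpts in the shape of the ASA output quoted in the thread.
# Home side: packets are encapsulated (9) but none are ever decapsulated (0).
HOME_SA = """\
Crypto map tag: outside_map0, seq num: 1, local addr: 192.168.1.2
      current_peer: 217.67.0.1
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 192.168.1.2/0, remote crypto endpt.: 217.67.0.1/0
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
"""
# Company side: nothing in either direction.
COMPANY_SA = """\
Crypto map tag: KW-VPN, seq num: 2, local addr: 217.67.0.1
      current_peer: 37.24.0.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local crypto endpt.: 217.67.0.1/0, remote crypto endpt.: 37.24.0.1/0
         in use settings ={L2L, Tunnel, PFS Group 1, IKEv1, }
"""

def parse_sa(text):
    """Extract the encaps/decaps counters, local endpoint and NAT-T state of one SA block."""
    def counter(name):
        m = re.search(rf"#pkts {name}: (\d+)", text)
        return int(m.group(1)) if m else 0
    local = re.search(r"local crypto endpt\.: ([\d.]+)/", text).group(1)
    settings = re.search(r"in use settings =\{([^}]*)\}", text).group(1)
    return {"encaps": counter("encaps"), "decaps": counter("decaps"),
            "local_endpt": local,
            # flag present only when UDP-encapsulated ESP (NAT-T) is in use
            "nat_t": "NAT-T-Encaps" in settings}

def is_private(ip):
    """RFC 1918 check: a private local endpoint means the ASA sits behind NAT."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def diagnose(home, company):
    """Compare both ends of the tunnel and return human-readable findings."""
    h, c = parse_sa(home), parse_sa(company)
    findings = []
    if h["encaps"] > 0 and c["decaps"] == 0:
        findings.append("ESP leaves the home ASA but never arrives at the company ASA")
    if is_private(h["local_endpt"]) and not h["nat_t"]:
        findings.append("home ASA is behind NAT without NAT-T; raw ESP relies on router passthrough")
    if c["encaps"] == 0:
        findings.append("company ASA has nothing to send back: no decrypted packets to answer")
    return findings
```

Run `diagnose(HOME_SA, COMPANY_SA)` to get the three findings for the thread's situation; pasting a real pair of SA blocks in place of the constructed ones works the same way.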
