1903 Views, 0 Helpful, 15 Replies

VPN Tunnel missing child_SAs

zietgiestt
Level 1

Hello,

I have a vpn tunnel built between me (ASA 5506X) and another site (Palo Alto).

After some work, the tunnel came up and connected just fine.

Palo Alto has 3 private subnets that I have NATed to 2 of my private IPs (more are needed, but I'm only using these 2 for testing).

Problem is, PA can only connect to 1 of my IPs at a time. 

PA subnets: 10.21.0.0/16, 10.22.0.0/16 and 172.22.0.0/16

My IPs: 172.16.5.246/32 is a corp VLAN; 10.201.119.6/32 is a hosted DC VLAN connected via SD-WAN.

sh cry is sa

IKEv2 SAs:

Session-id:7196, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
2691979667 12.X.X.X/500 170.X.X.X/500 READY RESPONDER
Encr: AES-CBC, keysize: 192, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/7270 sec
Child sa: local selector 172.16.5.246/0 - 172.16.5.246/65535
remote selector 10.22.0.0/0 - 10.22.255.255/65535
ESP spi in/out: 0x998bb96f/0xf41dacc6

sh cry ip sa peer=

peer address: 170.X.X.X
Crypto map tag: outside_map0, seq num: 13, local addr: 12.X.X.X

access-list WS_TUNNEL_ACL extended permit ip host 172.16.5.246 10.22.0.0 255.255.0.0
local ident (addr/mask/prot/port): (h.hqc.pc.172.16.5.246/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.22.0.0/255.255.0.0/0/0)
current_peer: 170.X.X.X


#pkts encaps: 8391, #pkts encrypt: 8391, #pkts digest: 8391
#pkts decaps: 8409, #pkts decrypt: 8409, #pkts verify: 8409
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8391, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 12.X.X.X/500, remote crypto endpt.: 170.X.X.X/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: F41DACC6
current inbound spi : 998BB96F

inbound esp sas:
spi: 0x998BB96F (2576071023)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 320429, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4284947/21130)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xF41DACC6 (4095585478)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 320429, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (4331028/21130)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

NAT rule

nat (inside,outside) source static DM_INLINE_NETWORK_66 DM_INLINE_NETWORK_66 destination static DM_INLINE_NETWORK_67 DM_INLINE_NETWORK_67

sh run object-group id DM_INLINE_NETWORK_66
object-group network DM_INLINE_NETWORK_66
network-object object DaveB
network-object object tplebsdb201

sh run object-group id DM_INLINE_NETWORK_67
object-group network DM_INLINE_NETWORK_67
network-object object 10.21.0.0
network-object object 10.22.0.0
network-object object 172.22.0.0

ACL=

access-list WS_TUNNEL_ACL extended permit object-group DM_INLINE_PROTOCOL_9 object 10.22.0.0 object DaveB
access-list WS_TUNNEL_ACL extended permit object-group DM_INLINE_PROTOCOL_10 object DaveB object 10.22.0.0
access-list WS_TUNNEL_ACL extended permit object-group DM_INLINE_SERVICE_20 object tplebsdb201 object 10.22.0.0
access-list WS_TUNNEL_ACL extended permit object-group DM_INLINE_SERVICE_21 object 10.22.0.0 object tplebsdb201

When PA pings 172.16.5.246, I am able to ping his IP (10.22.48.21)

When PA pings 10.201.119.6, I am not able to ping his IP (10.22.48.21)

At the time of writing this, PA has a ping -t running to both of my IPs, but only 172.16.5.246 is responding; 10.201.119.6 is timing out.

I may be missing something very basic, but I'm stuck here and would really appreciate any help or guidance.

Thanks,
D
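The ASA negotiates one IKEv2 child SA per element of the crypto-map ACL, taking the ACE source as the local traffic selector and the ACE destination as the remote one, and it only starts that negotiation when traffic matching the element actually reaches the crypto map untranslated. The script below is an added example (not code from the post or from Cisco) that checks those three things for each ACE: whether a matching child SA is present in the `show crypto ikev2 sa` output, whether the ACE is written backwards (source inside a remote network), and whether the identity NAT keeps its addresses untranslated. The sample input is constructed from the post's own output format; the host addresses behind the objects DaveB and tplebsdb201 (172.16.5.246 and 10.201.119.6) and the second ACE for 10.201.119.6 are assumptions.

```python
"""Check ASA IKEv2 child-SA coverage against the crypto ACL and NAT exemption.

Added example (not from the forum post or from Cisco): feed it the expanded
crypto ACL (as printed by 'show access-list', one element per line) and the
'Child sa:' selector lines from 'show crypto ikev2 sa'. The ASA negotiates
one child SA per ACE, using the ACE source as the local selector and the
ACE destination as the remote selector, so the script reports per ACE
whether a matching child SA exists, flags ACEs whose source is really a
remote network, and answers whether a given flow is covered by an ACE and
by the identity NAT.
"""
import ipaddress
import re

# --- Constructed sample input, modelled on the post's output format --------
# Object contents are assumptions: the post names DaveB / tplebsdb201 but not
# their addresses; here DaveB = 172.16.5.246 and tplebsdb201 = 10.201.119.6.
CRYPTO_ACL = """
access-list WS_TUNNEL_ACL line 1 extended permit ip host 172.16.5.246 10.22.0.0 255.255.0.0 (hitcnt=8391)
access-list WS_TUNNEL_ACL line 2 extended permit ip host 10.201.119.6 10.22.0.0 255.255.0.0 (hitcnt=0)
access-list WS_TUNNEL_ACL line 3 extended permit ip 10.22.0.0 255.255.0.0 host 172.16.5.246 (hitcnt=0)
"""
IKEV2_SA = """
Child sa: local selector  172.16.5.246/0 - 172.16.5.246/65535
          remote selector 10.22.0.0/0 - 10.22.255.255/65535
          ESP spi in/out: 0x998bb96f/0xf41dacc6
"""
REMOTE_NETS = [ipaddress.ip_network(n) for n in
               ("10.21.0.0/16", "10.22.0.0/16", "172.22.0.0/16")]
# Assumed contents of DM_INLINE_NETWORK_66 (local side of the identity NAT).
NAT_EXEMPT_LOCAL = [ipaddress.ip_network(n) for n in
                    ("172.16.5.246/32", "10.201.119.6/32")]
NAT_EXEMPT_REMOTE = REMOTE_NETS        # DM_INLINE_NETWORK_67

ACE_RE = re.compile(
    r"access-list\s+\S+\s+(?:line\s+\d+\s+)?extended\s+permit\s+(\S+)\s+(.+)$")
SEL_RE = re.compile(r"(local|remote) selector\s+([\d.]+)/\d+ - ([\d.]+)/\d+")


def _take_endpoint(tokens):
    """Consume one ACE address spec: 'any', 'host A' or 'A MASK'."""
    tok = tokens.pop(0)
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_aces(text):
    """Return [(protocol, src_net, dst_net)] for each expanded permit element."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.search(line.split("(hitcnt")[0].strip())
        if m:
            tokens = m.group(2).split()
            src = _take_endpoint(tokens)
            dst = _take_endpoint(tokens)   # ports/flags that follow are ignored
            aces.append((m.group(1), src, dst))
    return aces


def parse_child_sas(text):
    """Return [(local_range, remote_range)] with ranges as (first_ip, last_ip)."""
    sas, cur = [], {}
    for line in text.splitlines():
        m = SEL_RE.search(line)
        if m:
            cur[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                               ipaddress.ip_address(m.group(3)))
            if "local" in cur and "remote" in cur:
                sas.append((cur["local"], cur["remote"]))
                cur = {}
    return sas


def _net_range(net):
    return (net.network_address, net.broadcast_address)


def ace_status(aces, sas):
    """Classify each ACE: 'up', 'no child SA', or 'source is a remote network'."""
    result = []
    for proto, src, dst in aces:
        if any(src.subnet_of(r) for r in REMOTE_NETS):
            status = "source is a remote network"   # ACE is written backwards
        elif (_net_range(src), _net_range(dst)) in sas:
            status = "up"
        else:
            status = "no child SA"
        result.append(((proto, src, dst), status))
    return result


def covering_ace(aces, src_ip, dst_ip):
    """First ACE that would classify src->dst as interesting traffic, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ace[1] and dst in ace[2]:
            return ace
    return None


def nat_exempt_covers(ace):
    """True if the identity NAT keeps this ACE's addresses untranslated."""
    _, src, dst = ace
    return (any(src.subnet_of(n) for n in NAT_EXEMPT_LOCAL)
            and any(dst.subnet_of(n) for n in NAT_EXEMPT_REMOTE))


if __name__ == "__main__":
    aces = parse_aces(CRYPTO_ACL)
    sas = parse_child_sas(IKEV2_SA)
    for ace, status in ace_status(aces, sas):
        print(f"{ace[0]} {ace[1]} -> {ace[2]}: {status}; "
              f"NAT exempt: {nat_exempt_covers(ace)}")
    for host in ("172.16.5.246", "10.201.119.6"):
        print(host, "-> 10.22.48.21 covered by:",
              covering_ace(aces, host, "10.22.48.21"))
```

Paste the real `show access-list WS_TUNNEL_ACL` and `show crypto ikev2 sa` output into the two strings and compare the result against the post: an ACE reported as "no child SA" while its hit count stays at zero means the flow never reached the crypto map, so the route for that host and the identity NAT are the next things to inspect rather than the peer's proxy IDs. Note that `subnet_of` needs Python 3.7 or later.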
15 Replies

Since I am now sure it is a bug and not an ACL issue,
run packet-tracer for the traffic and share it here.

MHM
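As an added illustration of the packet-tracer run asked for above (these commands are not part of the reply), the following simulates an ICMP echo request (type 8, code 0) from each local host towards the PA-side address the post pings, so the two traces can be compared phase by phase. It assumes both hosts enter the ASA on the interface named inside; substitute the interface the SD-WAN-connected host actually arrives on if it differs.

```text
packet-tracer input inside icmp 10.201.119.6 8 0 10.22.48.21 detailed
packet-tracer input inside icmp 172.16.5.246 8 0 10.22.48.21 detailed
show nat detail
show crypto ikev2 sa detail
```

The trace for 172.16.5.246 should end in an encrypt action on the outside interface; if the trace for 10.201.119.6 stops or drops at an earlier phase, that phase (route lookup, NAT or access-list) is where the second host diverges, and the `show nat detail` hit counters show whether the identity NAT ever matched it.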