Help Rv042 to ASA5510 VPN with multiple subnets

Unanswered Question
Oct 12th, 2009

I have a RV042 running firmware 1.3.12.19-tm connected to the internet

LAN subnet is 192.168.10.0/255.255.255.0

On the other side I have an ASA5510 also connected to the internet

The ASA5510 LAN subnets are split into 3 subnets

1) 192.168.60.0/255.255.255.0
2) 192.168.61.0/255.255.255.0
3) 192.168.62.0/255.255.255.0

I have set up a VPN connection between the routers as follows
On RV042
     Local Group Setup
          Local Security Gateway Type: IP Only
          IP Address: rv042 external ip address
          Local Security Group Type: Subnet
          IP Address: 192.168.10.1
          Subnet Mask: 255.255.255.0

     Remote Group Setup                

          Remote Security Gateway Type: IP Only
          IP Address: ASA5510 external IP address
          Remote Security Group Type: Subnet
          IP address: 192.168.60.0
          Subnet Mask: 255.255.252.0

On the ASA5510 I have set up the VPN allowing access from the subnet 192.168.60.0/22 to 192.168.10.0/24

The VPN gets established and traffic from the rv042 10.0 subnet works fine with the 61.0 and 62.0 subnet of the ASA5510.

For some reason traffic on the 60.0 subnet refuses to work.

Using tcpdump on a machine on the 60.0 subnet I can see that a ping sent from 10.x is successfully received on the 60.x machine across the VPN, and a reply is sent, but the reply is not received on the 10.x machine.

I have checked using the packet tracer of the ASA and the packet shows as being allowed across the ASA.

I have checked the access control lists on the ASA and that seems to be fine.

I have also viewed the logs on the ASA and can see that the ping is received and the teardown message also being logged successfully.

The Rv042 unfortunately doesn't show any signs of the packets.

I enabled the syslog of the Rv042 and installed the wallwatcher program to view the syslogs.

I enabled all checkboxes on the Log page of the Rv042 to enable logging of all traffic.

The Rv042 doesn't seem to log VPN traffic at all!!

That makes it really difficult to figure out if the problem is local to the Rv042 or is on the ASA5510 side.

The fact that the VPN gets established successfully and I am able to ping the 61.0 and 62.0 subnets from 10.0 makes it even more strange why the 60.0 subnet refuses to work.

I also tried setting up 3 separate VPN links from the (RV042) 192.168.10.0/24 subnet to (ASA) 192.168.60.0/24, 192.168.61.0/24, 192.168.62.0/24.

I get the exact same symptoms. Only the 60.0 subnet refuses to work!!!

I have been breaking my head on this for the last few days and would appreciate any advice or hints on debugging this further.

/sanjay
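One thing worth ruling out in a setup like this is a Phase 2 selector (proxy ID) mismatch between the two peers, which typically shows up as exactly one subnet failing. The script below is an added example, not from this thread or from Cisco: it models the poster's selectors (RV042 local 192.168.10.0/24, remote 192.168.60.0/22; ASA the mirror image) and checks that the two sides mirror each other and that each real LAN behind the ASA is covered; `single_selector` also computes the smallest one-selector summary for a list of LANs, which is how the /22 in the thread arises. Function names and data structures are this example's own.

```python
"""Phase-2 selector consistency check for a site-to-site IPsec tunnel.

Added example (not from the forum thread). Selectors are given as
'network/prefix' or 'network/dotted-mask' strings, as the RV042 and ASA
configuration pages show them.
"""
from ipaddress import ip_network


def single_selector(lans):
    """Smallest single prefix that contains every LAN in `lans`.

    This is the one-selector alternative to one tunnel per subnet; for
    192.168.60.0/24, .61.0/24 and .62.0/24 it yields 192.168.60.0/22.
    """
    nets = [ip_network(n, strict=False) for n in lans]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()  # widen by one bit until all fit
    return candidate


def check_tunnel(side_a, side_b, lans_a, lans_b):
    """Return a list of findings; an empty list means the selectors agree.

    side_a / side_b: (local_selector, remote_selector) as configured on each
    peer. lans_a / lans_b: the real subnets that must traverse the tunnel.
    strict=False masks off host bits such as the RV042's 192.168.10.1 entry.
    """
    a_local, a_remote = (ip_network(n, strict=False) for n in side_a)
    b_local, b_remote = (ip_network(n, strict=False) for n in side_b)
    findings = []
    # Phase 2 selectors must be mirror images of each other.
    if a_remote != b_local:
        findings.append(f"A.remote {a_remote} != B.local {b_local}")
    if a_local != b_remote:
        findings.append(f"A.local {a_local} != B.remote {b_remote}")
    # Every real LAN must sit inside the selector its own peer advertises.
    for lan in lans_a:
        if not ip_network(lan, strict=False).subnet_of(a_local):
            findings.append(f"{lan} not covered by A.local {a_local}")
    for lan in lans_b:
        if not ip_network(lan, strict=False).subnet_of(b_local):
            findings.append(f"{lan} not covered by B.local {b_local}")
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the thread's configuration.
    rv042 = ("192.168.10.1/255.255.255.0", "192.168.60.0/255.255.252.0")
    asa = ("192.168.60.0/22", "192.168.10.0/24")
    asa_lans = ["192.168.60.0/24", "192.168.61.0/24", "192.168.62.0/24"]
    print(check_tunnel(rv042, asa, ["192.168.10.0/24"], asa_lans) or "selectors consistent")
```

An empty result, as with the thread's configuration, means the selectors are not the cause and the fault lies elsewhere (as the poster eventually found with the ASA itself).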

David Carr Mon, 10/12/2009 - 08:02

Yeah, I have to agree, that is very strange. Is it just pings that are being blocked, or can you RDP or anything to see if you can connect from the 60.x network?

sanjay9madhavan Mon, 10/12/2009 - 08:17

It is all traffic. I just used ping as a test case.

Also the block is just in one direction.

I setup tcpdump on two linux boxes on each side of the VPN.

When I ping from 10.x to 60.x the 60.x machine receives the ping.

When I ping from 60.x to 10.x the 10.x machine does NOT receive the ping.

Unfortunately the rv042 logging doesn't show if the Rv042 has received the ping either, since it doesn't seem to log VPN traffic at all.

/sanjay

David Carr Mon, 10/12/2009 - 08:32

I don't know, are the settings the same as from the other subnets to the rv042 that are working? It seems to be something within that subnet on the ASA, since the tunnels between the other two subnets are working perfectly. I would look into that.

sanjay9madhavan Mon, 10/26/2009 - 04:36

Resolved the problem by reloading the ASA5510!!!

I used to think Cisco boxes did not need to be restarted. It looks like sometimes they do.

/sanjay