ACTIVE BUT NOT VPN CONNECTIVITY

Unanswered Question
Jan 7th, 2010
User Badges:


My topology is as follows

I have a Cisco 1841 that does not manage, because it belongs to my ISP. In this turn I have attached an ASA 5510 that is that I manage myself.

I want to create a connection THROUGH the CISCO VPN client, run the wizard that brings the ASDM. After this run the VPN client and tells me that the VPN is active but I have no connectivity on both sides of the vpn.

The local network is 192.168.0.0 and I'm assigned to the machine that is connecting an ip in the same range.
I hope someone can help me, thanks

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Yudong Wu Thu, 01/07/2010 - 13:01
User Badges:
  • Gold, 750 points or more

Can you provide some info for us to help you?

- ASA config

- After VPN client is in active statue,  issue a ping to the internal network for vpn client, capture the following command from ASA.

  - show crypto isa sa

  - show crypto ipsec sa

- screen shot of your vpn client statistics window.

FRANCISCO IBARRA Thu, 01/07/2010 - 16:30
User Badges:

First thanks to answer:

here's the log of the connection. I saw that was a failure to add the route is not whether this affection. I

Yudong Wu Thu, 01/07/2010 - 21:53
User Badges:
  • Gold, 750 points or more

After the tunnel is up, can you check the route to see if it is added?

If you are using Vista, there was a bug related to this. The route was added correctly but it was still reported error.


By the way, can you provide the info which I asked before?

Basically, if the tunnel is up but not passing traffic, we need find out which side has the problem. So initiating some traffic such as ping, then checked decrypt and encrypt count on both sides to see which one is not incrementing.

FRANCISCO IBARRA Fri, 01/08/2010 - 08:13
User Badges:

hi

If the VPN Client is running on Windows Vista. And he added as the securated route 0.0.0.0 0.0.0.0.

Here is the information that I was asked:


# sh crypto isa sa


   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1


1   IKE Peer: y.y.y.y
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE


# sh crypto ipsec sa
interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: x.x.x.x


      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.0.201/255.255.255.255/0/0)
      current_peer: y.y.y.y, username: ""
      dynamic allocated peer ip: 192.168.0.201


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 443, #pkts decrypt: 443, #pkts verify: 443
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0


      local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y



Thanks

Yudong Wu Fri, 01/08/2010 - 09:09
User Badges:
  • Gold, 750 points or more

From the output of ASA, it looks like the issue is on ASA side.

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0             <<<<<< Not sending packets
      #pkts decaps: 443, #pkts decrypt: 443, #pkts verify: 443    <<<<<< receiving packet


It might be a mis-configuration on ASA, please check

1. routing

2. if vpn packet to the client will bypass NAT

Post related ASA configuration if you need help.

FRANCISCO IBARRA Fri, 01/08/2010 - 10:36
User Badges:

As for routing'm using only one static route. and in the use of nat I am using it as seen in the Internet sites.

Here is the configuration


access-list inside_access_in extended permit ip object-group any_ any
access-list inside_access_in extended permit tcp object-group https_ any eq https
access-list inside_access_in extended permit tcp object-group ftp_ any eq ftp
access-list inspect_outbound extended permit tcp 192.168.0.0 255.255.255.0 any eq www
access-list inspect_outbound extended permit tcp 192.168.0.0 255.255.255.0 any eq ftp
access-list inspect_outbound extended permit tcp 192.168.0.0 255.255.255.0 any eq pop3
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.0.192 255.255.255.224
access-list outside_1_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool POOLREMOTO 192.168.0.201-192.168.0.210 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
................................................................................................
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
................................................................................................
group-policy VPNREMOTO internal
group-policy VPNREMOTO attributes
dns-server value 192.168.0.220
vpn-tunnel-protocol IPSec

vpn-group-policy VPNREMOTO
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *
tunnel-group VPNREMOTO type ipsec-ra
tunnel-group VPNREMOTO general-attributes
address-pool POOLREMOTO
default-group-policy VPNREMOTO
tunnel-group VPNREMOTO ipsec-attributes
pre-shared-key *

thanks

Yudong Wu Fri, 01/08/2010 - 14:39
User Badges:
  • Gold, 750 points or more

Your VPN pool address is overlap with your internal network 192.168.0. Therefore, the internal host will think the vpn client is at local. Can you use a different pool and try it again.


You can try to enable "nat-traversal" as well in case the client is behind a NAT device.

"crypto isakmp nat-traversal"

FRANCISCO IBARRA Fri, 01/08/2010 - 16:13
User Badges:

Change my pool with address range 192.168.100.x.
Also active crypto isakmp nat-traversal

but does not work

no other change is that I do

Yudong Wu Sat, 01/09/2010 - 11:34
User Badges:
  • Gold, 750 points or more

after you change ip pool for vpn client, you need change ACL for nat 0 accordingly.

In your case, you need add "permit ip your_internal_network mask 192.168.100.0 255.255.255.0" in the ACL which is used by "nat 0"

FRANCISCO IBARRA Mon, 01/11/2010 - 11:42
User Badges:

I modify the ACL, but I still have echoed by the ASA to the customer PC.

Check the statistics of incoming and outgoing packets and remains the same.

Not if it can be for some politics by default who is working the ASA.

Thanks

Yudong Wu Mon, 01/11/2010 - 12:58
User Badges:
  • Gold, 750 points or more

hmm....

Can you try this?

1. connect your vpn client to ASA and make sure the IPSec tunnel is active.

2. From a internal host saying 192.168.0.x ping vpn client's IP 192.168.100.y

3. On ASA, check "show crypto ipsec sa" to see if encrypted count incrementing for the related SA

4. capture the following command as well

    packet-tracer input icmp 192.168.0.x 8 0 192.168.100.y detail

FRANCISCO IBARRA Mon, 01/11/2010 - 14:46
User Badges:

See ipsec sa command, which shows me that if you make a icmp packet encryption. But do not go.

Here shows the output:

  #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 619, #pkts decrypt: 619, #pkts verify: 619
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

As for the capture of the command packet tracer, did not understand, if I do it to the internal interface or external interface, that if I make it to the internal interface if allowed out of the package. if done at the external interface does not come out here to leave external:



Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow


Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside


Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x43ccfb8, priority=111, domain=permit, deny=true
        hits=930, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0


Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Yudong Wu Mon, 01/11/2010 - 15:01
User Badges:
  • Gold, 750 points or more

Since we concern of the traffic in the direction from internal host to the vpn client, input_interface in packet-tracer command is the inside interface which is facing to the internal host.


Previously, in "show crypto ipsec sa", I could see "encrypt count" is 0 on ASA. But, in your last capture, it was not zero any more. That means the ASA could send data to the remote end.


Can you issue a ping from internal host to VPN client when VPN client is connected and in active statue?

Capture "show crypto ipsec sa" from ASA and VPN statistics on vpn client before ping, and then capture them after ping.

Compare both encrypt/decrypt count to see if they are incrementing

FRANCISCO IBARRA Mon, 01/11/2010 - 16:00
User Badges:

I did the test told me.

When you ping from an internal host to the ASA this tends to raise both the encrypted bytes as the bytes received on the host's VPN client.

However this does not answer ping host and the VPN client. I think they are the echoes that are not answered.

Thanks

Yudong Wu Mon, 01/11/2010 - 19:10
User Badges:
  • Gold, 750 points or more

When you ping from internal host to vpn client, if there is only ping packet, you should see that the incrementing of encrypt count on ASA is equal to incrementing of decrypt count on VPN client. This is echo packet. For echo-reply, you should see that the incrementing of encrypt count on vpn client is equal to the incrementing of decrypt count on ASA.


So, in your testing, which count is NOT incrementing?

FRANCISCO IBARRA Tue, 01/12/2010 - 08:03
User Badges:

Here's something interesting, check the counters on both counts, ie I show increased encrypts and decrypts fine. I also did a ping from the ASA ASDM VPN client to the host for the external interface which was satisfactory, it means that packets arrive at the ASA but can not reach the host, I think it could be an ACL issue or problem of NAT . Could you help, Thanks.

FRANCISCO IBARRA Wed, 01/27/2010 - 14:15
User Badges:

Thank you for your help.


I could solve the problem by access list to allow traffic

Actions

This Discussion