VPN Client cannot ping or reach anywhere...

Unanswered Question
Feb 17th, 2010

Hi,

I have an ASA 5510 (8.0.2), ASDM 6.1 and an ASA-SSM-10. Our clients are using Cisco VPN client 5.0.02. One of them connects successfully but cannot ping or connect anywhere. His account and PC settings are OK since he can connect when he changes his Internet connection and gets another public IP address.

I can see TX/RX traffic in ASDM for the VPN session, and the shun list is empty.

Any suggestions will be much appreciated.

S.

Ivan Martinon Thu, 02/18/2010 - 09:45

Please make sure that the following line is enabled on the ASA: "crypto isakmp nat-t 20". If it is not enabled, go ahead and enable it, then disconnect and reconnect.

If that does not work, please check your NAT exempt config and post your config here.

Ivan

Samuel Akindele Fri, 02/19/2010 - 04:24

Dear Ivan,

My VPN issue is a bit different: VPN connections from the Internet to the outside interface of the Enterprise network are established, and users can reach all required nodes on the inside Enterprise network, while connections from the subscriber network are also established, but users cannot reach anywhere on the inside Enterprise network. Kindly help.

Find attached diagram.

Ivan Martinon Fri, 02/19/2010 - 08:16

Understood. Can you tell me what protocol is used by the subscriber network clients when they are connected? Is it plain ESP, or do they use NAT-T?

Ivan Martinon Fri, 02/19/2010 - 09:49

OK, thanks. When you see this behavior, do you see packets encrypted and decrypted in the VPN client statistics? Can you get a "show crypto ipsec sa" from the firewall once the clients that have the issue are connected?

Samuel Akindele Fri, 02/19/2010 - 12:17

In the VPN client statistics, packets encrypted continue to increase, while packets decrypted remains at zero. I also see packets bypassed increasing.

ASA5540# show crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.64.253.11/255.255.255.255/0/0)
      current_peer: 41.138.185.126, username: test
      dynamic allocated peer ip: 10.64.253.11

      #pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
      #pkts decaps: 1293, #pkts decrypt: 1293, #pkts verify: 1293
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1234, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.64.250.19, remote crypto endpt.: 41.138.185.126

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 160EDD1F

    inbound esp sas:
      spi: 0x718E62FB (1905156859)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26688
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x160EDD1F (370072863)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26683
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.64.253.9/255.255.255.255/0/0)
      current_peer: 41.138.188.3, username: ofun
      dynamic allocated peer ip: 10.64.253.9

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.64.250.19, remote crypto endpt.: 41.138.188.3

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 796C8A82

    inbound esp sas:
      spi: 0xA9776EB7 (2843176631)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 47, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28745
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x796C8A82 (2037156482)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 47, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28745
         IV size: 16 bytes
         replay detection support: Y

Samuel Akindele Fri, 02/19/2010 - 14:11

Subscriber Network VPN Client

Statistics

Packets
Encrypted: 123
Decrypted: 0
Discarded: 0
Bypassed: 609

ASA# show crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.64.253.11/255.255.255.255/0/0)
      current_peer: 41.138.185.126, username: test
      dynamic allocated peer ip: 10.64.253.11

      #pkts encaps: 1166, #pkts encrypt: 1166, #pkts digest: 1166
      #pkts decaps: 1217, #pkts decrypt: 1217, #pkts verify: 1217
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1166, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.64.250.19, remote crypto endpt.: 40.8.185.126

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 160EDD1F

    inbound esp sas:
      spi: 0x718E62FB (1905156859)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26798
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x160EDD1F (370072863)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 46, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 26791
         IV size: 16 bytes
         replay detection support: Y

Internet VPN Client

Statistics

Packets
Encrypted: 179
Decrypted: 137
Discarded: 7
Bypassed: 549

ASA5540# show crypto ipsec sa
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.64.253.11/255.255.255.255/0/0)
      current_peer: 212.100.68.20, username: test
      dynamic allocated peer ip: 10.64.253.11

      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 137, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.64.250.19/4500, remote crypto endpt.: 212.100.68.20/1554
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: EB918365

    inbound esp sas:
      spi: 0x2E0E9398 (772707224)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 48, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28701
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xEB918365 (3952182117)
         transform: esp-aes esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 48, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 28692
         IV size: 16 bytes
         replay detection support: Y

Looking at the in-use settings of both the inbound and outbound ESP SAs, I see that the Internet VPN session has NAT-T-Encaps, while it does not appear in the VPN session formed by the client on the Subscriber Network.
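The comparison above can be automated. The following is an added example, not part of the thread or of any Cisco tool: it parses the "show crypto ipsec sa" output into one record per SA, pulls out the encaps/decaps counters, whether the SA carries NAT-T-Encaps, and the NAT-T source port, then combines that with the client's own "Decrypted" counter. The SAMPLE text is a constructed, abbreviated copy modelled on the output posted above; the verdict strings and the diagnose() rule are the example's own.

```python
"""Parse Cisco ASA `show crypto ipsec sa` output and flag remote-access SAs
that run plain ESP (no NAT-T-Encaps) or show one-way traffic.
Added example; SAMPLE is a constructed, abbreviated copy of real output."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = """\
interface: Outside
    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19

      current_peer: 41.138.185.126, username: test

      #pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
      #pkts decaps: 1293, #pkts decrypt: 1293, #pkts verify: 1293

      local crypto endpt.: 10.64.250.19, remote crypto endpt.: 41.138.185.126

    inbound esp sas:
      spi: 0x718E62FB (1905156859)
         in use settings ={RA, Tunnel, }
    outbound esp sas:
      spi: 0x160EDD1F (370072863)
         in use settings ={RA, Tunnel, }

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 10.64.250.19

      current_peer: 212.100.68.20, username: test

      #pkts encaps: 137, #pkts encrypt: 137, #pkts digest: 137
      #pkts decaps: 168, #pkts decrypt: 168, #pkts verify: 168

      local crypto endpt.: 10.64.250.19/4500, remote crypto endpt.: 212.100.68.20/1554

    inbound esp sas:
      spi: 0x2E0E9398 (772707224)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
    outbound esp sas:
      spi: 0xEB918365 (3952182117)
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
"""


@dataclass
class IpsecSa:
    peer: str                   # public address the client is seen from
    username: str
    encaps: int                 # packets the ASA encrypted and sent to the client
    decaps: int                 # packets the ASA received and decrypted
    nat_t: bool                 # True when the SA shows NAT-T-Encaps (UDP/4500)
    remote_port: Optional[int]  # NAT-T source port seen at the ASA, if any


def parse_show_crypto_ipsec_sa(text: str) -> List[IpsecSa]:
    """One IpsecSa per 'Crypto map tag:' section of the command output."""
    sas = []
    for chunk in re.split(r"^\s*Crypto map tag:", text, flags=re.M)[1:]:
        peer = re.search(r"current_peer:\s*([\d.]+)", chunk)
        user = re.search(r"username:\s*(\S+)", chunk)
        enc = re.search(r"#pkts encaps:\s*(\d+)", chunk)
        dec = re.search(r"#pkts decaps:\s*(\d+)", chunk)
        port = re.search(r"remote crypto endpt\.:\s*[\d.]+/(\d+)", chunk)
        if not (peer and enc and dec):
            continue  # section without counters (e.g. an idle crypto map)
        sas.append(IpsecSa(
            peer=peer.group(1),
            username=user.group(1) if user else "",
            encaps=int(enc.group(1)),
            decaps=int(dec.group(1)),
            nat_t="NAT-T-Encaps" in chunk,
            remote_port=int(port.group(1)) if port else None,
        ))
    return sas


PLAIN_ESP_BLACKHOLED = ("plain ESP; ASA is sending but the client decrypts nothing: "
                        "ESP (IP protocol 50) is dropped on the return path")
PLAIN_ESP = "plain ESP; no NAT detected between the peers, so NAT-T was not negotiated"
NAT_T_OK = "NAT-T in use (UDP/4500); return traffic rides inside UDP"


def diagnose(sa: IpsecSa, client_decrypted: int) -> str:
    """Combine the head-end SA with the client's own 'Decrypted' counter.
    The ASA counters alone look healthy in the failing case (encaps and decaps
    both increase); the tell is a client that never decrypts anything."""
    if sa.nat_t:
        return NAT_T_OK
    if sa.encaps > 0 and client_decrypted == 0:
        return PLAIN_ESP_BLACKHOLED
    return PLAIN_ESP


if __name__ == "__main__":
    # Client 'Decrypted' counters for the two sessions, as posted: 0 and 137.
    for sa, client_decrypted in zip(parse_show_crypto_ipsec_sa(SAMPLE), (0, 137)):
        print(f"{sa.username}@{sa.peer}: {diagnose(sa, client_decrypted)}")
```

Run it against a fresh capture of the command output; the session that lacks NAT-T-Encaps and whose client shows zero decrypted packets is the one whose return ESP is being dropped before it reaches the client.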

Ivan Martinon Fri, 02/19/2010 - 14:16

Exactly. So you will need to check that the clients that are connecting have the option "transparent tunneling" enabled on UDP NAT/PAT and try to connect again. As well, in this scenario it totally means that ESP is not being passed back from the filtering device in front of your Subscriber Networks.

If you can, please add a copy of your config on the Corporate side.

Samuel Akindele Fri, 02/19/2010 - 16:18

Enable Transparent Tunneling is checked and the IPSec over UDP (NAT/PAT) option is selected on all VPN clients.

If, after the connection is established, ESP from the Enterprise Firewall to the VPN client is being filtered by the Subscriber Network Firewall, how do I resolve this? Could this be because both firewalls are on the same network (no router between them)? Before now, the Subscriber and Enterprise Networks had separate Internet connections and the remote VPN client worked well.

In my quest for a solution, I configured a remote VPN on a Cisco 870 series ISR. The router has a LAB network on the LAN side, and I connected the WAN interface to the inside of the Enterprise network. VPN clients from the Subscriber Network establish connections and can reach all required nodes on the LAB network.

Here is the show crypto ipsec sa

Router#show crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 172.25.101.15

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.106.5/255.255.255.255/0/0)
   current_peer 41.138.183.195 port 3460
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 282, #pkts encrypt: 282, #pkts digest: 282
    #pkts decaps: 1275, #pkts decrypt: 1275, #pkts verify: 1275
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 2

     local crypto endpt.: 172.25.101.15, remote crypto endpt.: 41.138.183.195
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x3493902F(882085935)

     inbound esp sas:
      spi: 0x626B49BC(1651198396)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 11, flow_id: Motorola SEC 1.0:11, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4583768/2093)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3493902F(882085935)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 12, flow_id: Motorola SEC 1.0:12, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4583904/2093)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

What can I do to resolve the problem?

How do I add a copy of my config on the Corporate Side?

Ivan Martinon Fri, 02/19/2010 - 16:30

ESP being filtered is quite a common issue, and that is because ESP is portless. On the other hand, what we need to find out is why the client, despite the fact that NAT-T is enabled on the server and it has transparent tunneling enabled, is still negotiating ESP. For instance, we need to find out if there is any kind of NAT on the Subscriber firewall, since this is the only way NAT-T is going to kick in. Is this Subscriber firewall a Cisco FW?
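The two points in the reply above (NAT-T is negotiated only when a NAT is actually detected, and plain ESP has no ports for a flow-tracking device to match) can be shown end to end. The following is an added example, not part of the thread: natd_hash() builds the NAT-D payload exactly as RFC 3947 section 3.2 defines it, HASH(CKY-I | CKY-R | IP | Port), with SHA-1 assumed as the IKE hash; nat_detected() compares the sender's hash with the one the receiver computes from the header it actually sees; FlowFilter is a toy stateful filter that tracks only TCP/UDP flows and needs an explicit permit for anything else inbound. The cookies, addresses and ports are constructed, and the filter is a model, not the behaviour of any particular vendor's product.

```python
"""NAT-T detection as specified in RFC 3947 (NAT-D payloads), plus a toy
flow-tracking filter showing why plain ESP does not come back.
Added example; cookies, addresses and ports below are constructed."""
import hashlib
import ipaddress
import struct
from typing import Dict, Iterable, Tuple


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: NAT-D = HASH(CKY-I | CKY-R | IP | Port).
    SHA-1 is assumed here as the negotiated IKE hash (20-byte digest)."""
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(cky_i + cky_r + packed).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, sender_ip: str, sender_port: int,
                 seen_ip: str, seen_port: int) -> bool:
    """The sender hashes the address it believes it has; the receiver hashes
    the source address/port it actually sees in the IP/UDP header. A mismatch
    means a NAT rewrote the header somewhere on the path."""
    sent = natd_hash(cky_i, cky_r, sender_ip, sender_port)
    seen = natd_hash(cky_i, cky_r, seen_ip, seen_port)
    return sent != seen


def choose_encapsulation(nat_on_client: bool, nat_on_headend: bool) -> str:
    """Both peers may support NAT-T, but it is only used when a NAT was
    detected; otherwise IKE stays with plain ESP (IP protocol 50)."""
    return "udp-encap-esp" if (nat_on_client or nat_on_headend) else "esp"


class FlowFilter:
    """Toy stateful filter that tracks only TCP/UDP flows. Replies to a tracked
    flow pass automatically; anything else inbound needs an explicit permit.
    ESP carries no ports, so it is never a tracked flow."""
    TRACKED = {"tcp", "udp"}

    def __init__(self, static_permits: Iterable[Tuple[str, str]] = ()):
        self.flows = set()
        self.static_permits = set(static_permits)  # (proto, source_ip) pairs

    def outbound(self, proto, src, sport, dst, dport) -> bool:
        if proto in self.TRACKED:
            self.flows.add((proto, dst, dport, src, sport))  # expected reply
        return True

    def inbound(self, proto, src, sport, dst, dport) -> bool:
        if proto in self.TRACKED:
            return (proto, src, sport, dst, dport) in self.flows
        return (proto, src) in self.static_permits


def simulate(client_behind_nat: bool, permit_esp: bool = False) -> Dict[str, object]:
    """Walk one client through NAT detection, encapsulation choice and the
    filter's verdict on the head-end's first reply packet."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed IKE cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    client_ip, headend_ip = "10.10.5.20", "10.64.250.19"   # constructed
    # With a NAT in the path the head-end sees a translated address and port.
    seen_ip, seen_port = ("41.0.0.1", 3460) if client_behind_nat else (client_ip, 500)
    nat_on_client = nat_detected(cky_i, cky_r, client_ip, 500, seen_ip, seen_port)
    nat_on_headend = nat_detected(cky_i, cky_r, headend_ip, 500, headend_ip, 500)
    encap = choose_encapsulation(nat_on_client, nat_on_headend)

    # The filter sits on the client side of any NAT, so it sees client addresses.
    fw = FlowFilter(static_permits=[("esp", headend_ip)] if permit_esp else [])
    if encap == "udp-encap-esp":
        fw.outbound("udp", client_ip, 4500, headend_ip, 4500)
        reply_ok = fw.inbound("udp", headend_ip, 4500, client_ip, 4500)
    else:
        fw.outbound("esp", client_ip, None, headend_ip, None)
        reply_ok = fw.inbound("esp", headend_ip, None, client_ip, None)
    return {"nat_detected": nat_on_client, "encapsulation": encap,
            "reply_passes_filter": reply_ok}


if __name__ == "__main__":
    for args in ((False, False), (False, True), (True, False)):
        print(args, simulate(*args))
```

With no NAT on the path the hashes match, the peers stay on plain ESP, and the filter drops the head-end's reply because it has no flow to match it against; either a NAT in the path (which triggers NAT-T and UDP/4500) or an explicit permit for protocol 50 from the head-end address makes the reply pass.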

Samuel Akindele Fri, 02/19/2010 - 21:57

There is no NAT on the Subscriber Firewall. IP addresses are assigned to the Subscriber devices by a DHCP server on their network; these IPs are permitted to any on the outside interface of the Firewall. The Enterprise Firewall has a static private IP address; the private IP address has a public IP address NAT on the Internet edge routers to allow VPN sessions from the Internet.

The Subscriber Firewall is not Cisco; it is a Huawei Eudemon Firewall.
