SITE to SITE VPN - sonicwall and Cisco ASA

Unanswered Question
Apr 24th, 2010

Cisco ASA in configured with dynamic map and sonic wall enhanced version firewall is been configured for site to site vpn.

Tuneel is been formed but no traffic is passing through. Anyone can pls help me

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Sat, 04/24/2010 - 08:47

Manish,

Do you see on the ASA the tunnel established?

sh cry isa sa  --> should show phase 1 as active or QM_IDLE

sh cry ips sa --> should show packets encrypted/decrypted

Since the ASA has a dynamic crypto map, the tunnel can only be established from the Sonicwall side.

If you enable ''management-access inside'' can you PING the inside IP of the ASA from the Sonicwall side? (assuming the inside IP is part of the interesting traffic).

Do you have the following commands:

cry isa nat-t

sysopt connection permit-vpn

Let's see the status of the tunnel and if packets are getting encrypted/decrypted.

Hope to help.

Federico.

QPM277111 Sat, 04/24/2010 - 09:30

Hi Federico,

Thanks for ur help.

sh cry isa sa is active.

I added the below 2 commands but still in sh crypto ipsec i dont find packets encrypted or decrypted.

Regards,

Manish

Federico Coto F... Sat, 04/24/2010 - 09:34

It means that phase1 is up but traffic is still not passing through the tunnel.

Try to bring up the tunnel from the Sonicwall side (sending traffic to the remote local network) and post the output of the debug commands that I suggested before.

The output of the debugs will show if there's a failure on phase2 or if something is missing/wrong on the negotiation of the tunnel.

Federico.

QPM277111 Sat, 04/24/2010 - 16:51

Hi,

Kindly find the ipsec logs

IPSEC: New embryonic SA created @ 0xB0F74F60,
    SCB: 0xB27EDE10,
    Direction: inbound
    SPI      : 0x90BA37ED
    Session ID: 0x009F5000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: New embryonic SA created @ 0xB37016B0,
    SCB: 0xB08388C8,
    Direction: outbound
    SPI      : 0xACE955EE
    Session ID: 0x009F5000
    VPIF num  : 0x00000001
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC: Completed host OBSA update, SPI 0xACE955EE
IPSEC: Creating outbound VPN context, SPI 0xACE955EE
    Flags: 0x00000005
    SA   : 0xB37016B0
    SPI  : 0xACE955EE
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x00000000
    SCB  : 0x7C51F9E3
    Channel: 0xAAD095B0
IPSEC: Completed outbound VPN context, SPI 0xACE955EE
    VPN handle: 0x0133A014
IPSEC: New outbound encrypt rule, SPI 0xACE955EE
    Src addr: 10.3.220.0
    Src mask: 255.255.255.0
    Dst addr: 10.64.117.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed outbound encrypt rule, SPI 0xACE955EE
    Rule ID: 0xAC529B20
IPSEC: New outbound permit rule, SPI 0xACE955EE
    Src addr: 200.*.*.*  

Src mask: 255.255.255.255
    Dst addr: 200.*.*.*

    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0xACE955EE
    Use SPI: true
IPSEC: Completed outbound permit rule, SPI 0xACE955EE
    Rule ID: 0xAF532358
IPSEC: Completed host IBSA update, SPI 0x90BA37ED
IPSEC: Creating inbound VPN context, SPI 0x90BA37ED
    Flags: 0x00000006
    SA   : 0xB0F74F60
    SPI  : 0x90BA37ED
    MTU  : 0 bytes
    VCID : 0x00000000
    Peer : 0x0133A014
    SCB  : 0x7C469F0F
    Channel: 0xAAD095B0
IPSEC: Completed inbound VPN context, SPI 0x90BA37ED
    VPN handle: 0x0133C16C
IPSEC: Updating outbound VPN context 0x0133A014, SPI 0xACE955EE
    Flags: 0x00000005
    SA   : 0xB37016B0
    SPI  : 0xACE955EE
    MTU  : 1500 bytes
    VCID : 0x00000000
    Peer : 0x0133C16C
    SCB  : 0x7C51F9E3
    Channel: 0xAAD095B0
IPSEC: Completed outbound VPN context, SPI 0xACE955EE
    VPN handle: 0x0133A014
IPSEC: Completed outbound inner rule, SPI 0xACE955EE
    Rule ID: 0xAC529B20
IPSEC: Completed outbound outer SPD rule, SPI 0xACE955EE
    Rule ID: 0xAF532358
IPSEC: New inbound tunnel flow rule, SPI 0x90BA37ED
    Src addr: 10.64.117.0
Src mask: 255.255.255.0
    Dst addr: 10.3.220.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false
IPSEC: Completed inbound tunnel flow rule, SPI 0x90BA37ED
    Rule ID: 0xAF4A3EE8
IPSEC: New inbound decrypt rule, SPI 0x90BA37ED
    Src addr: 200.*.*.*   

    Src mask: 255.255.255.255
    Dst addr: 200.*.*.*   

    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x90BA37ED
    Use SPI: true
IPSEC: Completed inbound decrypt rule, SPI 0x90BA37ED
    Rule ID: 0xAF30F698
IPSEC: New inbound permit rule, SPI 0x90BA37ED
    Src addr: 200.*.*.*   

    Src mask: 255.255.255.255
    Dst addr: 200.*.*.*   

    Dst mask: 255.255.255.255
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 50
    Use protocol: true
    SPI: 0x90BA37ED
    Use SPI: true
IPSEC: Completed inbound permit rule, SPI 0x90BA37ED
    Rule ID: 0xB08DC988

QPM277111 Sun, 04/25/2010 - 01:58

no Federico,

These are asa deuch crypto ipsec sa.

It seems that problem is with part.

PSEC: New outbound encrypt rule, SPI 0xFF019CE8
    Src addr: 10.3.90.0
    Src mask: 255.255.255.0
    Dst addr: 10.64.117.0
    Dst mask: 255.255.255.0
    Src ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Dst ports
      Upper: 0
      Lower: 0
      Op   : ignore
    Protocol: 0
    Use protocol: false
    SPI: 0x00000000
    Use SPI: false

SPI should not be false. I assume that the problem is with nat trasversal. But unluck to find that

Federico Coto F... Sun, 04/25/2010 - 08:14

Please check the following..

The transform-set on the ASA for this tunnel should match the parameters of phase 2 configuration on the sonicwall.

Those parameters are encryption DES, 3DES or AES and hash algorithm MD5 or SHA-1

Also, the interesting traffic should be a mirror between both locations.

Could you confirm this?

Federico.

Actions

This Discussion

Related Content