Site-to-Site between RVS4000 and ASA 5510

May 3rd, 2010

I've been able to, with much trial and error, establish the tunnel between my main office, the ASA, and the remote office, the RVS4000.


However, I can't get traffic to work through the tunnel.  I used the wizard to set up the tunnel on the ASA end, and then manually set up the connection on the RVS end.  Do I need to add explicit settings to the firewall rules to allow traffic?  It did add entries to the ACL list, so I assumed it should be working without additional settings.  Any help appreciated.


gene

Federico Coto F... Mon, 05/03/2010 - 13:03

Hi,


By default on the ASA, all VPN traffic should be permitted without being checked by the outside ACL.

Check if you have the command: sysopt connection permit-vpn


Also, the interesting traffic should be a mirror on both ends.

The routing should be fine to reach the remote LAN through the tunnel.


You can enable:  management-access inside

on the ASA and try to PING the inside IP from the RVS4000 local network.


Federico.

gene.mccullough Wed, 05/05/2010 - 06:35

Federico, thanks for the reply.  I tried those, no joy.  I continue to get destination host unreachable when pinging out or in; I get nothing in either log to show it is getting to either device.  I'm still trying, but not sure what to try from here.

Tunnel is stable, still connected.  I can post any of the config if it will help.

TIA

gene

Federico Coto F... Wed, 05/05/2010 - 07:23

Gene,


Let's do the following:


Please post the output of:

sh cry isa sa

sh cry ips sa

From the ASA


Those commands should tell us if the tunnel is established and if traffic is passing through.


Federico.

gene.mccullough Wed, 05/05/2010 - 07:28

Result of the command: "sh cry isa sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 67.60.168.34
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


Result of the command: "sh cry ips sa"

interface: CableOne
    Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42

      access-list CableOne_1_cryptomap permit ip 172.16.100.0 255.255.252.0 FriscoCenter 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (FriscoCenter/255.255.255.0/0/0)
      current_peer: 67.60.168.34

      #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 99, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 24.116.132.42, remote crypto endpt.: 67.60.168.34

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 10F0CC1C

    inbound esp sas:
      spi: 0x32C3D2C6 (851694278)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 13172736, crypto-map: CableOne_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28635)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x10F0CC1C (284216348)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 13172736, crypto-map: CableOne_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28635)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Thanks

Federico Coto F... Wed, 05/05/2010 - 07:34

The tunnel is up and working.
I see packets flowing through the tunnel between the local LAN behind the ASA 172.16.100.0/22 and a remote network called FriscoCenter.


Try the following:
Enable the command: management-access inside
Try to PING from the ASA to the remote side by doing: ping inside x.x.x.x (where x.x.x.x is an IP on the FriscoCenter)

Make sure that both LANs have a route to the remote network pointing to the VPN device.


Federico.
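The two checks Federico describes (interesting traffic must be a mirror image on both ends, and the encaps/decaps counters show whether traffic is actually passing) can be automated against the "sh cry ips sa" output. The script below is an added example, not code from the thread or from Cisco: it parses the relevant lines of the output posted above, resolves the ASA's object name for the remote LAN through a placeholder table (the thread never gives the address behind "FriscoCenter", so 192.0.2.0/24 is assumed), compares the ASA's local/remote identities with the local/remote subnets assumed to be configured on the RVS4000, and flags one-way or badly asymmetric packet counters, which usually point at the remote side not routing replies back into the tunnel. The packet counts and peer address are the ones quoted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed input: the relevant lines of the "sh cry ips sa" output posted above.
SAMPLE_OUTPUT = """\
interface: CableOne
    Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42

      local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (FriscoCenter/255.255.255.0/0/0)
      current_peer: 67.60.168.34

      #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0
"""

# The ASA prints the remote LAN by its object name; the thread never gives the
# address behind "FriscoCenter", so this mapping is a placeholder (documentation range).
NAME_TABLE = {"FriscoCenter": "192.0.2.0"}


@dataclass
class IpsecSa:
    peer: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int


def to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Resolve an object name if needed and build a network from addr + dotted mask."""
    return ipaddress.ip_network(f"{NAME_TABLE.get(addr, addr)}/{mask}", strict=False)


def parse_ipsec_sa(text: str) -> IpsecSa:
    """Pull peer, proxy identities and packet counters out of 'show crypto ipsec sa' output."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"pattern not found: {pattern}")
        return m.group(1)

    ident = r"\(addr/mask/prot/port\): \(([^/]+)/([^/]+)/\d+/\d+\)"
    loc = re.search("local ident " + ident, text)
    rem = re.search("remote ident " + ident, text)
    if not (loc and rem):
        raise ValueError("local/remote ident lines missing")
    return IpsecSa(
        peer=grab(r"current_peer: (\S+)"),
        local=to_network(loc.group(1), loc.group(2)),
        remote=to_network(rem.group(1), rem.group(2)),
        encaps=int(grab(r"#pkts encaps: (\d+)")),
        decaps=int(grab(r"#pkts decaps: (\d+)")),
        send_errors=int(grab(r"#send errors: (\d+)")),
        recv_errors=int(grab(r"#recv errors: (\d+)")),
    )


def assess(sa: IpsecSa, rvs_local: str, rvs_remote: str) -> list:
    """Return findings: mirror-image check against the RVS4000 subnets, then counter sanity."""
    findings = []
    rvs_l, rvs_r = ipaddress.ip_network(rvs_local), ipaddress.ip_network(rvs_remote)
    # Interesting traffic must be a mirror: ASA local == RVS remote and ASA remote == RVS local.
    if sa.local != rvs_r or sa.remote != rvs_l:
        findings.append(f"MIRROR MISMATCH: ASA {sa.local}<->{sa.remote} vs RVS {rvs_l}<->{rvs_r}")
    if sa.encaps == 0 and sa.decaps == 0:
        findings.append("NO TRAFFIC: nothing matched the crypto ACL; check routing/ACL on the ASA side")
    elif sa.decaps == 0:
        findings.append("ONE-WAY: ASA encrypts but receives nothing; check routes and policy on the remote side")
    elif sa.encaps > 5 * sa.decaps:
        findings.append(f"ASYMMETRIC: {sa.encaps} sent vs {sa.decaps} received; "
                        "remote LAN replies may not be routed into the tunnel")
    if sa.send_errors or sa.recv_errors:
        findings.append(f"ERRORS: send={sa.send_errors} recv={sa.recv_errors}")
    return findings


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_OUTPUT)
    # Assumed RVS4000 settings: local 192.0.2.0/24, remote 172.16.100.0/22 (a proper mirror).
    for finding in assess(sa, rvs_local="192.0.2.0/24", rvs_remote="172.16.100.0/22"):
        print(finding)
```

With a correctly mirrored RVS configuration the only finding on the posted output is the asymmetric counter pair (99 encapsulated versus 9 decapsulated), which is consistent with the remote LAN answering only a fraction of what the ASA sends; entering the remote subnet on the RVS with a /24 instead of the ASA's /22 (the subnet-mask slip Pravin mentions below) produces an additional MIRROR MISMATCH finding.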

Pravin Phadte Wed, 05/05/2010 - 08:03

Hi,


1. When you say no traffic is flowing, what do you mean? You are unable to ping?

2. How many tunnels are configured on the ASA and on the RVS4000?


I see the traffic on the tunnel on the ASA end.


- Check the access-list again (subnet mask).

- Clear the tunnel on the ASA end: (clear crypto isakmp sa) or (clear crypto isakmp sa peer x.x.x.x)


Regards,

Pravin
