Site-to-Site between RVS4000 and ASA 5510

Unanswered Question
May 3rd, 2010

I've been able to, with much trial and error, establish the tunnel between my main office, the ASA, and the remote office, the RVS4000.

However, I can't get traffic to work through the tunnel.  I used the wizard to set up the tunnel on the ASA end, and then manually set up the connection on the RVS end.  Do I need to add explicit settings to the firewall rules to allow traffic?  It did add entries to the ACL list, so I assumed it should be working without additional settings.  Any help appreciated.

gene

Federico Coto F... Mon, 05/03/2010 - 13:03

Hi,

By default on the ASA, all VPN traffic should be permitted without being checked by the outside ACL.

Check if you have the command: sysopt connection permit-vpn

Also, the interesting traffic should be a mirror on both ends.

The routing should be fine to reach the remote LAN through the tunnel.

You can enable:  management-access inside

on the ASA and try to PING the inside IP from the RVS4000 local network.

Federico.

gene.mccullough Wed, 05/05/2010 - 06:35

Federico, thanks for the reply.  I tried those, no joy.  I continue to get destination host unreachable when pinging out or in, and I get nothing in either log to show it is getting to either device.  I'm still trying, but not sure what to try from here.

Tunnel is stable, still connected.  I can post any of the config if it will help.

TIA

gene

Federico Coto F... Wed, 05/05/2010 - 07:23

Gene,

Let's do the following:

Please post the output of:

sh cry isa sa

sh cry ips sa

From the ASA

Those commands should tell us if the tunnel is established and if traffic is passing through.

Federico.

gene.mccullough Wed, 05/05/2010 - 07:28

Result of the command: "sh cry isa sa"

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 67.60.168.34
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Result of the command: "sh cry ips sa"

interface: CableOne
    Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42

      access-list CableOne_1_cryptomap permit ip 172.16.100.0 255.255.252.0 FriscoCenter 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (FriscoCenter/255.255.255.0/0/0)
      current_peer: 67.60.168.34

      #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 99, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 24.116.132.42, remote crypto endpt.: 67.60.168.34

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 10F0CC1C

    inbound esp sas:
      spi: 0x32C3D2C6 (851694278)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 13172736, crypto-map: CableOne_map
         sa timing: remaining key lifetime (kB/sec): (3914999/28635)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x10F0CC1C (284216348)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 1, }
         slot: 0, conn_id: 13172736, crypto-map: CableOne_map
         sa timing: remaining key lifetime (kB/sec): (3914994/28635)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Thanks

Federico Coto F... Wed, 05/05/2010 - 07:34

The tunnel is up and working.
I see packets flowing through the tunnel between the local LAN behind the ASA 172.16.100.0/22 and a remote network called FriscoCenter

Try the following:
Enable the command: management-access inside
Try to PING from the ASA to the remote side by doing: ping inside x.x.x.x (where x.x.x.x is an IP on the FriscoCenter network)

Make sure that both LANs have a route to the remote network pointing to the VPN device.

Federico.
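As an added example (my own script, not something posted in this thread or shipped by Cisco), the following Python reads the `show crypto ipsec sa` output posted above and pulls out the two things Federico points at: the proxy identities the far side has to mirror, and whether packets are actually going both ways. The sample text is the selector and counter lines from Gene's output, trimmed to the fields the check uses; the function names, the "one network object name, so keep it as a name" handling, and the 10:1 ratio used to flag asymmetric traffic are my assumptions, not anything the ASA reports.

```python
"""Sanity-check one ASA site-to-site SA from `show crypto ipsec sa` text."""
import ipaddress
import re

# Constructed sample: the selector and counter lines from the ASA output
# posted earlier in this thread, trimmed to the fields this check uses.
SAMPLE = """\
interface: CableOne
    Crypto map tag: CableOne_map, seq num: 1, local addr: 24.116.132.42

      access-list CableOne_1_cryptomap permit ip 172.16.100.0 255.255.252.0 FriscoCenter 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.100.0/255.255.252.0/0/0)
      remote ident (addr/mask/prot/port): (FriscoCenter/255.255.255.0/0/0)
      current_peer: 67.60.168.34

      #pkts encaps: 99, #pkts encrypt: 99, #pkts digest: 99
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)"
)
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")
PEER_RE = re.compile(r"current_peer: (\S+)")
COUNTER_KEYS = {
    "pkts encaps": "encaps",        # packets the ASA put into the tunnel
    "pkts decaps": "decaps",        # packets the ASA took out of the tunnel
    "send errors": "send_errors",
    "recv errors": "recv_errors",
}
ASYMMETRY_RATIO = 10  # assumed threshold: flag if one direction is 10x the other


def selector(addr, mask):
    """Render an ident as CIDR. A network object name (FriscoCenter in the
    sample) has no numeric address, so keep the name and mask as written."""
    try:
        return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    except ValueError:
        return f"{addr} mask {mask}"


def parse_ipsec_sa(text):
    """Pull proxy identities, peer and packet counters out of one SA block."""
    sa = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        sa[side] = selector(addr, mask)
    peer = PEER_RE.search(text)
    sa["peer"] = peer.group(1) if peer else None
    for name, value in COUNTER_RE.findall(text):
        sa[COUNTER_KEYS[name]] = int(value)
    return sa


def expected_far_side(sa):
    """Interesting traffic must be a mirror: the far peer's local network is
    the ASA's remote ident and vice versa."""
    return {"local": sa["remote"], "remote": sa["local"]}


def diagnose(sa):
    """Findings worth acting on. Counters are cumulative since the SA came up,
    so encaps without decaps means the ASA is sending but nothing is coming
    back: look at the far side's selectors and return route, not the ASA."""
    findings = []
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        findings.append("no traffic has matched the crypto ACL in either direction")
    elif dec == 0:
        findings.append(f"one-way: {enc} packets encrypted, none received back")
    elif enc > ASYMMETRY_RATIO * dec or dec > ASYMMETRY_RATIO * enc:
        findings.append(f"asymmetric: {enc} encrypted vs {dec} decrypted")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors: send={sa['send_errors']} recv={sa['recv_errors']}")
    return findings


def counter_delta(before, after):
    """Difference between two readings, e.g. taken around a `ping inside`
    test, so you can see whether that test traffic entered the tunnel."""
    return {k: after[k] - before[k] for k in ("encaps", "decaps")}


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE)
    print("ASA selectors:", sa["local"], "->", sa["remote"], "peer", sa["peer"])
    print("RVS4000 must use:", expected_far_side(sa))
    for finding in diagnose(sa):
        print("finding:", finding)
```

Paste the real command output into `SAMPLE` (or read it from a file) and run the script; then run `ping inside x.x.x.x`, capture `show crypto ipsec sa` again, and feed both readings to `counter_delta`. If `encaps` climbs and `decaps` does not, the ping is entering the tunnel and the problem is on the RVS4000 side or its return path.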

Pravin Phadte Wed, 05/05/2010 - 08:03

Hi,

1. When you say no traffic is flowing, what do you mean? You are unable to ping?

2. How many tunnels are configured on the ASA and on the RVS4000?

I see the traffic on the tunnel on the ASA end.

- Check the access-list again (subnet mask).

- Clear the tunnel on the ASA end: (clear crypto isakmp sa) or (clear crypto isakmp sa peer x.x.x.x)

Regards,

Pravin
