ASA L2L VPN UP with only incoming traffic

Answered Question

Hi,

I need help with this one, I have two identical VPN tunnel with two different clients that need to access one of our internal server, one of them (ClientA) is working fine but for the other one (ClientB) I only see traffic from the remote peer (RX ok but no TX). I have put a sniffer on the ports where the ASA and the server are connected and I saw that the traffic is reaching the server and the traffic reach the ASA back from the server then nothing....

see the result of sh crypto ipsec sa below and a part of the config for those two clients

------------------

address:

local peer 100.100.100.178

local network 10.10.10.0 / 24

local server they need to access 10.10.10.10

ClientA remote peer 200.200.200.200

ClientA remote network 172.16.200.0 / 20

ClientB remote peer 160.160.143.4

ClientB remote network 10.15.160.0 / 21

---------------------------

Result of the command: "SH crypto ipsec sa peer 160.160.143.4 det"

peer address: 160.160.143.4
Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178

access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C2AC8AAE

inbound esp sas:
spi: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5517312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373959/20144)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5517312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/20144)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

------------------Part of the config

ASA Version 8.2(1)

!

name 172.16.200.0 ClientA

name 10.15.160.0 ClientB

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 100.100.100.178 255.255.255.240

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.10.10.0 255.255.255.0

!

access-list outside_1_cryptomap extended permit ip host 10.10.10.10 ClientA 255.255.240.0

access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 ClientA 255.255.240.0

access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 ClientB 255.255.248.0

access-list outside_cryptomap extended permit ip host 10.10.10.10 ClientB 255.255.248.0

nat-control

global (outside) 101 interface

nat (inside) 0 access-list inside_nat0_outbound_1

nat (inside) 101 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 100.100.100.177

route inside 10.10.10.0 255.255.255.0 10.10.10.254 1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 200.200.200.200

crypto map outside_map 1 set transform-set ESP-3DES-SHA

crypto map outside_map 3 match address outside_cryptomap

crypto map outside_map 3 set peer 160.160.143.4

crypto map outside_map 3 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

crypto isakmp policy 20

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto isakmp ipsec-over-tcp port 10000

group-policy DfltGrpPolicy attributes

vpn-tunnel-protocol IPSec svc

group-policy ClientA internal

group-policy ClientA attributes

vpn-tunnel-protocol IPSec svc

group-policy ClientB internal

group-policy ClientB attributes

vpn-tunnel-protocol IPSec

tunnel-group 160.160.143.4 type ipsec-l2l

tunnel-group 160.160.143.4 general-attributes

default-group-policy ClientB

tunnel-group 160.160.143.4 ipsec-attributes

pre-shared-key xxx

tunnel-group 200.200.200.200 type ipsec-l2l

tunnel-group 200.200.200.200 general-attributes

default-group-policy ClientA

tunnel-group 200.200.200.200 ipsec-attributes

pre-shared-key yyy

Thanks

A.

I have this problem too.
0 votes
Correct Answer by Federico Coto F... about 6 years 6 months ago

Hi,

It seems that the ASA is not encrypting traffic to the second peer (however there's no routing issue).

I've seen this behaviors in 7.x code not on 8.x code

However can you do a test?

Can you change the order of the crypto maps?

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 160.160.143.4

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 3 match address outside_1_cryptomap

crypto map outside_map 3 set pfs

crypto map outside_map 3 set peer 200.200.200.200

crypto map outside_map 3 set transform-set ESP-3DES-SHA

I just want to see if by setting the non-working peer to be the first one it works.....

I know that it should work the way you have it, I just want to see if its the same behavior that I've seen.

Thank you.

Federico.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Federico Coto F... Thu, 05/27/2010 - 05:23

Hi,

It seems that the ASA is not encrypting traffic to the second peer (however there's no routing issue).

I've seen this behaviors in 7.x code not on 8.x code

However can you do a test?

Can you change the order of the crypto maps?

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 160.160.143.4

crypto map outside_map 1 set transform-set ESP-3DES-MD5

crypto map outside_map 3 match address outside_1_cryptomap

crypto map outside_map 3 set pfs

crypto map outside_map 3 set peer 200.200.200.200

crypto map outside_map 3 set transform-set ESP-3DES-SHA

I just want to see if by setting the non-working peer to be the first one it works.....

I know that it should work the way you have it, I just want to see if its the same behavior that I've seen.

Thank you.

Federico.

Actions

This Discussion