05-27-2010 05:16 AM
Hi,
I need help with this one. I have two identical VPN tunnels with two different clients that need to access one of our internal servers; one of them (ClientA) is working fine, but for the other one (ClientB) I only see traffic from the remote peer (RX ok but no TX). I have put a sniffer on the ports where the ASA and the server are connected and I saw that the traffic is reaching the server and the traffic reaches the ASA back from the server, then nothing....
See the result of sh crypto ipsec sa below and a part of the config for those two clients.
------------------
address:
local peer 100.100.100.178
local network 10.10.10.0 / 24
local server they need to access 10.10.10.10
ClientA remote peer 200.200.200.200
ClientA remote network 172.16.200.0 / 20
ClientB remote peer 160.160.143.4
ClientB remote network 10.15.160.0 / 21
---------------------------
Result of the command: "SH crypto ipsec sa peer 160.160.143.4 det"
peer address: 160.160.143.4
Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178
access-list outside_cryptomap permit ip host 10.10.10.10 10.15.160.0 255.255.248.0
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
current_peer: 160.160.143.4
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 100.100.100.178, remote crypto endpt.: 160.160.143.4
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C2AC8AAE
inbound esp sas:
spi: 0xD88DC8A9 (3633170601)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5517312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373959/20144)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC2AC8AAE (3266087598)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 5517312, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/20144)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
------------------Part of the config
ASA Version 8.2(1)
!
name 172.16.200.0 ClientA
name 10.15.160.0 ClientB
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 100.100.100.178 255.255.255.240
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.10.10.0 255.255.255.0
!
access-list outside_1_cryptomap extended permit ip host 10.10.10.10 ClientA 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 ClientA 255.255.240.0
access-list inside_nat0_outbound_1 extended permit ip host 10.10.10.10 ClientB 255.255.248.0
access-list outside_cryptomap extended permit ip host 10.10.10.10 ClientB 255.255.248.0
nat-control
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 100.100.100.177
route inside 10.10.10.0 255.255.255.0 10.10.10.254 1
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 200.200.200.200
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_cryptomap
crypto map outside_map 3 set peer 160.160.143.4
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp ipsec-over-tcp port 10000
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec svc
group-policy ClientA internal
group-policy ClientA attributes
vpn-tunnel-protocol IPSec svc
group-policy ClientB internal
group-policy ClientB attributes
vpn-tunnel-protocol IPSec
tunnel-group 160.160.143.4 type ipsec-l2l
tunnel-group 160.160.143.4 general-attributes
default-group-policy ClientB
tunnel-group 160.160.143.4 ipsec-attributes
pre-shared-key xxx
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 general-attributes
default-group-policy ClientA
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key yyy
Thanks
A.
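The "RX ok but no TX" symptom in the post is visible directly in the per-peer counters of sh crypto ipsec sa: decaps climbing while encaps stays at zero. The following added example (not from the original post or from Cisco) parses that output and flags peers with one-way SAs; the sample text is constructed from the counters shown in the thread, with the ClientA (200.200.200.200) figures invented as a healthy comparison.

```python
import re

# Constructed sample modelled on "sh crypto ipsec sa ... det" output from the post.
# ClientB counters are the ones in the thread; ClientA counters are made up as a healthy baseline.
SAMPLE_SA_OUTPUT = """\
peer address: 160.160.143.4
Crypto map tag: outside_map, seq num: 3, local addr: 100.100.100.178
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.15.160.0/255.255.248.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 827, #pkts decrypt: 827, #pkts verify: 827
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
peer address: 200.200.200.200
Crypto map tag: outside_map, seq num: 1, local addr: 100.100.100.178
local ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.16.200.0/255.255.240.0/0/0)
#pkts encaps: 1502, #pkts encrypt: 1502, #pkts digest: 1502
#pkts decaps: 1498, #pkts decrypt: 1498, #pkts verify: 1498
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
"""

COUNTERS = (("encaps", r"#pkts encaps:\s*(\d+)"),
            ("decaps", r"#pkts decaps:\s*(\d+)"),
            ("no_sa_send", r"#pkts no sa \(send\):\s*(\d+)"))

def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict per peer holding the counters of interest."""
    peers, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"peer address:\s*(\S+)", line)
        if m:  # a new per-peer section starts here
            cur = {"peer": m.group(1), "seq": None, "encaps": 0, "decaps": 0, "no_sa_send": 0}
            peers.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"seq num:\s*(\d+)", line)
        if m:
            cur["seq"] = int(m.group(1))  # crypto map sequence number this SA was built from
        for key, pat in COUNTERS:
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1))
    return peers

def one_way_peers(peers, min_rx=1):
    """Peers that decrypt inbound traffic but never encrypt anything outbound: the symptom in the post."""
    return [p["peer"] for p in peers if p["decaps"] >= min_rx and p["encaps"] == 0]
```

Running one_way_peers(parse_ipsec_sa(SAMPLE_SA_OUTPUT)) returns only 160.160.143.4; a non-zero "no sa (send)" counter on such a peer would instead point at a missing outbound SA rather than at traffic that is simply never being sent to the crypto engine.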
05-27-2010 05:23 AM
Hi,
It seems that the ASA is not encrypting traffic to the second peer (however there's no routing issue).
I've seen this behavior in 7.x code, not on 8.x code.
However can you do a test?
Can you change the order of the crypto maps?
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 160.160.143.4
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 3 match address outside_1_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 200.200.200.200
crypto map outside_map 3 set transform-set ESP-3DES-SHA
I just want to see if by setting the non-working peer to be the first one it works.....
I know that it should work the way you have it; I just want to see if it's the same behavior that I've seen.
Thank you.
Federico.
05-27-2010 05:53 AM
By any chance, do you know if I can change that priority in ASDM without deleting / re-creating the connection profile?
Thanks
A.
05-27-2010 06:17 AM
Don't think so :-(
Federico.
05-27-2010 06:45 AM
You're right. I have deleted them and re-created them so that ClientB has crypto map priority 1, and it works... so now I'll have to find a patch for that.
Thanks for your help
A.
05-27-2010 06:54 AM
Alain,
You might be hitting a bug :-(
Could you try an upgrade to 8.2(2)?
Federico.
05-27-2010 06:58 AM
I'll try, but unfortunately I won't be able to do this for a couple of weeks.
Thanks
A.