ASA drops returning vpn traffic from bottom 1/4 of a /22 subnet

Unanswered Question
Jun 28th, 2010

Hi all

I have an interesting problem with a Cisco ASA 5540 and returning traffic to a vpn client being dropped.

The solution looks like this

vpn-client --> [ASA5540] ----> Cat6k -----> (TLS MAN ) ----> [Cat4k] ----> <subnet on Cat 4k 10.161.0.0 /22>

The Cat4k destination interface is as follows

interface Vlan1

ip address 10.161.0.1 255.255.252.0

no ip redirects

The ASA can ping the ingress and egress interfaces of the Cat6k

The ASA can across the Transparent LAN service (MAN) onto a IP address on the CAT4k

The ASA can ping any address on the Cat4k within the 10.161.0.0 /22 addressed vlan.

But when a VPN client establishes a remote access IPSEC tunnel onto the ASA,

The vpn client can ping the ingress and egress interfaces of the Cat6k

The vpn client can ping across the Transparent LAN service (MAN) onto an IP address on the Cat4k

BUT the vpn client can only ping hosts within the 10.161.0.0/22 address space from 10.161.1.1 up to 10.161.3.254

All addresses from 10.161.0.1 up to 10.161.0.255 are not reachable by either TCP or ICMP.

I performed a real-time captures on the ingress of the inside interface of the ASA to see if the traffic was actually getting back to the ASA, to rule out a routing or switching problem.

The following is a successful test from vpn client 10.162.104.60 to 10.161.2.2 /22

<hostname># capture test interface inside real-time match icmp host 10.161.2.1$

   1: 12:18:21.825183 10.162.104.60 > 10.161.2.1: icmp: echo request

   2: 12:18:21.826296 10.161.2.1 > 10.162.104.60: icmp: echo reply

   3: 12:18:22.825900 10.162.104.60 > 10.161.2.1: icmp: echo request

   4: 12:18:22.831545 10.161.2.1 > 10.162.104.60: icmp: echo reply

The client receives a reply

<host>$ ping 10.161.2.1

PING 10.161.2.1 (10.161.2.1): 56 data bytes

64 bytes from 10.161.2.1: icmp_seq=0 ttl=126 time=6.270 ms

64 bytes from 10.161.2.1: icmp_seq=1 ttl=126 time=11.688 ms

The following is an unsuccessful test from vpn client 10.162.104.60 to 10.161.0.1 in the same subnet

It shows the echo reply traffic actually coming back to the ASA

<hostname># capture test interface inside real-time match icmp host 10.161.0.1$
   1: 12:21:48.762381 10.162.104.60 > 10.161.0.1: icmp: echo request
   2: 12:21:48.769933 10.161.0.1 > 10.162.104.60: icmp: echo reply
   3: 12:21:49.756155 10.162.104.60 > 10.161.0.1: icmp: echo request
   4: 12:21:49.757452 10.161.0.1 > 10.162.104.60: icmp: echo reply

Although the vpn client does not receive the packet.

<host>$ ping 10.161.0.1

PING 10.161.0.1 (10.161.0.1): 56 data bytes

Request timeout for icmp_seq 0

Request timeout for icmp_seq 1

Request timeout for icmp_seq 2

(This was tested on both Windows Cisco vpn client and MAC vpn client version 4.9.01.0180)

Yet the ASA can ping both ip addresses from its inside interface

<hostname>## ping 10.161.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.161.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
<hostname># ping 10.161.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.161.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
<hostname>#
===================================================
There are no acces-lists or filters or firewalls or IPS anywhere along the path of the traffic except for the ASA itself.
My ASA config basics are as follows.
route - inside 10.0.0.0 255.0.0.0 <Cat6k hsrp>
split-tunnel - IP 10.161.0.0 255.255.0.0 to 10.162.104.0 255.255.255.0
nat execpt statement - IP 10.0.0.0 255.0.0.0 to 10.162.104.0 255.255.255.0
Can anyone provide me with some suggestions?
Regards,
Dale
I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
koeppend Mon, 06/28/2010 - 21:09

Further to my post:

ASA version:

Cisco Adaptive Security Appliance Software Version 8.2(2)

Device Manager Version 6.2(3)

Regards Dale
Jennifer Halim Tue, 06/29/2010 - 04:30

Split tunnel ACL should be standard ACL. Base on your post, I am under the impression that split tunnel ACL is extended ACL, but pls ignore if it's standard ACL.

Any chance you can post the config of the ASA? Base on the output provided so far, config seems to be OK, and seems like ASA is getting the ICMP echo and echo reply. Would be interested to see if it's actually being forwarded out the VPN tunnel.

Apart from ping, can you try TCP based application and see how it goes?

koeppend Thu, 07/22/2010 - 19:15

Resolved the problem.

ASA had a static site to site vpn setup to an overseas location.

The protected access list for this site to site vpn covered traffic destined for 10.0.0.0/8 (access list was rather broad)

Return traffic for the RA vpn users was being then being flagged for encryption into the site to site vpn instead of the RA vpn users connection.

Amended the protected access-list for the site to site vpn that denied the source addresses of the RA vpn pool.

It still does not explain why the RA vpn connections would respond to only part of the subnet, it should have been all or nothing.

><

Actions

This Discussion